VYPR
Advisory · Published Jul 3, 2026 · 1 source

FBI Warns of TeamPCP Supply Chain Attacks Targeting Developer Tools

The FBI has issued a warning about TeamPCP, a threat group compromising developer tools like Trivy and KICS to steal cloud credentials, SSH keys, and Kubernetes secrets in large-scale supply chain attacks.

The FBI has issued a stark warning regarding TeamPCP, a sophisticated threat group orchestrating extensive software supply chain attacks by compromising trusted developer and security tools. These attacks aim to inject malicious code into widely used packages, thereby gaining access to sensitive cloud credentials, SSH keys, and Kubernetes secrets, which can ultimately lead to full compromise of corporate networks.

TeamPCP's modus operandi involves subtly injecting malicious code into legitimate software packages. By tampering with components and dependencies of popular tools such as Trivy, KICS, LiteLLM, and the Telnyx Python SDK, the group has successfully distributed trojanized updates that appear benign to unsuspecting developers. Given that these tools are integral to enterprise continuous integration and continuous delivery (CI/CD) pipelines, a single compromised update can silently infiltrate thousands of downstream systems before detection.

Once deployed, these tainted packages establish persistent footholds within developer environments by secretly installing credential-stealing malware and backdoors. This allows TeamPCP to conduct further reconnaissance and exfiltrate additional sensitive data from cloud infrastructure over time. The group has also escalated its activities by engaging in extortion, publicly listing victim names on a leak site and threatening to release stolen data unless ransom demands are met, adding a layer of public pressure to their operations.

Several custom malware families are central to TeamPCP's arsenal. CanisterWorm is designed to harvest cloud access tokens and API keys for major cloud providers like AWS, Google Cloud, and Microsoft Azure. Complementing this, SANDCLOCK extracts AWS credentials, Kubernetes ServiceAccount tokens, environment variables, and cryptocurrency wallet data from infected systems. The group also deploys Mini Shai-Hulud, a self-propagating worm that spreads autonomously across the npm and PyPI open-source ecosystems, with a variant called Miasma also poisoning configuration files.

The FBI urges organizations suspecting compromise by TeamPCP to report incidents, providing details on affected packages, CI/CD logs, network logs, and any extortion messages. Defensive recommendations include pinning GitHub Actions workflows to verified commit hashes, rotating all potentially exposed CI/CD secrets and cloud credentials, and searching GitHub organizations for specific repositories created by the worm.

Further mitigation strategies recommended by the FBI involve enforcing the principle of least privilege for CI/CD service accounts, mandating phishing-resistant multi-factor authentication for repository access, and establishing a minimum age threshold for newly installed packages. Maintaining offline, immutable backups of critical repositories is also advised to reduce the likelihood and impact of a TeamPCP compromise.

The FBI's warning highlights the critical need for enhanced vigilance within software development lifecycles. The compromise of trusted tools represents a significant threat, as it leverages the inherent trust developers place in their toolchains. Organizations must implement robust security practices throughout their CI/CD pipelines to detect and prevent such sophisticated supply chain attacks.

This campaign underscores a broader trend of threat actors targeting the software supply chain to achieve widespread impact. By compromising foundational development tools, groups like TeamPCP can bypass traditional perimeter defenses and gain access to a vast number of downstream targets, making proactive security measures and rapid incident response paramount.

Synthesized by Vypr AI