TeamPCP's Dual Supply-Chain Attacks on Checkmarx KICS and elementary-data Expose CI/CD Credential Theft at Scale
Trend Micro reveals how TeamPCP compromised Checkmarx KICS and elementary-data in April 2026, using poisoned CI/CD pipelines to steal credentials and sign malicious packages with legitimate keys.
Trend Micro Research has published a detailed analysis of two supply-chain attacks executed by the threat actor TeamPCP in April 2026, targeting Checkmarx KICS and elementary-data. The campaign, which spanned at least seven waves from March 19 to April 24, demonstrates a sophisticated playbook for credential theft at scale. By abusing trusted build pipelines, TeamPCP was able to poison multiple distribution channels and harvest sensitive credentials from developer environments.
The Checkmarx KICS attack, which occurred on April 22, was operationally complex. TeamPCP simultaneously poisoned three distribution channels: Docker Hub, VS Code/OpenVSX, and GitHub Actions. The attackers used an obfuscated payload executed via a downloaded runtime and, within 24 hours, leveraged stolen npm tokens to hijack the @bitwarden/cli package downstream. This multichannel approach maximized the reach of the credential theft, targeting GitHub PATs, npm tokens, cloud credentials, SSH keys, Kubernetes secrets, and cryptocurrency wallet keystores.
The elementary-data attack on April 24 was technically simpler but perhaps more alarming. A single unsanitized pull request comment allowed TeamPCP to obtain a runner token, forge a tagged release commit, and invoke the project's own signing infrastructure. The resulting malicious package was signed by legitimate CI and published to PyPI and GitHub Container Registry (GHCR), passing all standard verification checks. The stealer also made live Amazon Web Services (AWS) API calls to enumerate and pull secrets from Secrets Manager and SSM Parameter Store, going beyond files stored on disk.
Trend Micro's analysis reveals that TeamPCP, internally tracked as SHADOW-WATER-058, is a financially motivated cluster. The actor's identity and geographic origin carry low confidence, but the campaign is linked to the Vect ransomware group, which began publishing victims on April 15, 2026, using credentials stolen by TeamPCP. The attackers used consistent C&C infrastructure patterns, actor-branded exfiltration headers, and a Session messenger identifier embedded as an XOR cipher seed across multiple payloads, providing a clear cross-campaign marker.
Organizations using GitHub Actions, PyPI, Docker Hub, GHCR, VS Code extensions, and cloud-connected CI runners are directly exposed to this risk. The elementary-data incident showed that maintainer credentials did not need to be stolen first—one unsanitized pull request comment was enough to turn the project's CI into the attacker's release channel. Trend Micro recommends enforcing the principle of least privilege to limit damage when a trusted workflow or artifact is abused.
This campaign underscores the growing threat of supply-chain attacks targeting CI/CD pipelines. As developers increasingly rely on automated build and release processes, attackers are finding new ways to exploit trust. The TeamPCP case studies highlight the need for rigorous input validation, strict access controls, and continuous monitoring of build environments to prevent similar compromises.