AgenceEvana
Back to bulletins
Critical2026-03-26CVSS 9.4CVE-2026-33634 (2026-03-21)supply-chainci-cdteampcpgithub-actionskubernetesdocker

TeamPCP — Anatomy of a Supply Chain Campaign That Hit the Cloud-Native Ecosystem

The TeamPCP group ran the most impactful supply chain campaign of 2026, compromising Trivy, Checkmarx, LiteLLM, 47+ npm packages and over 60,000 servers — all from a single GitHub token stolen by an autonomous AI agent.

Who is TeamPCP?

TeamPCP (aka DeadCatx3, PCPcat, ShellForce, CanisterWorm) is a hybrid cybercrime group active since at least July 2025. The group claims over 700 members and a track record of compromises affecting Canada, Serbia, South Korea, the UAE, and the United States. Links with Lapsus$ have been identified.

Their specialties: Docker and Kubernetes API exploitation, supply chain attacks, ransomware, cryptomining, and self-propagating worms.

Full Campaign Timeline

Phase 0 — Initial Access via AI Agent (February 27-28, 2026)

An autonomous AI agent named hackerbot-claw exploited a misconfigured pull_request_target GitHub Actions workflow to steal a privileged Personal Access Token (PAT) from Aqua Security. Aqua responded, but credential rotation was not atomic — the attacker retained access during the rotation window.

Phase 1 — Trivy (March 19)

Using the surviving credentials, TeamPCP force-pushed 75 of 76 version tags of aquasecurity/trivy-action to malicious commits containing an encrypted infostealer. A malicious Trivy binary v0.69.4 was published via the compromised aqua-bot service account.

Phase 2 — Docker Hub & Defacement (March 22)

  • Malicious Docker Hub images Trivy v0.69.5 and v0.69.6 published
  • All 44 repositories in Aqua Security's GitHub organization defaced within minutes

Phase 3 — Checkmarx (March 23)

35 tags hijacked in checkmarx/kics-github-action and checkmarx/ast-github-action. Malicious VS Code extensions published on OpenVSX (cx-dev-assist 1.7.0, ast-results 2.53.0). The payload now includes a Kubernetes persistence module.

Phase 4 — LiteLLM & npm (March 24)

Two malicious versions of the litellm Python package published on PyPI using credentials stolen during the Trivy compromise. In parallel, launch of CanisterWorm — a worm that compromised 47+ npm packages by injecting malicious code into postinstall hooks.

Techniques and Infrastructure

Payload — "TeamPCP Cloud Stealer"

Targeted data: SSH keys, cloud credentials (AWS, GCP, Azure), Kubernetes tokens, Docker credentials, database passwords, private TLS keys, crypto wallets.

Data is harvested directly from CI/CD runner memory, encrypted with AES-256 + RSA-4096, and exfiltrated.

Takedown-Resistant C2 Infrastructure

TeamPCP uses canisters on the Internet Computer Protocol (ICP) — a decentralized blockchain — as C2 infrastructure. This approach makes the infrastructure nearly impossible to take down through traditional channels (no registrar, no hosting provider to contact).

  • Typosquatted domains: scan.aquasecurtiy.org, checkmarx.zone
  • Blockchain fallback: ICP canisters serving kamikaze.sh
  • Exfiltration via automatically created GitHub repositories (tpcp-docs, docs-tpcp)

Tactical Innovation

  • AI agent for initial access (hackerbot-claw)
  • Credential cascade: a single stolen token pivots from Trivy → Checkmarx → LiteLLM → npm
  • Git tag mutability systematically exploited
  • Kubernetes persistence in later payload variants

Global Impact

  • 60,000+ servers compromised worldwide
  • Thousands of CI/CD pipelines affected via GitHub Actions
  • 47+ npm packages infected via CanisterWorm
  • Exposure windows of 3 to 12 hours per vector

Indicators of Compromise (IOCs)

C2 domains: scan.aquasecurtiy.org, checkmarx.zone

IP addresses: 45.148.10.212, 83.142.209.11

ICP canister: tdtqy-oyaaa-aaaae-af2dq-cai

Exfiltration repos: tpcp-docs / docs-tpcp

Artifacts: tpcp.tar.gz, payload.enc

Malware ID: "TeamPCP Cloud stealer"

Remediation

  1. Audit all GitHub Actions workflows run between March 19-24, 2026 — look for outbound connections to the IOCs above.
  2. Full secret rotation for any pipeline that used Trivy, Checkmarx KICS/AST, or LiteLLM during the window.
  3. Pin all GitHub Actions by commit SHA — never use mutable tags.
  4. Audit npm packages in your projects for unusual postinstall hooks.
  5. Check your Kubernetes clusters for unknown workloads (TeamPCP persistence).
  6. Search for tpcp-docs or docs-tpcp repositories in your GitHub organizations.

Lessons Learned

This campaign is a textbook case: a single stolen token, exploited in cascade, enabled the compromise of the entire cloud-native security tooling ecosystem. The implicit trust granted to security scanners in CI/CD pipelines has become the primary attack vector. The use of an AI agent for initial access marks a significant evolution in cybercrime group TTPs.

Back to bulletins