Your security scanner may be the attacker’s entry point. On 2 July 2026, the FBI published an urgent FLASH advisory (FLASH-20260702-01) revealing that a sophisticated criminal group called TeamPCP had successfully poisoned four widely-deployed developer and security tools — including a vulnerability scanner that thousands of enterprises trust to protect their containers. The result: cloud access tokens, SSH keys, Kubernetes secrets, and even cryptocurrency wallet data silently exfiltrated from CI/CD pipelines across the globe before anyone noticed.

This is not a hypothetical supply chain risk. The packages have already been trojanised. The credentials are already being monetised. If your engineering teams use Trivy, KICS, LiteLLM, or the Telnyx Python SDK — and have not rotated secrets since early July — you may already be compromised.

Key Takeaways

  • FBI FLASH-20260702-01 (2 July 2026) names TeamPCP as the group behind a large-scale software supply chain compromise.
  • Four trusted tools were poisoned: Trivy (container vulnerability scanner), KICS (IaC static analyser), LiteLLM (AI model API router), and the Telnyx Python SDK.
  • Malware deployed includes CanisterWorm, SANDCLOCK, Miasma, and Mini Shai-Hulud — a self-replicating worm that independently propagates across npm and PyPI.
  • Stolen data: AWS, GCP, and Azure access tokens; SSH keys; Kubernetes ServiceAccount tokens; and cryptocurrency wallet credentials.
  • TeamPCP escalates to extortion — publishing victim names on a leak site and demanding payment to suppress disclosure.
  • Immediate action required: rotate all CI/CD secrets, pin GitHub Actions to verified commit hashes, and enforce a minimum seven-day package age before installation.

Who Is TeamPCP? Anatomy of a Supply Chain Threat Actor

TeamPCP represents a new breed of financially motivated threat actor operating at the intersection of cybercrime and software supply chain exploitation. Unlike ransomware groups that breach a network and encrypt files, TeamPCP’s methodology is more insidious: they weaponise the very tools that development and security teams trust implicitly.

The group’s operational model combines credential harvesting at scale with a secondary extortion layer. After quietly siphoning cloud credentials and authentication material, TeamPCP publishes victim names on a public leak site — threatening to release sensitive data unless demands are met. This dual monetisation strategy maximises financial return: stolen credentials can be sold on dark-web markets while simultaneously serving as leverage for extortion.

The FBI FLASH notes that TeamPCP collaborated with other threat actors to monetise exfiltrated data, suggesting a well-connected criminal ecosystem rather than an isolated operation. Two confirmed exfiltration staging points were GitHub repositories named tpcp-docs and docs-tpcp — names engineered to blend in with legitimate documentation repos. Malicious infrastructure also spanned domains such as checkmarx[.]zone, models.litellm[.]cloud, and git-tanstack[.]com.

The Attack Method: How Trusted Packages Were Weaponised

The attack chain begins with a technique that is deceptively simple but devastatingly effective: injecting malicious code into legitimate, widely-used open-source packages. TeamPCP exploited stale or expired npm maintainer account recovery domains to take over publishing rights — a supply chain attack vector the security community has warned about for years but that remains chronically under-addressed across the industry.

Once in control of a package’s publishing pipeline, the group pushed trojanised updates that appeared completely normal to developers and automated dependency managers. The poisoned packages were distributed through standard channels — npm and PyPI — and were installed by CI/CD pipeline runners that had no reason to distrust them. Trojanised updates appeared legitimate, enabling mass deployment into enterprise pipelines across thousands of downstream systems before detection.

The four confirmed compromised tools span critical functions in modern DevSecOps workflows:

Tool Primary Function Why It Is a High-Value Target
Trivy Container & IaC vulnerability scanner Runs with privileged cloud registry access in CI/CD; scans container images requiring broad read permissions
KICS Infrastructure-as-Code static analysis Reads Terraform, CloudFormation, and Kubernetes manifests that routinely reference credentials and secrets
LiteLLM AI model API routing library Holds API keys for multiple AI providers simultaneously; increasingly embedded in enterprise AI-enabled pipelines
Telnyx Python SDK Telecom API integration Stores communication API credentials used across enterprise messaging and notification workflows

Four CVEs have been associated with this campaign by the FBI: CVE-2026-33634, CVE-2026-48027, CVE-2026-45321, and CVE-2025-55182. Organisations should verify these identifiers against their vulnerability management platforms and prioritise accordingly.

Technical Breakdown: Four Malware Components, One Devastating Goal

TeamPCP deployed a purpose-built malware toolkit comprising four distinct components, each playing a specific role in the credential-theft operation:

CanisterWorm serves as the primary harvester, designed to sweep CI/CD environments for cloud access tokens and API keys across AWS, Google Cloud Platform, and Microsoft Azure. It specifically targets the environment variables and configuration files that pipeline runners populate with service account credentials at runtime.

SANDCLOCK casts a wider net, extracting AWS credentials, Kubernetes ServiceAccount tokens — which can grant cluster-wide privileges when RBAC is misconfigured — local environment variables, and cryptocurrency wallet data. The inclusion of crypto wallet targeting indicates that TeamPCP’s operators are prepared to monetise every credential type available, not just corporate cloud accounts.

Mini Shai-Hulud is arguably the most dangerous component: a self-replicating supply chain worm that operates autonomously across npm and PyPI registries. Once introduced into a package ecosystem, it propagates independently — harvesting credentials and poisoning configuration files as it spreads through downstream dependencies. This autonomous propagation means the blast radius extends far beyond the four initially named packages, and remediation is not as simple as removing a single dependency.

Miasma is a variant of Mini Shai-Hulud, operating similarly across open-source registries while simultaneously poisoning configuration files to establish persistence and facilitate ongoing credential harvesting after initial deployment.

The combination of a targeted credential harvester, a broad-spectrum extractor, and a self-replicating worm in a single toolkit demonstrates a level of operational sophistication that places TeamPCP well above opportunistic threat actors. This is a calculated, well-resourced campaign.

What Was Stolen — and What Attackers Can Do With It

The categories of stolen data read like a master key to enterprise cloud infrastructure. With cloud access tokens for AWS, GCP, or Azure, an attacker can provision resources, exfiltrate data from storage buckets, create backdoor IAM users, or deploy cryptomining workloads — all appearing as legitimate activity within your cloud billing and audit logs.

SSH keys provide direct, persistent access to production servers, jump hosts, and bastion instances without triggering password-based authentication alerts. Kubernetes ServiceAccount tokens, depending on RBAC configuration, can grant cluster-admin-level access — enabling an attacker to deploy arbitrary pods, read secrets across all namespaces, or exfiltrate an entire cluster’s configuration data. Environment variables harvested from pipeline runners are a rich trove of database connection strings, third-party API keys, and internal service credentials.

The FBI advisory is explicit that TeamPCP treats exfiltrated credentials as permanently compromised. Even after rotation, stolen credentials may have already been used to create backdoor IAM accounts, sold to secondary threat actors, or leveraged to establish persistent footholds that outlast the original session token.

What Indian Enterprises Must Do Right Now: Sanjay Seth’s Expert Playbook

As a cybersecurity consultant who architects zero-trust environments for Indian enterprises, I want to be direct: this attack is a textbook illustration of why implicit trust in your own toolchain is a critical vulnerability. A zero-trust model demands that no software, no pipeline, no internal service be trusted by default — and that principle must extend into your DevSecOps workflows as urgently as it applies to your user identity layer.

Here is a prioritised response plan grounded in the FBI’s own recommendations and zero-trust principles:

Immediate (within 24 hours):

  1. Rotate all CI/CD secrets immediately — cloud provider access tokens, package registry publishing tokens, SSH deploy keys, and any API keys accessible to pipeline runners. Do not wait to confirm exposure; assume compromise and rotate proactively.
  2. Audit your pipelines for the four named tools — search Dockerfiles, requirements.txt, package.json, and workflow YAML files for Trivy, KICS, LiteLLM, and the Telnyx Python SDK. If found, cross-reference installed versions against vendor security advisories.
  3. Search your GitHub organisation for repositories named tpcp-docs or docs-tpcp — these were TeamPCP’s exfiltration staging repositories.
  4. Block known malicious infrastructure at your firewall and DNS filter: domains checkmarx[.]zone, models.litellm[.]cloud, git-tanstack[.]com, and IP addresses 83.142.209.11, 45.148.10.212, 83.142.209.194, 83.142.209.203, 94.154.172.43, and 67.217.57.240.

Short-term (within one week):

  1. Pin GitHub Actions workflows to verified commit SHA hashes rather than floating tags such as @v3. A tag can be silently repointed to malicious code; a commit hash cannot be altered without detection.
  2. Enforce a minimum seven-day package age before any dependency can be installed in production pipelines. This single policy would have blocked the initial TeamPCP poisoning.
  3. Enable phishing-resistant MFA (FIDO2/WebAuthn) on all code repository accounts and package registry publishing accounts to prevent account takeover via expired recovery domains — the vector TeamPCP used to gain publishing access.
  4. Scope registry publishing tokens to individual repositories, preventing a single compromised token from enabling cross-repository supply chain poisoning.
  5. Deploy runtime behavioural monitoring on CI/CD pipeline runners to detect unexpected outbound connections, anomalous credential access patterns, or unusual process spawning during builds.

Strategic (zero-trust realignment for Indian enterprises):

India’s IT services sector — which manages CI/CD infrastructure for global clients across BFSI, pharmaceuticals, and manufacturing — faces a multiplied exposure risk here. A compromised pipeline at a managed services provider does not just affect the MSP; it affects every client whose code passes through those runners. If you manage third-party code on behalf of clients, your risk is categorical, not marginal. A formal zero-trust security assessment of your CI/CD and developer toolchain should be on your July agenda. If your pipeline runners operate with persistent, over-privileged credentials rather than short-lived, scope-limited tokens granted just-in-time, TeamPCP’s playbook will work against you.

For NOC and SOC teams: add TeamPCP’s known IOCs to your SIEM immediately, and create alert rules for outbound connections to the flagged domains and IP ranges. Correlate with any recent unusual cloud API calls or new IAM account creation events in your cloud environments. An effective SOC with proper RMM hygiene would already be monitoring toolchain integrity — this incident is a reminder to extend that coverage to the build pipeline layer.

Frequently Asked Questions

How do I know if my organisation was affected by the TeamPCP supply chain attack?

Check your CI/CD pipeline logs for installations of Trivy, KICS, LiteLLM, or the Telnyx Python SDK during the exposure window (approximately mid-June through early July 2026). Look for outbound network connections to the malicious domains and IP addresses listed in the FBI advisory. If any pipeline runner had these tools installed and had access to cloud credentials, SSH keys, or Kubernetes tokens, treat those credentials as compromised and rotate them immediately, regardless of whether you find direct evidence of exfiltration. Report confirmed incidents to IC3.gov or your local FBI field office.

Is updating the affected packages to the latest clean version sufficient remediation?

No. Updating to clean versions is necessary to prevent future infections but does not undo credential exfiltration that may have already occurred. The malicious code executed during past pipeline runs, harvesting credentials before the update. You must rotate all potentially exposed credentials regardless of whether you have updated the packages. Treat this as a two-track remediation: update the packages and rotate all secrets accessible to the pipeline during the exposure window.

Why did TeamPCP specifically target security tools like Trivy and KICS?

Security and scanning tools are a particularly high-value supply chain attack target for two reasons. First, they typically run with broad permissions — a container scanner needs read access to cloud registries; an IaC analyser needs to parse files that often contain credential references. Second, security teams tend to trust their own security tooling implicitly, applying far less scrutiny to security tools than to application dependencies. TeamPCP exploited exactly this trust asymmetry: the tools designed to keep you safe became the attack vector.

What is the specific risk for Indian IT and managed services organisations?

Indian IT services companies operating as managed service providers for global clients carry a multiplied risk: a single compromised build pipeline can expose credentials for multiple client cloud environments simultaneously. Additionally, many Indian enterprises have not yet implemented minimum package age policies, CI/CD secret scoping, or GitHub Actions pinning — the three controls that would have provided the most direct protection against this specific attack. The CERT-In reporting obligation under India’s IT Act also means that confirmed credential exposure triggering cloud infrastructure access may constitute a reportable incident within six hours of discovery.

Act Before Your Pipeline Becomes the Breach

TeamPCP’s operation is a reminder that in 2026, your attack surface extends to every tool your developers install without a second thought. The FBI FLASH is unambiguous: credentials are already out the door for a significant number of organisations. The question is not whether to act — it is how quickly you can contain the blast radius and verify whether your environment was in scope.

If your organisation needs a rapid assessment of your CI/CD security posture, developer toolchain exposure, or zero-trust architecture gaps, reach out to Sanjay Seth for a confidential security consultation. An independent review of your pipeline security today is substantially less costly than a breach notification, regulatory penalty, or client trust deficit tomorrow.

Sources: FBI FLASH-20260702-01 | Security Affairs | CybersecurityNews | HSToday | CyberPress