
FBI Issues FLASH Warning on TeamPCP Supply Chain Attacks and Extortion Activity

The FBI has published a FLASH advisory detailing TeamPCP's software supply chain attacks, malware, extortion activity, and recommendations for affected organizations.
[Figure: graphic illustrating the FBI's FLASH advisory on TeamPCP supply chain attacks and extortion activity]

The FBI has issued a new FLASH advisory detailing the tactics, techniques, and procedures used by TeamPCP, a financially motivated cybercrime group behind several high-profile software supply chain attacks throughout 2026. The advisory warns that the group has compromised trusted developer tools, stolen cloud credentials and source code, and expanded into extortion by threatening to publish stolen data.

The advisory provides organizations with indicators of compromise (IOCs), malware details, and mitigation guidance while urging any organization that suspects TeamPCP activity to contact the FBI. The FLASH was coordinated with DHS/CISA and is marked TLP:CLEAR.

Supply chain compromises targeted trusted developer tools

According to the FBI, TeamPCP compromised legitimate software distribution channels by injecting malicious code into widely used packages and development dependencies. The modified software delivered credential-stealing malware and persistent backdoors while appearing to be legitimate updates.

The advisory identifies compromises involving Trivy, Checkmarx KICS, LiteLLM, and the Telnyx Python SDK. These tools are commonly integrated into enterprise CI/CD pipelines, cloud infrastructure, and application development workflows, allowing malicious updates to spread into downstream environments.

Once deployed, TeamPCP reportedly harvested sensitive authentication material including cloud access tokens, SSH keys, Kubernetes secrets, API credentials, and other privileged information from compromised systems.

FBI details malware used by TeamPCP

The advisory attributes multiple malware families to TeamPCP operations.

CanisterWorm is described as harvesting credentials and authentication material from cloud providers including AWS, Microsoft Azure, and Google Cloud Platform.

SANDCLOCK steals AWS credentials, Kubernetes ServiceAccount tokens, local environment variables, and cryptocurrency wallet data.

The FBI also highlights Mini Shai-Hulud, a self-replicating supply chain worm capable of spreading across npm and PyPI ecosystems, along with Miasma, a related variant designed to harvest credentials while poisoning development environments.

Extortion activity now part of TeamPCP operations

Beyond software supply chain attacks, the FBI states TeamPCP has engaged in extortion alongside other cybercriminal groups by publishing victim names on a public leak site and threatening to release stolen data.

The advisory warns organizations to treat stolen credentials and exfiltrated data as a long-term security risk even after initial access has been removed, noting that affiliated threat actors may continue abusing compromised secrets long after the original intrusion.

This marks one of the clearest public acknowledgements from U.S. law enforcement that TeamPCP’s operations now extend beyond credential theft into data extortion and broader criminal collaboration.

Organizations urged to rotate credentials immediately

The FBI recommends organizations rotate all CI/CD secrets, cloud credentials, and publishing tokens that may have been exposed during TeamPCP activity. Additional recommendations include pinning GitHub Actions workflows to verified commit hashes, enforcing phishing-resistant multi-factor authentication, applying least-privilege access controls, monitoring CI/CD pipelines for abnormal behavior, auditing third-party integrations, and implementing integrity verification for published software artifacts.
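One of the listed mitigations, pinning GitHub Actions to verified commit hashes, is easy to state but easy to drift from as workflows accumulate. The following audit script is an added example (not from the FBI advisory or BreachNews) that scans a workflow file for `uses:` references still pointing at mutable tags, branches, or abbreviated SHAs. The workflow text, the `example-org` actions, and the 40-character SHA it contains are all constructed for the demonstration.

```python
"""Audit GitHub Actions workflow text for `uses:` references that are not
pinned to a full 40-hex commit SHA.

Added example, not code from the FBI advisory or from BreachNews. The
sample workflow, the example-org action names and the SHA below are
constructed.
"""
import re
from dataclasses import dataclass
from typing import List

# A full 40-hex commit SHA is the only immutable reference; tags (v4),
# branches (main) and abbreviated SHAs can be moved or are ambiguous.
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
ABBREV_SHA = re.compile(r"^[0-9a-f]{7,39}$")

# Matches `uses: owner/repo[/path]@ref`, optionally quoted, with or without
# a leading list dash. Captures the action and the ref separately.
USES_LINE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^@'"\s]+)@([^'"\s#]+)""")


@dataclass
class Finding:
    line_no: int
    action: str
    ref: str
    reason: str


def is_pinned(ref: str) -> bool:
    """True only for a full-length commit SHA."""
    return bool(FULL_SHA.match(ref))


def audit_workflow(text: str) -> List[Finding]:
    """Return one Finding per unpinned action reference in a workflow file."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = USES_LINE.match(line)
        if not match:
            continue  # not a `uses:` line, or a local/docker action with no @ref
        action, ref = match.group(1), match.group(2)
        if action.startswith("docker://"):
            continue  # container images are pinned by digest, checked elsewhere
        if is_pinned(ref):
            continue
        if ABBREV_SHA.match(ref):
            reason = "abbreviated SHA (ambiguous; use the full 40-char SHA)"
        else:
            reason = "mutable tag or branch ref"
        findings.append(Finding(line_no, action, ref, reason))
    return findings


# Constructed sample workflow: one pinned step, three unpinned ones, and a
# local action that has no git ref to pin.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/setup-tool@0123456789abcdef0123456789abcdef01234567
      - uses: 'example-org/scan-action@main'
      - name: local helper
        uses: ./.github/actions/helper
      - uses: example-org/publish-action@abc1234
"""


if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line_no}: {f.action}@{f.ref} -> {f.reason}")
```

Running the block flags lines 7, 9, and 12 of the sample; the setup-tool step passes because its ref is a full SHA, and the local helper is skipped because there is no remote ref to pin. In a pipeline, the same function can be run over every file under `.github/workflows/` and made to fail the build when it returns a non-empty list.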

The advisory also lists indicators of compromise, including IP addresses, domains, malware hashes, and affected CVEs, along with detection guidance for incident responders.

The complete FBI FLASH advisory is available here: Cyber Criminal Group TeamPCP (PDF).

BreachNews has tracked TeamPCP throughout 2026

TeamPCP has been the focus of numerous BreachNews investigations throughout 2026, including coverage of the Bitwarden CLI supply chain compromise, the Mini Shai-Hulud malware campaign, the Mercor supply chain attack, and the OpenAI breach linked to Mini Shai-Hulud.

The FBI advisory represents the first comprehensive U.S. government summary of TeamPCP’s operations, consolidating months of security research into a single public document while confirming the group’s continued threat to organizations that rely on software supply chains and cloud-native development environments.


m00s3c

Moose (@m00s3c) is the author of BreachNews, focusing on data breach intelligence, dark web monitoring, and threat analysis. His work involves analyzing breach claims, reviewing leaked datasets, and tracking threat actor activity to provide clear, factual reporting.
