Also Known As: PCPcat, ShellForce, DeadCatx3, PersyPCP, CanisterWorm
First Observed: September 2025
Primary Operations: Supply chain compromise, credential theft, ransomware staging, cryptomining, destructive wiping
Motivation: Financially motivated with possible geopolitical dimensions
Overview
TeamPCP emerged as a cloud-native threat actor in late 2025 and rapidly escalated into one of the most disruptive supply chain operators ever documented. In the span of 8 days between March 19 and March 27, 2026, the group compromised 4 widely used open source tools, Aqua Security’s Trivy vulnerability scanner, Checkmarx KICS, the LiteLLM AI gateway, and the Telnyx Python SDK, injecting credential-harvesting malware into CI/CD pipelines across potentially thousands of organizations worldwide. Confirmed victims include the European Commission, AI recruiting platform Mercor, and Cisco, among dozens of others publicly claimed.
Security firm Flare profiled the group in January 2026 as a financially motivated actor with a distinctive focus on exposed control planes rather than endpoint exploitation. Azure environments accounted for 61% of their compromised servers, AWS for 36%. Before March 2026, TeamPCP was disruptive but not exceptional. After it, they became one of the most studied threat actors in recent memory.
Origins and Early Operations
TeamPCP’s documented activity dates to at least September 2025. Early operations focused on automated scanning for exposed Docker Remote API endpoints, Kubernetes API servers and kubelets, Ray dashboards, and Redis instances. Once access was obtained, compromised systems were folded into a distributed network used for proxying traffic, conducting further scans, hosting command and control infrastructure, and generating revenue through ransomware deployment and cryptomining.
Early geographic targeting included the United Arab Emirates, Canada, South Korea, Serbia, the United States, and Vietnam, reflecting opportunistic exploitation of exposed infrastructure rather than politically motivated campaigns. Industry targeting in this phase concentrated on banking, financial services and insurance, consumer goods, and professional services sectors.
In December 2025, the group gained notoriety through the React2Shell campaign, exploiting CVE-2025-55182 to achieve remote code execution against vulnerable cloud endpoints. A consistent detection artifact from that campaign was the use of port 666 for nearly all exploitation operations. The group maintained Telegram channels, an onion site, and posted publicly under @pcpcats on X.
Early Tooling
Before pivoting to supply chain operations, TeamPCP’s toolkit centered on 4 primary components. FRP, or Fast Reverse Proxy, was used to create reverse proxy tunnels providing persistent remote access to compromised systems. Sliver, an open source cross-platform adversary simulation and command and control framework, enabled encrypted C2 communications over mutual TLS, WireGuard, HTTP, and DNS using dynamically compiled implants with unique certificates to enhance stealth. XMRig, the open source Monero mining application, was deployed on compromised hosts to mine cryptocurrency using victim compute resources. The group also made extensive use of standard command line and scripting environments to execute payloads, download tools, and conduct reconnaissance.
The March 2026 Supply Chain Campaign
The March campaign was not spontaneous. TeamPCP achieved initial access to Aqua Security’s GitHub service account on February 28, 2026, nearly 3 weeks before the public attack began. A first incomplete breach in early March exfiltrated credentials that were not fully rotated, giving the group persistent access. On March 19, they leveraged a personal access token stolen by exploiting a misconfigured pull_request_target workflow in Trivy’s GitHub Actions to push malicious commits to 76 of 77 Trivy GitHub Action version tags. Every CI/CD pipeline referencing those tags immediately began executing the attacker’s code on its next run.
The cascade that followed was methodical and rapid. Using credentials harvested from Trivy-connected pipelines, the group compromised Checkmarx KICS on March 23, LiteLLM on March 24, and the Telnyx Python SDK on March 27, a new target every 1 to 3 days. Each compromise used credentials stolen in the previous one, creating a self-feeding chain through 5 major ecosystems: GitHub Actions, Docker Hub, PyPI, NPM, and OpenVSX.
The malware payload, known as the TeamPCP Cloud Stealer and tracked under CVE-2026-33634, scraped CI/CD runner memory for secrets, harvested SSH keys, cloud credentials, and Kubernetes configurations, encrypted the data using AES-256 with RSA-4096, and exfiltrated it as a compressed archive named tpcp.tar.gz to attacker-controlled infrastructure. The LiteLLM payload used a particularly effective persistence mechanism, a Python .pth file named litellm_init.pth that auto-executes on every Python interpreter invocation, meaning any python, pip, or pytest command would trigger the credential stealer even after the malicious package was removed. By the time PyPI quarantined the malicious LiteLLM versions 1.82.7 and 1.82.8 roughly 3 hours after publication, LiteLLM’s 3.6 million daily downloads had already done the damage.
CanisterWorm and Novel Infrastructure
TeamPCP’s self-propagating npm worm, CanisterWorm, represents one of the more technically innovative components of the campaign. Given a single stolen npm publishing token, CanisterWorm enumerated every package within that token’s scope, incremented version numbers, and inserted malicious code into new releases in under 60 seconds per token. More than 50 npm packages were infected before automated monitoring flagged the activity.
CanisterWorm’s command and control infrastructure is built on Internet Computer Protocol blockchain canisters, a decentralized architecture that makes conventional domain takedowns impossible. The ICP canister at tdtqy-oyaaa-aaaae-af2dq-cai[.]raw[.]icp0[.]io persists as long as its operators continue paying virtual currency fees to keep it online. SANS instructor Kenneth Hartman described it as the first documented use of decentralized blockchain infrastructure for C2 in the wild. The group also used the GitHub Releases API as a fallback data exfiltration channel, creating repositories named tpcp-docs in victim GitHub organizations. Persistent malware components were disguised as a legitimate PostgreSQL monitoring service named pgmonitor, with files dropped to /tmp/pglog.
The Iran Wiper and Geopolitical Dimensions
On March 22, TeamPCP added a destructive payload to CanisterWorm that introduced a geopolitical targeting dimension not previously observed from the group. The kamikaze.sh script fingerprints the runtime environment and branches based on 2 conditions: whether the system is running Kubernetes, and whether the system timezone is set to Asia/Tehran or the locale is Farsi. Iranian Kubernetes clusters receive a privileged DaemonSet named host-provisioner-iran that mounts the host root filesystem and deletes everything before forcing a reboot. Non-Kubernetes Iranian hosts receive rm -rf / --no-preserve-root. Non-Iranian systems receive the standard CanisterWorm backdoor.
Whether this reflects ideological alignment, a contracted capability, or an attempt to attract attention remains unclear. Security researcher Charlie Eriksen of Aikido noted that the malicious canister was intermittently taken down and replaced with a Rick Roll video, suggesting possible instability or internal disorganization. Recorded Future analyst Allan Liska assessed TeamPCP as primarily financially motivated, with the geopolitical component being difficult to verify. A representative associated with the group also claimed publicly that Anthropic’s Claude was used to generate malware components, a claim that has not been independently verified.
Ransomware Pivot and Criminal Partnerships
Following the supply chain campaign, TeamPCP announced a partnership with Vect, a new ransomware-as-a-service operation, through a BreachForums post that distributed Vect affiliate keys to the forum’s registered membership. The arrangement positions TeamPCP as an initial access broker, providing stolen credentials from the campaign’s harvest while Vect handles encryption, extortion, and negotiation. Security researchers confirmed at least 1 Vect ransomware deployment using TeamPCP-sourced credentials as of late March 2026. The group has also been linked to CipherForce, another ransomware operation that has published victim data on its leak site referencing TeamPCP-sourced access.
LAPSUS$ has publicly claimed breaches of multiple organizations including Mercor and AstraZeneca using credentials described as TeamPCP-sourced. Researchers note that the Lapsus$ name is now used by multiple unrelated actors, and no connection to original Lapsus$ members has been established. AstraZeneca had not confirmed or denied the claim as of March 30.
Confirmed and Claimed Victims
TeamPCP publicly claimed at least 16 organizations as of late March 2026. Confirmed victims with public disclosures include the European Commission, whose AWS environment was breached on March 10 using credentials stolen in the Trivy attack and whose data was subsequently published by ShinyHunters; Mercor, the AI training data platform serving OpenAI, Anthropic, and Meta; and Cisco, whose source code was stolen through the same supply chain chain. LAPSUS$ has additionally claimed AstraZeneca using TeamPCP-sourced access, a claim AstraZeneca had not confirmed or denied as of March 30.
Indicators of Compromise
Organizations that ran CI/CD pipelines referencing Trivy, Checkmarx KICS, LiteLLM versions 1.82.7 or 1.82.8, or Telnyx SDK versions 4.87.1 or 4.87.2 between March 19 and March 27 should assume credential exposure. Key indicators include the presence of a tpcp-docs repository in GitHub organization accounts, the litellm_init.pth file in Python site-packages directories, outbound encrypted POST requests to scan.aquasecurtiy[.]org or checkmarx[.]zone, and connections to the ICP C2 canister at tdtqy-oyaaa-aaaae-af2dq-cai[.]raw[.]icp0[.]io. The malicious Trivy Docker images were tagged 0.69.4, 0.69.5, and 0.69.6. The exfiltration destination IP was 45.148.10.212. All secrets accessible to CI runners between March 19 and March 27 should be treated as compromised and rotated immediately.
MITRE ATT&CK Techniques
T1190 — Exploit Public-Facing Application: TeamPCP exploits internet-facing applications including Docker APIs, Kubernetes control planes, Ray dashboards, and Redis instances with weak access controls or misconfigurations to gain initial access to cloud environments.
T1133 — External Remote Services: The group leverages externally accessible services including remote management interfaces and container environments to gain initial access and maintain persistence across compromised infrastructure.
T1195.001 — Supply Chain Compromise: Compromise of Software Dependencies and Development Tools: The March 2026 campaign injected malicious payloads directly into trusted open source packages including Trivy, KICS, LiteLLM, and Telnyx, poisoning CI/CD pipelines at scale.
T1053.003 — Cron: The group abuses cron schedulers on Unix and Linux systems to execute malicious tasks at startup or on a scheduled basis, maintaining persistent execution across compromised hosts.
T1059 — Command and Scripting Interpreter: Command line and scripting environments are used to execute payloads, download tools, perform system reconnaissance, and enable remote execution across Linux, Windows, and containerized environments.
T1609 — Container Administration Command: TeamPCP exploits Docker daemons and Kubernetes APIs to execute commands within containers, deploy malicious workloads, and pivot laterally across container environments.
T1610 — Deploy Container: The group deploys privileged containers with host filesystem access to achieve full node compromise, particularly during the CanisterWorm Kubernetes wiper operations targeting Iranian infrastructure.
T1525 — Implant Internal Image: Malicious code was embedded directly into Trivy Docker images tagged 0.69.4 through 0.69.6, ensuring persistence and reinfection through trusted container registries.
T1552.001 — Credentials in Files: The TeamPCP Cloud Stealer specifically targets credential files including SSH keys, cloud provider configuration files, Kubernetes config files, and environment variables storing API keys and tokens.
T1041 — Exfiltration Over C2 Channel: Harvested credentials are encrypted using AES-256 with RSA-4096 and exfiltrated as compressed archives to attacker-controlled infrastructure, with the GitHub Releases API used as a fallback exfiltration channel.
Current Threat Assessment
TeamPCP has paused new supply chain compromises as of late March 2026, consistent with a shift toward monetizing the credentials already harvested. The Vect and CipherForce partnerships suggest the group’s next phase will involve ransomware deployments against organizations that have not yet discovered their exposure. Given the scale of the credential harvest and the number of downstream organizations potentially affected through compromised CI/CD pipelines, the full impact of the March campaign has not yet materialized. Security researchers expect a wave of extortion attempts in the weeks and months ahead as TeamPCP and its partners work through the access obtained during one of the most consequential supply chain campaigns ever documented.
