Also Known As: PCPcat, CanisterWorm
First Observed: September 2025
Primary Operations: Supply chain attacks, credential theft, cloud compromise, ransomware access brokerage, source code theft
Motivation: Financially motivated
Overview
TeamPCP is a financially motivated cybercrime group that emerged in 2025 and rapidly became one of the most disruptive supply chain threat actors currently operating. The group is best known for compromising trusted developer tools, CI/CD pipelines, cloud infrastructure, and internal repositories to steal credentials, source code, and sensitive enterprise data.
The group gained widespread attention after a March 2026 supply chain campaign compromised multiple major open source projects including Trivy, Checkmarx KICS, LiteLLM, and the Telnyx Python SDK. Security researchers linked the operation to large-scale credential theft affecting cloud providers, AI companies, enterprise GitHub organizations, and government environments.
Since then, TeamPCP has been connected to multiple alleged breaches, source code theft claims, ransomware partnerships, and attacks involving organizations tied to AI development, cloud computing, and developer infrastructure.
Recent BreachNews coverage
- Alleged TeamPCP sale of GitHub internal source code and private repositories
- Lightning AI repositories allegedly leaked following PyTorch Lightning supply chain incident
- OpenAI confirms internal breach linked to Mini Shai-Hulud supply chain attack
- TeamPCP claims sale of Mistral AI internal repositories and source code
- Bitwarden CLI compromised in TeamPCP supply chain attack targeting developer secrets
- TeamPCP and ShinyHunters named in European Commission breach affecting 30 EU entities
- TeamPCP supply chain attack hits Mercor exposing AI training secrets for OpenAI, Anthropic, and Meta
- Mini Shai-Hulud malware abuses trusted CI pipelines in expanding supply chain attack
Latest activity tracker
May 2026: Allegedly listed GitHub internal source code and 4,000 private repositories for sale
May 2026: Linked to OpenAI internal breach tied to Mini Shai-Hulud supply chain malware
May 2026: Claimed sale of Mistral AI repositories and internal source code
May 2026: Lightning AI repositories allegedly leaked following PyTorch Lightning compromise
April 2026: Bitwarden CLI supply chain compromise disclosed
April 2026: European Commission breach publicly linked to TeamPCP and ShinyHunters
April 2026: Mercor AI training platform compromised in supply chain attack
March 2026: Trivy, KICS, LiteLLM, and Telnyx ecosystem compromises triggered widespread credential theft across CI/CD environments
Origins and early activity
TeamPCP activity dates back to at least September 2025. Early operations focused on exposed Docker APIs, Kubernetes environments, Redis servers, Ray dashboards, and other poorly secured cloud infrastructure.
The group primarily targeted cloud-native environments rather than traditional corporate endpoints. Researchers observed TeamPCP compromising Linux servers, container orchestration platforms, CI/CD runners, and developer infrastructure to deploy cryptominers, credential stealers, reverse proxies, and ransomware staging tools.
Initial campaigns appeared financially motivated and opportunistic, with victims spanning the United States, Canada, South Korea, the UAE, and parts of Europe and Asia.
The March 2026 supply chain attacks
TeamPCP became a major cybersecurity story in March 2026 after compromising several widely used developer tools and software supply chain platforms.
The campaign began with unauthorized access to Aqua Security infrastructure connected to Trivy GitHub Actions workflows. Attackers reportedly abused exposed GitHub Actions tokens and insecure workflow configurations to inject malicious code into trusted repositories and releases.
From there, the operation spread rapidly across interconnected development ecosystems. Researchers later connected TeamPCP activity to compromises affecting:
- Trivy
- Checkmarx KICS
- LiteLLM
- Telnyx Python SDK
- Bitwarden CLI
- PyTorch Lightning ecosystems
The attacks targeted CI/CD pipelines and developer environments to harvest:
- GitHub tokens
- AWS credentials
- Kubernetes configuration files
- SSH keys
- API secrets
- Cloud access tokens
Security researchers described the campaign as one of the most significant supply chain incidents of 2026 due to the scale of downstream exposure created by trusted package compromises.
CanisterWorm and Mini Shai-Hulud
Researchers also linked TeamPCP activity to self-propagating malware strains including CanisterWorm and Mini Shai-Hulud.
CanisterWorm reportedly automated npm package compromise operations by validating stolen maintainer tokens, incrementing package versions, injecting malicious code, and republishing compromised packages under legitimate maintainer accounts.
Mini Shai-Hulud later expanded on similar techniques, targeting trusted CI/CD environments and developer pipelines to spread malware through software dependencies.
Researchers observed worm-like propagation behavior capable of moving rapidly through interconnected development ecosystems once a single maintainer credential was compromised.
Cloud and AI ecosystem targeting
Much of TeamPCP’s recent activity has centered around AI companies, cloud platforms, and developer infrastructure providers.
Publicly reported incidents and alleged claims tied to the group include:
- OpenAI
- Mistral AI
- Lightning AI
- Mercor
- GitHub
- Cisco
- European Commission cloud infrastructure
In several cases, the group allegedly attempted to sell internal repositories, source code, cloud credentials, and proprietary development data rather than deploying ransomware directly.
This shift suggests TeamPCP increasingly operates as both a supply chain threat actor and an access brokerage operation monetizing stolen development infrastructure.
Ransomware and criminal partnerships
Following the March 2026 supply chain campaign, TeamPCP activity increasingly overlapped with ransomware operations and extortion actors.
Security researchers observed connections between TeamPCP-sourced access and later extortion activity involving groups such as Vect and CipherForce. In several reported cases, stolen credentials and cloud access allegedly obtained during supply chain compromises were later used in ransomware staging operations.
The group has also been repeatedly linked to large-scale data theft and source code monetization rather than encryption-focused attacks alone.
Operational patterns
TeamPCP operations consistently focus on trusted developer infrastructure and cloud-native environments rather than conventional phishing-heavy intrusion chains.
Observed operational patterns include:
- Compromise of CI/CD pipelines
- Abuse of GitHub Actions workflows
- Malicious npm and PyPI package publishing
- Credential theft from cloud infrastructure
- Container and Kubernetes exploitation
- Source code theft and repository access
- Supply chain malware deployment
- Ransomware access brokerage
The group also appears highly focused on automation, allowing attacks to spread rapidly across interconnected package ecosystems and development environments.
Indicators associated with TeamPCP campaigns
Researchers have associated the following artifacts and malware families with TeamPCP-linked activity:
CanisterWormMini Shai-Huludtpcp.tar.gzlitellm_init.pthpgmonitortpcp-docsGitHub repositories
Organizations running affected CI/CD pipelines or compromised package versions during the March through May 2026 timeframe were advised by researchers to rotate all accessible secrets and review repository access logs for unauthorized activity.
MITRE ATT&CK techniques
T1195.001: Supply chain compromise through malicious package and dependency modification
T1552.001: Credential theft from files including cloud configs and SSH keys
T1609: Container administration abuse in Kubernetes and Docker environments
T1610: Deployment of malicious containers for persistence and lateral movement
T1041: Exfiltration of credentials and sensitive data over attacker-controlled infrastructure
T1059: Extensive use of scripting and command interpreters across Linux and cloud environments
Current threat assessment
TeamPCP remains one of the most closely watched supply chain threat actors currently operating due to its focus on trusted developer ecosystems and cloud-native infrastructure.
The group’s operations demonstrate how a single compromised maintainer account or CI/CD workflow can rapidly cascade across thousands of downstream environments.
Researchers continue monitoring for additional TeamPCP-linked compromises involving npm, PyPI, GitHub Actions, AI infrastructure providers, and enterprise cloud environments.
While many recent claims tied to the group remain unverified, TeamPCP’s repeated connection to confirmed supply chain incidents and credential theft campaigns has elevated the group into a major threat actor category for organizations relying heavily on cloud development pipelines.
