~/ramimac.me $
2026-03-19
Heating Up

TeamPCP Supply Chain Campaign

A multi-week, multi-ecosystem attack chain spanning GitHub Actions, Docker Hub, npm, PyPI, OpenVSX, VS Code Marketplace, and Jenkins. Impacted so far: Aqua's Trivy, Checkmarx KICS, LiteLLM, Bitwarden, TanStack, Mistral AI, AntV (323 packages), Microsoft DurableTask, GitHub (~3,800 internal repos), +more.


TeamPCP

aka UNC6780 (GTIG), PCPcat, Persy_PCP, ShellForce, CipherForce, DeadCatx3

A hybrid threat actor that operates as a botnet, an access broker, a data-leak crew, and a cloud exploitation group. Emerged in late 2025. Brokers access to LAPSUS$, UNC6240/ShinyHunters, and Vect Ransomware, and partners with xpl0itrs and the BreachForums ecosystem.

External Analysis

  • Flare.io — Dec 2025 worm campaign targeting cloud infrastructure
  • Beelzebub — Next.js exploit campaign, 59K compromises in 33 hours
  • Ransomware Interviews — "T" interview with TeamPCP member

The Official Soundtrack of the Trivy Supply Chain Attack

Every threat actor leaves fingerprints. TeamPCP left a playlist. Songs embedded in payloads, C2 infrastructure, and attack tooling.

Myth #1

"hackerbot-claw compromised Trivy"

Reality: hackerbot-claw is an automated penetration testing bot that scans GitHub for vulnerable projects—its user agent and behavioral patterns differ from the main attacker. MegaGame10418 is the actor who exploited the February 27 PwnRequest, exfiltrating the aqua-bot PAT. Aqua's official post-mortem confirms: "The user agent and behavioral patterns of hackerbot-claw are different than the other events inspected."

Myth #2

"Malicious commits landed in Trivy's main branch"

Reality: The imposter commits (1885610c, 70379aad) never merged into main. They exist in GitHub's object store due to cross-fork object sharing. The attack worked because a malicious tag (v0.69.4) was pushed that referenced these orphan commits—triggering CI/CD builds without any merge or review.
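As an added example (not code from this site or from the Trivy project), here is a release-guard check a maintainer can run before a tag-triggered workflow builds anything: it refuses any tag whose commit is not an ancestor of the protected branch, which is exactly the property the orphan-commit tag above violated. The helper name tag_on_branch and the throwaway demo repository are constructed for illustration; the only assumption is that git is installed.

```shell
#!/bin/sh
# Release guard for the tag-hijacking pattern: a tag that points at a commit
# not reachable from the protected branch never went through merge/review on
# that branch, so CI must not build or publish it.
set -eu

# tag_on_branch TAG BRANCH -> exit 0 if TAG's commit is reachable from BRANCH
tag_on_branch() {
  tag_commit=$(git rev-parse "$1^{commit}")       # peel annotated tags to a commit
  git merge-base --is-ancestor "$tag_commit" "$2"  # 0 = ancestor, 1 = not
}

# Constructed demo repository (illustration only): a main branch with two
# commits plus one "orphan" commit that lives in the object store, is kept
# alive only by a tag, and was never merged into main.
make_demo_repo() {
  dir=$(mktemp -d)
  cd "$dir"
  git init -q
  git symbolic-ref HEAD refs/heads/main
  git config user.email ci@example.invalid
  git config user.name ci
  echo a > f && git add f && git commit -qm "first"
  echo b > f && git add f && git commit -qm "second"
  git tag -a v1.0.0 -m "legitimate release"        # tag on a reviewed main commit
  git checkout -q --detach HEAD~1                  # start from an older commit
  echo evil > f && git add f && git commit -qm "never reviewed"
  git tag -a v1.0.1 -m "hijacked release"          # tag on the orphan commit
  git checkout -q main
  echo "$dir"
}

demo_dir=$(make_demo_repo)
cd "$demo_dir"
if tag_on_branch v1.0.0 main; then echo "v1.0.0: ok, commit is on main"; fi
if ! tag_on_branch v1.0.1 main; then echo "v1.0.1: REFUSE, commit is not on main"; fi
```

In a real workflow the same check would run after `git fetch origin main` against `origin/main`, with the tag name taken from the triggering ref.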

Myth #3

"GhostClaw is related to TeamPCP"

Reality: GhostClaw is a separate campaign with different TTPs and IOCs. TeamPCP uses tag hijacking and CI/CD exploitation; GhostClaw uses npm typosquatting and AI workflow hooks. GhostClaw also uses different infrastructure (registrars, C2 patterns), relies more on social-engineering payloads (fake CLI installers with progress bars), and persists differently (shell hooks and cron jobs rather than GitHub Actions). No shared IOCs or attribution overlap have been identified.

This site was created by Rami McCarthy (@ramimacisabird), Principal Security Researcher @ Wiz.