TeamPCP Supply Chain Campaign
A multi-week, multi-ecosystem attack chain spanning GitHub Actions, Docker Hub, npm, PyPI, OpenVSX, VS Code Marketplace, and Jenkins. Impacted so far: Aqua's Trivy, Checkmarx KICS, LiteLLM, Bitwarden, TanStack, Mistral AI, AntV (323 packages), Microsoft DurableTask, GitHub (~3,800 internal repos), Red Hat Cloud Services (32 packages), +more.
Payload Repositories
- litellm_1.82.8 — 3-stage payload w/ RSA-4096 key
- litellm_1.82.7 — RC4 obfuscation variants
- telnyx_4.87.1 — WAV steganography delivery
- MalwareBazaar — Community samples + YARA
TeamPCP
aka UNC6780 (GTIG), PCPcat, Persy_PCP, ShellForce, CipherForce, DeadCatx3
Hybrid threat actor functioning as botnet, access broker, data-leak crew, and cloud exploitation group. Emerged late 2025. Brokers access to LAPSUS$, UNC6240/ShinyHunters, and Vect Ransomware. Partnerships with xpl0itrs and BreachForums ecosystem.
External Analysis
- Flare.io — Dec 2025 worm campaign targeting cloud infrastructure
- Beelzebub — Next.js exploit campaign, 59K compromises in 33 hours
- Ransomware Interviews — "T" interview with TeamPCP member
Post-Compromise Analysis
Deep-dive research into TeamPCP's post-compromise activity—what happens after credentials are stolen from supply chain attacks.
Tracking TeamPCP: Investigating Post-Compromise Attacks Seen in the Wild
Analysis of how TeamPCP operationalizes stolen credentials from supply chain compromises (Trivy, KICS, LiteLLM, Telnyx) to compromise cloud environments.
Attack Stages
- Secret Validation — TruffleHog validates stolen AWS keys, Azure secrets, and SaaS tokens via live API calls
- Internal Discovery — Within 24 hours: IAM enumeration (users, roles, policies), compute (EC2, Lambda), storage (S3, RDS), and container infrastructure (ECS task definitions, cluster mapping)
- Code Execution — GitHub workflow abuse via stolen PATs; Nord Stream tool for malicious workflow creation; ECS Exec with SSM Agent for container access; workflow log deletion
- Data Exfiltration — Bulk repository cloning via git.clone; mass extraction from S3, Secrets Manager, and databases
Tools & Infrastructure
- TruffleHog — Credential validation
- Nord Stream — GitHub automation
- Boto3 — AWS API interactions
- Mullvad VPN & InterServer hosting for obfuscation
Detection Signals
Unusual enumeration (ListUsers, DescribeInstances), unexpected secret access patterns, mass clone operations, workflow log deletion, API calls from VPN providers.
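The enumeration signal above can be expressed as a sliding-window check over CloudTrail records. This is an added example, not code from the original analysis; the list of discovery calls, the one-hour window, the three-service threshold and the sample records are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Discovery calls per CloudTrail eventSource (an assumed starting list; tune it).
DISCOVERY = {
    "iam.amazonaws.com": {"ListUsers", "ListRoles", "ListPolicies"},
    "ec2.amazonaws.com": {"DescribeInstances"},
    "s3.amazonaws.com": {"ListBuckets"},
    "ecs.amazonaws.com": {"ListClusters", "ListTaskDefinitions", "DescribeTaskDefinition"},
}

def find_enumeration_bursts(records, window=timedelta(hours=1), min_services=3):
    """Map accessKeyId -> details for keys sweeping >= min_services services in one window."""
    by_key = defaultdict(list)
    for r in records:
        if r["eventName"] in DISCOVERY.get(r["eventSource"], ()):
            ts = datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            key = r["userIdentity"]["accessKeyId"]
            by_key[key].append((ts, r["eventSource"], r["sourceIPAddress"]))
    alerts = {}
    for key, hits in by_key.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:  # shrink to the window
                start += 1
            win = hits[start:end + 1]
            services = sorted({src for _, src, _ in win})
            if len(services) >= min_services:
                alerts[key] = {"services": services,
                               "source_ips": sorted({ip for _, _, ip in win})}
                break
    return alerts

# Constructed records: a sweeping key, a single-service deploy key, a slow key.
SAMPLE = [
    {"eventTime": t, "eventSource": s + ".amazonaws.com", "eventName": n,
     "sourceIPAddress": ip, "userIdentity": {"accessKeyId": k}}
    for t, s, n, k, ip in [
        ("2026-01-01T10:00:05Z", "iam", "ListUsers", "EXAMPLE-LEAKED-KEY", "198.51.100.7"),
        ("2026-01-01T10:02:11Z", "ec2", "DescribeInstances", "EXAMPLE-LEAKED-KEY", "198.51.100.7"),
        ("2026-01-01T10:09:40Z", "s3", "ListBuckets", "EXAMPLE-LEAKED-KEY", "198.51.100.7"),
        ("2026-01-01T10:15:02Z", "ecs", "ListClusters", "EXAMPLE-LEAKED-KEY", "203.0.113.9"),
        ("2026-01-01T10:01:00Z", "ec2", "DescribeInstances", "EXAMPLE-DEPLOY-KEY", "192.0.2.10"),
        ("2026-01-01T01:00:00Z", "iam", "ListRoles", "EXAMPLE-SLOW-KEY", "192.0.2.44"),
        ("2026-01-01T09:00:00Z", "ecs", "ListClusters", "EXAMPLE-SLOW-KEY", "192.0.2.44"),
        ("2026-01-01T20:00:00Z", "s3", "ListBuckets", "EXAMPLE-SLOW-KEY", "192.0.2.44"),
    ]
]
```

A key that spreads its calls over many hours stays under this threshold, so pair the burst check with a per-key baseline of which services it normally touches.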
Investigating Two Variants of the Trivy Supply Chain Compromise
Technical deep-dive comparing the GitHub Action vs. container binary variants of the Trivy compromise.
Variant 1: Trivy Action
- Shell script + embedded Python in entrypoint.sh
- Reads /proc/PID/environ for runner secrets
- Scrapes GitHub Actions runner memory for JSON secrets
- Filesystem harvester on self-hosted runners (SSH keys, cloud creds, K8s configs, wallet keys)
- AES-256-CBC encryption with RSA wrapping
- Fallback: creates public repos named tpcp-docs
- No persistence—single execution
Variant 2: Trivy Binary
- Malicious code compiled into Go binary (153MB ELF)
- Two embedded base64-encoded Python payloads
- Persistent backdoor via sysmon.py systemd service
- Downloads second-stage from Internet Computer Protocol (ICP) blockchain C2
- Targets developer machines (non-CI environments)
- Persistence—50-minute polling cycle
Key IOCs
scan.aquasecurtiy[.]org
tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0[.]io
nsa[.]cat
Attacker IPs (from CloudTrail)
- 209.159.147.239 — TruffleHog validation (NYC VPS)
- 170.62.100.245 — Cloud enumeration, S3 scanning (Kali)
- 154.47.29.12 — Org recon (Windows 11)
- 103.75.11.59 — Credential re-validation (macOS ARM)
Mitigation Recommendations
- Use OIDC federation instead of static IAM keys (minutes-long expiration vs. indefinite)
- Pin container images by digest hash rather than tags to prevent automatic redeployment
- Disable automatic container updates in production (Watchtower auto-deployed the compromised aquasec/trivy:latest)
- Apply least-privilege IAM policies scoped to specific resources and services
- Enable CloudTrail S3 data events for object-level visibility
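The digest-pinning recommendation can be enforced with a small audit of deployment manifests. This is an added example, not tooling from the original analysis; it only reads `image:` lines in Compose or Kubernetes YAML, and the sample file, registry host names and all-zero digest are constructed placeholders.

```python
import re

DIGEST = re.compile(r"sha256:[0-9a-f]{64}")
IMAGE_LINE = re.compile(r"""^\s*(?:-\s*)?image:\s*["']?([^\s"'#]+)""")
# Constructed placeholder, not the digest of any real image.
PLACEHOLDER_DIGEST = "sha256:" + "0" * 64

def classify(ref):
    """Return 'digest', 'malformed-digest', 'tag:<tag>' or 'untagged' (implicit latest)."""
    name, at, digest = ref.partition("@")
    if at:
        return "digest" if DIGEST.fullmatch(digest) else "malformed-digest"
    last = name.rsplit("/", 1)[-1]  # a ':' before the last '/' is a registry port
    if ":" in last:
        return "tag:" + last.split(":", 1)[1]
    return "untagged"

def audit(text):
    """List (line number, reference, kind) for every image not pinned by digest."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = IMAGE_LINE.match(line)
        if m:
            kind = classify(m.group(1))
            if kind != "digest":  # any tag is mutable, including a version tag
                findings.append((n, m.group(1), kind))
    return findings

# Constructed Compose file for the demonstration.
SAMPLE = "\n".join([
    "services:",
    "  scanner:",
    "    image: aquasec/trivy:latest",
    "  cache:",
    "    image: localhost:5000/redis",
    "  api:",
    '    image: "registry.example.com:443/team/api:1.4.2"',
    "  pinned:",
    "    image: aquasec/trivy@" + PLACEHOLDER_DIGEST,
])

if __name__ == "__main__":
    for lineno, ref, kind in audit(SAMPLE):
        print(f"line {lineno}: {ref} is not digest-pinned ({kind})")
```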
The Official Soundtrack of the Trivy Supply Chain Attack
Every threat actor leaves fingerprints. TeamPCP left a playlist. Songs embedded in payloads, C2 infrastructure, and attack tooling.
hackerbot-claw is an automated penetration testing bot that scans GitHub for vulnerable projects—its user agent and behavioral patterns differ from the main attacker. MegaGame10418 is the actor who exploited the February 27 PwnRequest, exfiltrating the aqua-bot PAT. Aqua's official post-mortem confirms: "The user agent and behavioral patterns of hackerbot-claw are different than the other events inspected."
The imposter commits (1885610c, 70379aad) never merged into main. They exist in GitHub's object store due to cross-fork object sharing. The attack worked because a malicious tag (v0.69.4) was pushed that referenced these orphan commits—triggering CI/CD builds without any merge or review.
GhostClaw is a separate campaign with different TTPs and IOCs. TeamPCP uses tag hijacking and CI/CD exploitation; GhostClaw uses npm typosquatting and AI workflow hooks. Different infrastructure (registrars, C2 patterns), more social engineering-focused payloads (fake CLI installers with progress bars), and different persistence mechanisms (shell hooks, cron jobs vs. GitHub Actions). No shared IOCs or attribution overlap identified.
TeamPCP's campaigns were inspired by and named after the Dune-themed Shai-Hulud malware, but they are distinct operations. The original Shai-Hulud worm preceded TeamPCP's activity. TeamPCP adopted the branding ("Mini Shai-Hulud") for their own campaigns, creating attribution confusion.
The "Claude Code source leak" was not a TeamPCP operation. It resulted from a bundling mistake where JavaScript source was inadvertently included in a release. This was a build/packaging error, not a supply chain attack or breach.
TeamPCP did not forge or cryptographically bypass SLSA attestations. They achieved RCE within the release pipeline itself (via cache poisoning and pull_request_target exploitation), meaning the attestations were legitimately generated for malicious code. The build system was compromised, not the attestation cryptography. Additionally, this attack vector was already documented—see slsa-framework/slsa#1235 (Nov 2024).
No shared infrastructure or hard evidence links Megalodon to TeamPCP. Some theorized Megalodon could have been the source of stolen credentials used in TeamPCP attacks, but infostealer logs as a credential source is a competing—and more plausible—explanation.
A PureHVNC campaign was briefly misattributed to TeamPCP based on superficial similarities. OpenSourceMalware's analysis found the overlap limited to generic malware behaviors shared by thousands of campaigns. Strong negative indicators—no shared cryptographic keys, no infrastructure overlap, no supply chain delivery, no shared tooling, no TeamPCP branding—make attribution untenable. Most likely a commodity cybercrime operator who purchased PureHVNC and customized delivery with a bespoke PowerShell loader.
The ru_* locale exit condition is a common malware trope, not a reliable attribution indicator. Antiy Labs analysis offers a good breakdown of how TeamPCP deliberately mixes contradictory geopolitical markers: Russian folklore vocabulary with English anomalies ("RICHARD", "FIREBIRD"), Iranian/Israeli targeting in the same function, and destructive "roulette" logic that contradicts their profit motive. This is deliberate false-flag pollution, not authentic origin markers.