2026-03-19
Dormant

TeamPCP Supply Chain Campaign

A multi-week, multi-ecosystem attack chain spanning GitHub Actions, Docker Hub, npm, PyPI, and OpenVSX. Impacted so far: Aqua's Trivy, Checkmarx KICS, and LiteLLM.

Repository

HackingLZ/litellm_1.82.8_payload ↗

Full defanged 3-stage payload from LiteLLM 1.82.8. Includes orchestrator, collector, and persistence components with shared RSA 4096-bit public key (strongest attribution link across all TeamPCP payloads).

Repository

nxb1t/litellm-1.82.7_sample ↗

Three payload variants from LiteLLM 1.82.7 with RC4 obfuscation. Demonstrates evolution of obfuscation techniques across versions.

Repository

HackingLZ/telnyx_4.87.1_payload ↗

Defanged payload from Telnyx PyPI 4.87.1/4.87.2. WAV steganography delivery with platform-specific payloads for Windows and Linux/macOS.

External

MalwareBazaar: teampcp samples ↗

Community-submitted malware samples tagged with TeamPCP. Includes binaries, scripts, and payloads with downloadable samples and YARA rules.

Threat Actor

TeamPCP

Also known as PCPcat, Persy_PCP, ShellForce, CipherForce, and DeadCatx3. Emerged as a significant threat to cloud-native infrastructure in late 2025.

Self-attribution string "TeamPCP Cloud stealer" found in the trivy-action payload links this incident to the group.

Telegram: @Persy_PCP, @teampcp

View on Wiz Threat Center ↗
Targets

Cloud-Native Infrastructure

Docker APIs, Kubernetes clusters, GitHub Actions runners, Ray dashboards, Redis servers, CI/CD pipelines
TTPs

Common Techniques

# Initial Access
Supply chain poisoning (GitHub Actions, package registries)
Exposed service exploitation (Docker, K8s, Redis)

# Credential Harvesting
/proc/[pid]/mem memory scraping
Filesystem credential sweeping (50+ paths)
Cloud metadata service (IMDS) theft

# Exfiltration
Typosquatted domains
Cloudflare Tunnels (ephemeral C2)
GitHub dead drops (tpcp-docs repos)
ICP-hosted fallback infrastructure

# Objectives
Credential theft → lateral movement
Ransomware deployment
Cryptomining
Extortion
Source

Flare.io Analysis

"TeamPCP Cloud-Native Ransomware" — detailed analysis of the December 2025 worm-driven campaign targeting cloud infrastructure.

Source

Beelzebub Analysis

Next.js exploit campaign analysis — 59K compromises in 33 hours. Reveals Telegram handles and Singapore C2 infrastructure.


The Official Soundtrack of the Trivy Supply Chain Attack

Every threat actor leaves fingerprints. TeamPCP left a playlist. Songs embedded in payloads, C2 infrastructure, and attack tooling.

Myth #1

"hackerbot-claw compromised Trivy"

Reality: hackerbot-claw is an automated penetration testing bot that scans GitHub for vulnerable projects—its user agent and behavioral patterns differ from the main attacker. MegaGame10418 is the actor who exploited the February 27 PwnRequest, exfiltrating the aqua-bot PAT. Aqua's official post-mortem confirms: "The user agent and behavioral patterns of hackerbot-claw are different than the other events inspected."

Myth #2

"Malicious commits landed in Trivy's main branch"

Reality: The imposter commits (1885610c, 70379aad) never merged into main. They exist in GitHub's object store due to cross-fork object sharing. The attack worked because a malicious tag (v0.69.4) was pushed that referenced these orphan commits—triggering CI/CD builds without any merge or review.
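A defender-side gate for exactly this failure mode, added here as an illustration and not part of this site's or Trivy's tooling: before a tag-triggered release build runs, confirm the tagged commit is reachable from the protected branch, so a tag pointing at an unmerged commit is refused. The ancestry walk runs over a constructed commit graph modeled on the scenario above (placeholder hashes, not the real Trivy commits; v0.69.3 is a made-up good tag); the `git_parents` helper that would feed it from a real checkout is an assumed addition.

```python
import subprocess
from collections import deque

# Constructed commit graph mirroring the scenario: main is c1 -> c2 -> c3,
# while x1 -> x2 hang off c1 and were never merged (orphan commits that
# exist only in the object store). Hashes are placeholders, not real ones.
PARENTS = {
    "c1": [],
    "c2": ["c1"],
    "c3": ["c2"],
    "x1": ["c1"],
    "x2": ["x1"],
}
BRANCH_HEAD = {"main": "c3"}
TAGS = {"v0.69.3": "c3", "v0.69.4": "x2"}  # v0.69.4 points at the orphan commit


def is_ancestor(parents, candidate, head):
    """True if `candidate` is reachable by walking parent links from `head`."""
    seen, queue = set(), deque([head])
    while queue:
        commit = queue.popleft()
        if commit == candidate:
            return True
        if commit in seen:
            continue
        seen.add(commit)
        queue.extend(parents.get(commit, []))
    return False


def tag_is_safe_to_build(tag, parents=PARENTS, tags=TAGS, heads=BRANCH_HEAD, branch="main"):
    """Release gate: only build tags whose commit is already on the protected branch."""
    target = tags.get(tag)
    if target is None:
        return False  # unknown tag: refuse rather than guess
    return is_ancestor(parents, target, heads[branch])


def git_parents(repo_path):
    """Assumed helper: build the parent map from a real checkout via `git rev-list --parents --all`."""
    out = subprocess.run(["git", "-C", repo_path, "rev-list", "--parents", "--all"],
                         check=True, capture_output=True, text=True).stdout
    return {sha: ps for sha, *ps in (line.split() for line in out.splitlines())}


if __name__ == "__main__":
    for tag in TAGS:
        verdict = "build" if tag_is_safe_to_build(tag) else "REFUSE (commit not on main)"
        print(f"{tag}: {verdict}")
```

The gate must run from a workflow definition taken from the protected branch, since a tag-triggered workflow file is read from the tagged commit and is therefore itself under the tag pusher's control.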

Myth #3

"GhostClaw is related to TeamPCP"

Reality: GhostClaw is a separate campaign with different TTPs and IOCs. TeamPCP uses tag hijacking and CI/CD exploitation; GhostClaw uses npm typosquatting and AI workflow hooks. It has different infrastructure (registrars, C2 patterns), more social-engineering-focused payloads (fake CLI installers with progress bars), and different persistence mechanisms (shell hooks and cron jobs vs. GitHub Actions). No shared IOCs or attribution overlap have been identified.

This site was created by Rami McCarthy (@ramimacisabird), Principal Security Researcher @ Wiz.