Active Investigation

TeamPCP Supply Chain Campaign

A multi-week, multi-ecosystem attack chain spanning GitHub Actions, Docker Hub, npm, PyPI, and OpenVSX. Impacted so far: Aqua's Trivy, Checkmarx KICS, and LiteLLM.

Last updated: 2026-04-01 16:32 UTC Reach me (tip? feedback?)

Loading summary...

Thread 01

How did they gain access to push the malicious v0.69.4 tag?

The attacker was able to push a tag to aquasecurity/trivy pointing to a malicious commit. This requires write access to the repository. Was this via a compromised PAT, GitHub App, or deploy key?

Resolution: Aqua Security confirmed the attack stemmed from incomplete containment of the March 1, 2026 incident. Credential rotation "wasn't atomic and attackers may have been privy to refreshed tokens."

Official disclosure ↗

Resolved

Thread 02

Was aqua-bot the initial access vector, or only compromised via /trivy?

The aqua-bot service account was used for lateral movement to tfsec, traceeshark, and trivy-action. However, it's unclear whether aqua-bot credentials were the initial compromise, or if they were harvested from the trivy repository's secrets after the v0.69.4 tag push triggered workflows.

Resolution: The official disclosure confirms incomplete credential rotation from the first incident allowed attackers to capture refreshed tokens, including aqua-bot credentials.

Official disclosure ↗

Resolved

Thread 03

What was the v0.70.0 trivy attacker tag?

At 17:51:17 UTC on March 19, a v0.70.0 tag was deleted. The commit (9dbb34d3ec0f) was authored by aqua-bot on March 16 — 3 days earlier — with message "Updates", modifying cmd/trivy/main.go, pkg/github/auth.go, pkg/github/repowrite.go, pkg/github/runner.go. This suggests aqua-bot compromise may predate March 19.

View commit (via Adnan Khan) ↗

Unresolved

Thread 04

What was the setup-trivy poisoning?

All 7 tags (v0.2.0-v0.2.6) were force-pushed to malicious commits. Commit 8afa9b9f spoofed contributor "thara" (Tomochika Hara). Message: "Pin Trivy install script checkout to a specific commit (#28)". Spoofed date: 2026-01-15. Exposure window: ~4 hours (17:43-21:44 UTC Mar 19).

Malicious commit ↗ Victim example (grafana) ↗

Resolved

Thread 05

Is DarkSeek3r related?

A GitHub user "DarkSeek3r" (user ID 266895321) was created at 2026-03-10T01:44:23. Their only public activity was forking aquasecurity/trivy and actions/checkout — the exact repositories used in this attack. Update: Account renamed to octocommit on Mar 10 — still active, not deleted.

Improved by feedback · Paul McCarty View Gist (bored-engineer) ↗

Unresolved

Download JSON

Loading indicators...

Repository

HackingLZ/litellm_1.82.8_payload ↗

Full defanged 3-stage payload from LiteLLM 1.82.8. Includes orchestrator, collector, and persistence components with shared RSA 4096-bit public key (strongest attribution link across all TeamPCP payloads).

# Stage 1: Orchestrator (litellm_init.pth)
Auto-executes on Python startup via CPython T1546.018
50-minute polling interval to C2
"Bad Apple!!" anti-sandbox: returns youtube.com link

# Stage 2: Collector (proxy_server.py)
Credential sweeper: 50+ sensitive file paths
Cloud metadata (IMDS) theft
Kubernetes service account tokens

# Stage 3: Persistence (sysmon.py)
~/.config/systemd/user/sysmon.py
RSA-encrypted exfiltration bundles
            

Show details

Repository

nxb1t/litellm-1.82.7_sample ↗

Three payload variants from LiteLLM 1.82.7 with RC4 obfuscation. Demonstrates evolution of obfuscation techniques across versions.

# Variants included
litellm_init.pth (base64 + zlib)
proxy_server.py (RC4 encrypted strings)
sysmon.py (persistence backdoor)

# Key difference from 1.82.8
Uses checkmarx.zone C2 (shared with KICS)
Same RSA public key as 1.82.8
            

Show details

Repository

HackingLZ/telnyx_4.87.1_payload ↗

Defanged payload from Telnyx PyPI 4.87.1/4.87.2. WAV steganography delivery with platform-specific payloads for Windows and Linux/macOS.

# Delivery mechanism
WAV steganography: payloads hidden in audio frames
hangup.wav (Windows), ringtone.wav (Linux/macOS)

# Windows payload
XOR-decrypted executable dropped as msbuild.exe
Persistence via Startup folder

# Linux/macOS payload
Credential sweeper with AES-256-CBC + RSA-4096
Same RSA public key as LiteLLM payloads
            

Show details

External

MalwareBazaar: teampcp samples ↗

Community-submitted malware samples tagged with TeamPCP. Includes binaries, scripts, and payloads with downloadable samples and YARA rules.

Threat Actor

TeamPCP

Also known as PCPcat, Persy_PCP, ShellForce, CipherForce, and DeadCatx3. Emerged as a significant threat to cloud-native infrastructure in late 2025.

Self-attribution string "TeamPCP Cloud stealer" found in the trivy-action payload links this incident to the group.

Telegram: @Persy_PCP, @teampcp

View on Wiz Threat Center ↗

Targets

Cloud-Native Infrastructure

Docker APIs
Kubernetes clusters
GitHub Actions runners
Ray dashboards
Redis servers
CI/CD pipelines
          

TTPs

Common Techniques

# Initial Access
Supply chain poisoning (GitHub Actions, package registries)
Exposed service exploitation (Docker, K8s, Redis)

# Credential Harvesting
/proc/[pid]/mem memory scraping
Filesystem credential sweeping (50+ paths)
Cloud metadata service (IMDS) theft

# Exfiltration
Typosquatted domains
Cloudflare Tunnels (ephemeral C2)
GitHub dead drops (tpcp-docs repos)
ICP-hosted fallback infrastructure

# Objectives
Credential theft → lateral movement
Ransomware deployment
Cryptomining
Extortion
          

Source

Flare.io Analysis

"TeamPCP Cloud-Native Ransomware" — detailed analysis of the December 2025 worm-driven campaign targeting cloud infrastructure.

Source

Beelzebub Analysis

Next.js exploit campaign analysis — 59K compromises in 33 hours. Reveals Telegram handles and Singapore C2 infrastructure.

The Official Soundtrack of the Trivy Supply Chain Attack

Every threat actor leaves fingerprints. TeamPCP left a playlist. Songs embedded in payloads, C2 infrastructure, and attack tooling.

Big City Life

Mattafix

scan.aquasecurtiy.org Primary C2

Thank You

Dido

ICP Fallback 03/22 14:45 UTC

God Is in the Rhythm

King Gizzard And The Lizard Wizard

ICP Fallback 03/22 15:20 UTC

Except Crime

YTCracker

ICP Fallback 03/22 15:57 UTC

Instant Message

Yung Innanet

ICP Fallback 03/22 19:27 UTC

Teardrop

Massive Attack

ICP Fallback 03/22 19:56 UTC

Drinking

bôa

ICP Fallback 03/22 20:12 UTC

The Show Must Go On

Queen

checkmarx[.]zone/vsx 03/23 12:53 UTC

Bad Apple!!

Touhou (English Remaster)

checkmarx[.]zone 03/24 13:39 UTC

Mr. Trololo

Eduard Khil

nsa[.]cat Attacker VPS

01 / 10

Myth #1

"hackerbot-claw compromised Trivy"

Reality: hackerbot-claw is an automated penetration testing bot that scans GitHub for vulnerable projects—its user agent and behavioral patterns differ from the main attacker. MegaGame10418 is the actor who exploited the February 27 PwnRequest, exfiltrating the aqua-bot PAT. Aqua's official post-mortem confirms: "The user agent and behavioral patterns of hackerbot-claw are different than the other events inspected."

Myth #2

"Malicious commits landed in Trivy's main branch"

Reality: The imposter commits (1885610c, 70379aad) never merged into main. They exist in GitHub's object store due to cross-fork object sharing. The attack worked because a malicious tag (v0.69.4) was pushed that referenced these orphan commits—triggering CI/CD builds without any merge or review.

Myth #3

"GhostClaw is related to TeamPCP"

Reality: GhostClaw is a separate campaign with different TTPs and IOCs. TeamPCP uses tag hijacking and CI/CD exploitation; GhostClaw uses npm typosquatting and AI workflow hooks. Different infrastructure (registrars, C2 patterns), more social engineering-focused payloads (fake CLI installers with progress bars), and different persistence mechanisms (shell hooks, cron jobs vs. GitHub Actions). No shared IOCs or attribution overlap identified.