SOCRadar® Cyber Intelligence Inc. | Dark Web Profile: TeamPCP
Apr 09, 2026

Dark Web Profile: TeamPCP

TeamPCP is a financially motivated cybercriminal group that executed the most consequential open-source supply chain attack campaign of 2026, compromising security tools trusted by hundreds of thousands of organizations. Operating across five software ecosystems, including GitHub Actions, Docker Hub, npm, PyPI, and OpenVSX, the group weaponized the very vulnerability scanners designed to protect CI/CD pipelines, turning defenders’ tools into attack vectors. Over 1,000 SaaS environments were impacted, with roughly 500,000 credentials stolen and 300+ GB of data exfiltrated.

First documented in late 2025 as a cloud-native exploitation crew targeting exposed Docker APIs and Kubernetes clusters, TeamPCP escalated dramatically in March 2026 with a cascading supply chain campaign that compromised Aqua Security’s Trivy, Checkmarx KICS, LiteLLM, Telnyx, Palo Alto Networks, and 66+ npm packages, ultimately breaching the European Commission’s AWS environment.

The group introduced several novel techniques to the threat landscape, including the first documented abuse of the Internet Computer Protocol (ICP) blockchain for command-and-control infrastructure and a self-propagating npm worm capable of infecting victim-maintained packages without human intervention.

Threat actor card of TeamPCP


Who is TeamPCP

TeamPCP is a financially motivated, cloud-native cybercrime group first observed in November 2025. In a Forbes interview, a spokesperson using the handle T00001B said that “the group is a loose-knit group of teenagers and young adults who couldn’t find paying work.” Researchers classify the group as a cybercrime operation rather than a state-sponsored APT or ideological hacktivist collective, though the group has demonstrated destructive capabilities with geopolitical undertones.

The group operates under five confirmed aliases: PCPcat, the name of their first documented campaign; ShellForce, their data leak publication persona; DeadCatx3, a GitHub account hosting attacker tooling; CipherForce, their proprietary ransomware operation; and Persy_PCP, an earlier Telegram identity. They also maintain the @pcpcats handle on X.

CipherForce leak site victims shared via TeamPCP Telegram.


Their malware consistently self-identifies through an embedded string, “TeamPCP Cloud stealer,” which has become one of the clearest attribution markers across all campaign phases. Their Telegram channel makes the alias connections explicit, with members stating: “you may already know us as TeamPCP or Shellforce… CipherForce is a newer project we are starting to find affiliates.”

The group maintains an active Telegram presence across two channels, @team_pcp and @Persy_PCP. The primary channel grew from roughly 700 subscribers in early February 2026 to over 1,180 by late March, driven largely by media coverage of their supply chain operations. Messages from March 25, 2026 show members discussing leadership transition, working through large stores of stolen credentials, and stating explicit intent to continue targeting security tools and open-source projects in the months ahead.

TeamPCP has forged a complex web of criminal partnerships. On BreachForums, the group formally announced a partnership with the Vect Ransomware Group, an emerging Russian-speaking ransomware-as-a-service operation offering 80 to 88 percent profit shares to affiliates. The post explicitly named TeamPCP as the operators behind the Trivy and LiteLLM supply chain compromises and stated that Vect would deploy ransomware across every affected organization. Simultaneously, the group runs CipherForce as a parallel ransomware operation, creating a dual-track extortion model.

BreachForums post from Vect Ransomware Group announcing a formal partnership with TeamPCP and plans to deploy ransomware across organizations compromised in the Trivy and LiteLLM supply chain attacks.


Taken together, the CipherForce operation, the Vect partnership, and the Lapsus$ collaboration indicate that TeamPCP does not operate as a standalone actor. The group functions as an access generation engine feeding into multiple ransomware ecosystems simultaneously.

What Are TeamPCP’s Techniques?

Initial Access

TeamPCP’s entry point in the March 2026 campaign was a Pwn Request vulnerability in Trivy’s CI/CD infrastructure, exploited on February 27 by a threat actor identified as MegaGame10418. The attack abused a vulnerable pull_request_target workflow to exfiltrate the aqua-bot Personal Access Token. When Aqua Security rotated credentials, the rotation was incomplete. TeamPCP used the residual access on March 19 to push a malicious v0.69.4 tag to the Trivy repository, an incident tracked as CVE-2026-33634 (CVSS 9.4), using imposter commits — a technique that spoofs trusted contributor identities with backdated timestamps to make malicious changes appear routine on inspection.

The commits fetched malicious Go source files from the typosquatted C2 domain scan.aquasecurtiy[.]org and fed them into the build pipeline, turning Trivy’s own release process into a malware distribution channel. The poisoned release was distributed automatically through GitHub Releases, Docker Hub, AWS ECR, and GitHub Container Registry, reaching thousands of downstream pipelines within a four-hour exposure window.

This was not the group’s first large-scale initial access operation. In December 2025, TeamPCP exploited CVE-2025-29927 (CVSS 10.0), a critical React2Shell vulnerability in Next.js, to compromise over 59,000 servers in under 48 hours during Operation PCPcat.

Malicious build logic injected into Trivy's CI pipeline, fetching Go source files from a typosquatted C2 domain during the TeamPCP supply chain attack.


Credential Harvesting

The malicious GitHub Actions payload operated on a collect, encrypt, and exfiltrate model. The collection stage scraped process memory from GitHub Actions Runner.Worker processes by reading /proc/[pid]/mem and searching for patterns matching secret values. In parallel, it swept over 50 filesystem paths for SSH keys, AWS, GCP, and Azure credentials, Kubernetes tokens, Docker configuration files, .env files, database connection strings, and cryptocurrency wallet data.

Stolen material was bundled into tpcp.tar.gz using AES-256-CBC symmetric encryption with RSA-4096 key exchange before exfiltration. The runner itself became the harvesting mechanism. TeamPCP did not need to breach each target separately. Every pipeline that executed the compromised action collected and packaged its own secrets automatically.

Lateral Movement and Propagation

Each phase of the campaign was funded by credentials stolen in the previous one. The compromised aqua-bot token enabled injection into additional Aqua repositories. Harvested npm publish tokens fueled CanisterWorm, which resolved token owner identities via the npm API, enumerated all packages the compromised identity could publish to, bumped patch version numbers, and pushed malicious updates to 28 packages in under 60 seconds.

Stolen PyPI tokens enabled the LiteLLM compromise. Stolen Checkmarx CI credentials enabled the pivot to checkmarx/ast-github-action and checkmarx/kics-github-action. prop.py additionally harvested ~/.ssh/id_* keys and auth.log entries to enable SSH-based spread across local /24 subnets.

Persistence

On compromised hosts, TeamPCP installed systemd services named pgmon.service, pgmonitor.service, or internal-monitor.service with Restart=always, masquerading as PostgreSQL monitoring tooling. On Kubernetes clusters, the kamikaze.sh payload deployed privileged DaemonSets with hostPath: / mounts in the kube-system namespace. Standard backdoor deployments used the host-provisioner-std DaemonSet name. Iranian-targeted nodes received host-provisioner-iran instead.
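
One way to check a cluster for the DaemonSet pattern described above, as an added example that is not from the original article or from any vendor tooling: it reads the JSON printed by `kubectl get daemonsets -A -o json` and flags privileged containers that mount the node's root filesystem, plus the two reported names. The sample objects, including the `log-agent` and `node-exporter` entries, are constructed for illustration.

```python
import json

# DaemonSet names reported on this page.
REPORTED_NAMES = {"host-provisioner-std", "host-provisioner-iran"}


def host_root_volumes(pod_spec):
    """Names of volumes whose hostPath is the node's root filesystem."""
    roots = set()
    for vol in pod_spec.get("volumes", []):
        path = (vol.get("hostPath") or {}).get("path", "")
        if path and path.strip("/") == "":
            roots.add(vol["name"])
    return roots


def audit_daemonset(ds):
    """Return findings for one DaemonSet object (empty list = nothing flagged)."""
    findings = []
    if ds["metadata"]["name"] in REPORTED_NAMES:
        findings.append("name matches a reported DaemonSet name")
    pod_spec = ds["spec"]["template"]["spec"]
    roots = host_root_volumes(pod_spec)
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        privileged = (c.get("securityContext") or {}).get("privileged") is True
        mounts_root = any(m["name"] in roots for m in c.get("volumeMounts", []))
        if privileged and mounts_root:
            findings.append(f"container '{c['name']}' is privileged and mounts host /")
        elif mounts_root:
            findings.append(f"container '{c['name']}' mounts host / (unprivileged, review)")
    return findings


def audit(kubectl_json):
    """Map 'namespace/name' -> findings for every flagged DaemonSet."""
    report = {}
    for ds in json.loads(kubectl_json).get("items", []):
        findings = audit_daemonset(ds)
        if findings:
            meta = ds["metadata"]
            report[f"{meta.get('namespace', 'default')}/{meta['name']}"] = findings
    return report


def _ds(ns, name, host_path, privileged):
    """Build a minimal constructed DaemonSet object for the sample below."""
    return {
        "metadata": {"namespace": ns, "name": name},
        "spec": {"template": {"spec": {
            "volumes": [{"name": "host", "hostPath": {"path": host_path}}],
            "containers": [{
                "name": "main",
                "securityContext": {"privileged": privileged},
                "volumeMounts": [{"name": "host", "mountPath": "/host"}],
            }],
        }}},
    }


# Constructed sample, shaped like `kubectl get daemonsets -A -o json` output.
SAMPLE = json.dumps({"items": [
    _ds("kube-system", "kube-proxy", "/lib/modules", True),
    _ds("kube-system", "host-provisioner-std", "/", True),
    _ds("kube-system", "log-agent", "/", True),
    _ds("monitoring", "node-exporter", "/", False),
]})

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, "->", "; ".join(findings))
```

The structural check (privileged plus host root mount) still fires when the DaemonSet is renamed, which the name match alone would miss.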

Defense Evasion

The kamikaze.sh payload iterated through five versions in under three hours on March 22, with each version introducing new evasion capabilities. Version 3.3 introduced the most technically notable technique: Python payloads embedded as base64-encoded data inside valid WAV audio files. The files carried authentic RIFF headers and presented as legitimate 8-bit mono audio at 44100 Hz to file type detection systems. Extraction required only Python’s native wave module. The technique bypassed .py file extension filters and evaded string-based static analysis signatures without any custom tooling.
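
A detection check for the WAV carrier described above (added example, not code from the article or from the malware): it reads the sample data with Python's `wave` module and flags files whose audio bytes are valid base64 rather than PCM. The thresholds, the helper names, and both in-memory sample files are assumptions constructed for illustration; the flagged sample carries only harmless text.

```python
import base64
import binascii
import io
import math
import string
import wave

B64_BYTES = set((string.ascii_letters + string.digits + "+/=\r\n").encode())
PRINTABLE = set(string.printable.encode())


def inspect_wav(data, min_len=64, threshold=0.98):
    """Report whether the sample data of a WAV (given as bytes) is base64 text."""
    with wave.open(io.BytesIO(data), "rb") as w:
        params, frames = w.getparams(), w.readframes(w.getnframes())
    report = {"format": (params.nchannels, params.sampwidth * 8, params.framerate),
              "b64_ratio": 0.0, "decoded_printable": 0.0, "suspicious": False}
    if len(frames) < min_len:
        return report
    # Real PCM audio spreads over the byte range; base64 uses only 64 symbols.
    report["b64_ratio"] = sum(b in B64_BYTES for b in frames) / len(frames)
    if report["b64_ratio"] < threshold:
        return report
    try:
        decoded = base64.b64decode(b"".join(frames.split()), validate=True)
    except binascii.Error:
        return report
    if decoded:
        # Valid base64 in the audio data is the flag; a printable result
        # additionally suggests an embedded script rather than binary data.
        report["decoded_printable"] = sum(b in PRINTABLE for b in decoded) / len(decoded)
        report["suspicious"] = True
    return report


def make_wav(frames):
    """Build an 8-bit mono 44100 Hz WAV in memory (used only for the samples)."""
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(1)
        w.setframerate(44100)
        w.writeframes(frames)
    return buf.getvalue()


# Constructed samples: one second of a 440 Hz tone, and harmless text as base64.
TONE = bytes(int(128 + 100 * math.sin(2 * math.pi * 440 * n / 44100)) for n in range(44100))
BENIGN_WAV = make_wav(TONE)
CARRIER_WAV = make_wav(base64.b64encode(b"print('constructed sample')\n" * 8))

if __name__ == "__main__":
    for label, blob in (("tone", BENIGN_WAV), ("carrier", CARRIER_WAV)):
        print(label, inspect_wav(blob))
```

Both samples report the same 8-bit mono 44100 Hz format, which is why a header-only file type check does not separate them.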

Simplified kamikaze.sh environment fingerprinting logic showing how TeamPCP's wiper selectively targets Iranian Kubernetes nodes while deploying a persistent backdoor on all other systems.


Exfiltration

TeamPCP built redundancy into every exfiltration path. The primary channel used attacker-controlled typosquatted domains and Cloudflare Tunnel infrastructure. If primary exfiltration failed, the malware created a repository named tpcp-docs inside the victim’s own GitHub organization and uploaded the encrypted archive as a release asset using the victim’s GITHUB_TOKEN. The Checkmarx phase used the same fallback logic under the docs-tpcp naming variant. Using the victim’s own infrastructure reduced the suspicion profile of outbound traffic and improved resilience against C2 takedowns.

Timeline of TeamPCP Attacks in the Supply Chain Campaign

The March 2026 campaign did not begin with a single dramatic breach. It built gradually, with each phase unlocking the next. At its core, this was a cascading trust attack. TeamPCP did not need a fresh exploit at each step. Instead, the group harvested secrets from every environment that executed a compromised action or artifact, then reused those credentials to move into adjacent repositories, registries, and developer tooling.

What started as an incomplete credential rotation after a February 27 Pwn Request attack became a five-day operation that crossed GitHub Actions, Docker Hub, npm, PyPI, OpenVSX, and two separate vendor ecosystems. The timeline below shows how each step fed into the one that followed.

| Date | Incident | Why It Matters |
|---|---|---|
| February 27, 2026 | A prior “Pwn Request” attack exposes a Trivy CI/CD service account token. | This earlier exposure creates the conditions for later follow-on compromise if remediation is incomplete. |
| March 19, 2026 | TeamPCP abuses that access to push a malicious v0.69.4 tag to Trivy. | The campaign begins at the source, turning a trusted release path into a malware distribution channel. |
| March 19, 2026 | Malicious Trivy-related GitHub Actions, including trivy-action and setup-trivy, begin harvesting runner secrets. | The attack shifts from artifact poisoning to CI/CD credential theft, enabling wider downstream compromise. |
| March 20–21, 2026 | Stolen secrets are reused across connected environments and trust paths. | This is where the incident becomes a cascading supply chain event rather than a single-vendor breach. |
| March 22, 2026 | Malicious Trivy Docker Hub images 0.69.5 and 0.69.6 appear without corresponding GitHub releases or tags. | The actor shows it can bypass GitHub-based release controls and use registry access directly. |
| March 22, 2026 | Aqua’s internal aquasec-com GitHub organization is defaced through a compromised service account. | The blast radius extends into internal repositories, highlighting the danger of bridged bot accounts and broad token scope. |
| March 22, 2026 | Malicious litellm releases appear on PyPI as the campaign expands into package ecosystems. | This shows the operation is no longer limited to GitHub Actions and container images, and is now using stolen publish access to reach developers through package managers. |
| March 22, 2026 | The broader campaign escalates with CanisterWorm propagation and destructive activity targeting Iranian environments. | The operation evolves beyond theft into worm-like spread and selective destructive behavior. |
| March 23, 2026 | Malicious OpenVSX versions of ast-results v2.53.0 and cx-dev-assist v1.7.0 are published through a compromised Checkmarx account. | The campaign expands into developer tooling and tests for cloud and GitHub credentials on victim systems. |
| March 23, 2026 | Checkmarx says only OpenVSX downloads during the affected UTC window are potentially impacted, and releases clean versions. | This narrows the directly affected population but confirms the incident has reached the Checkmarx ecosystem. |
| March 23–24, 2026 | checkmarx/ast-github-action and checkmarx/kics-github-action are found compromised with TeamPCP-linked credential stealer logic. | Checkmarx becomes a central phase of the campaign, showing how earlier stolen CI secrets can be reused across vendors. |
| March 24, 2026 | Security guidance focuses on rotating secrets, auditing logs for tpcp.tar.gz, hunting for docs-tpcp and tpcp-docs, and pinning actions to SHAs. | The response shifts from isolated remediation to ecosystem-wide incident response and trust reduction. |
| March 27, 2026 | Telnyx Python SDK versions 4.87.1 and 4.87.2 compromised on PyPI via the same WAV steganography technique, with a new C2 at 83[.]142[.]209[.]203. The package had 742,000 monthly downloads. | Confirms the campaign is still actively expanding into new PyPI targets using the same CanisterWorm credential-theft and WAV delivery pattern. |
| April 2–3 | CERT-EU officially attributed the breach of the European Commission’s AWS environment to TeamPCP. | Approximately 92 GB of compressed data was stolen from 42 internal departments and 29 EU entities. ShinyHunters published ~340 GB (uncompressed) of this data on their dark web leak site. |

Other confirmed victims include Mercor AI (an AI training data company supplying OpenAI, Anthropic, and Meta), Sportradar AG, and JobsGO (2.3 million candidate records exfiltrated).

Recent identity-centered incidents involving platforms such as Salesforce, Gainsight, and Salesloft have demonstrated a familiar logic: a single compromised integration can expose trusted tokens that seed follow-on access across connected systems. TeamPCP applies the same principle to CI/CD pipelines. In their case, secrets harvested from one trusted GitHub Actions workflow became the entry point for subsequent compromises across vendor repositories, developer tooling, and package registries — transforming a localized credential theft into a cascading, multi-ecosystem breach.

Why Does the TeamPCP Campaign Matter Beyond the Affected Vendors?

The TeamPCP campaign exposed structural weaknesses that extend far beyond Aqua Security, Checkmarx, or any individual vendor. The real issue was transitive trust. One poisoned GitHub Action could collect credentials that opened the door to other workflows, other vendors, and other environments. Supply chain attacks are no longer just about corrupting software delivery. As security researcher Alon Gal noted in response to the incident, they are becoming a way to accumulate large stores of valid, high-privilege access that can be reused quietly over time.

Four structural weaknesses made this campaign as damaging as it was:

  • Long-lived credentials: Service account PATs, package publish tokens, and registry credentials provided durable access that attackers reused across multiple phases well after the initial compromise was detected.
  • Under-monitored CI/CD environments: Build runners, release pipelines, and automation hosts had access to source code, signing paths, package publishing rights, and cloud credentials, yet received far less scrutiny than production systems.
  • Tag-based trust: Workflows that referenced GitHub Actions by tag rather than by full commit SHA became silent credential collection points the moment a tag was force-pushed.
  • Identity is the real target: The deepest problem was not poisoned code but stolen identity. In modern software delivery environments, tokens and service accounts are the real high-value targets.
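
The tag-based trust weakness above can be audited mechanically. The following is an added example, not part of the original article or any vendor's tooling: it scans workflow YAML for `uses:` references that are not pinned to a full 40-character commit SHA and marks the actions this page names as compromised. The `aquasecurity/` owner prefix for trivy-action and setup-trivy is filled in from the public repository names; the sample workflow, its tags, and its SHA are constructed.

```python
import re

# Matches a `uses:` step or reusable-workflow reference in workflow YAML.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^'"\s#]+)""")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Actions named on this page as compromised during the campaign.
NAMED_ON_PAGE = {
    "aquasecurity/trivy-action", "aquasecurity/setup-trivy",
    "checkmarx/ast-github-action", "checkmarx/kics-github-action",
}


def classify(ref):
    """Classify one `uses:` value as 'local', 'pinned', or 'mutable'."""
    if ref.startswith("./"):
        return "local"
    if ref.startswith("docker://"):
        return "pinned" if "@sha256:" in ref else "mutable"
    _, _, version = ref.partition("@")
    # Tags, branches, and abbreviated SHAs can all be moved or re-resolved.
    return "pinned" if FULL_SHA_RE.match(version) else "mutable"


def audit_workflow(text):
    """Return one finding per reference that is not pinned to an immutable ID."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m or classify(m.group(1)) != "mutable":
            continue
        ref = m.group(1)
        # Reduce owner/repo/sub/path@ref to owner/repo for the lookup.
        repo = "/".join(ref.partition("@")[0].split("/")[:2]).lower()
        findings.append({"line": lineno, "ref": ref,
                         "named_on_page": repo in NAMED_ON_PAGE})
    return findings


# Constructed sample workflow; tags and the SHA are illustrative only.
SAMPLE = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@main
      - uses: aquasecurity/setup-trivy@0123456789abcdef0123456789abcdef01234567 # constructed SHA
      - name: build
        uses: ./.github/actions/build
      - uses: checkmarx/kics-github-action@abc1234
      - uses: docker://alpine:3.20
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE):
        flag = "  <-- named on this page" if f["named_on_page"] else ""
        print(f"line {f['line']}: {f['ref']} is not pinned{flag}")
```

A full SHA only fixes which commit runs; the imposter commits listed in the IoC table are themselves full SHAs, so the pinned commit still has to be one that was reviewed.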

What Are the Key Lessons from the TeamPCP Campaign?

Three lessons stand out for defenders:

  • Incomplete remediation can be as dangerous as the original breach. The root cause of the entire March 2026 campaign was a token that was not rotated atomically following the February 27 Pwn Request attack. A single hidden trust path left open seeded every subsequent phase.
  • Software supply chain security has become inseparable from identity security. The key asset in this campaign was not code. It was the credentials wrapped around the code delivery process.
  • Attack surface matters more than novelty. TeamPCP did not need a single exotic exploit. The group chained together familiar weaknesses: long-lived credentials, high-privilege service accounts, trust in mutable tags, under-monitored runners, and connected vendor ecosystems.

Is TeamPCP Still a Threat?

In early April 2026, the campaign remained active. Several developments confirm the group has no intention of stopping:

  • The Telnyx Python SDK was compromised on PyPI at 03:51 UTC on March 27, confirming active expansion into new targets using the same WAV steganography delivery pattern.
  • On April 2–3, CERT-EU officially attributed the breach of the European Commission’s AWS environment to TeamPCP. Approximately 92 GB of compressed data was stolen from 42 internal departments and 29 EU entities. ShinyHunters subsequently published approximately 340 GB (uncompressed) of this data on their dark web leak site, marking the first confirmed nation-state-tier institutional victim of the campaign.
  • A leadership transition was announced on Telegram, with the original operator DMT stepping down and a new leader operating under the alias T00001B taking control. The new leadership confirmed the operation would continue and that new partners had already joined.
  • The Vect Ransomware Group announced a formal partnership with TeamPCP on BreachForums, stating intent to deploy ransomware across every organization affected by the Trivy and LiteLLM compromises.

The campaign that began as a supply chain credential theft operation has expanded into a multi-group ransomware deployment pipeline, and there is no indication it has reached its final target.

What TTPs Does TeamPCP Use? (MITRE ATT&CK Mapping)

| Tactic | Technique ID | Technique | Detail |
|---|---|---|---|
| Initial Access | T1195.001 | Supply Chain Compromise: Software Dependencies | Poisoned Trivy GitHub Actions, npm packages, PyPI (litellm), and OpenVSX extensions. |
| Execution | T1059.004 | Command and Scripting: Bash/Python | kamikaze.sh acts as the bash loader, while kube.py and prop.py serve as Python controllers. |
| Persistence | T1543.002 | Create/Modify System Process: systemd | pgmon.service and pgmonitor.service are used with Restart=always on compromised hosts. |
| | T1610 | Deploy Container | Privileged Kubernetes DaemonSets are deployed in kube-system, including host-provisioner-std and host-provisioner-iran. |
| Defense Evasion | T1027 | Obfuscated Files / Steganography | Version 3.3 embeds Python payloads inside WAV audio files using base64 encoding. |
| | T1036 | Masquerading | Imposter commits spoof GPG-associated identities, while PostgreSQL-themed service names help blend in. |
| Credential Access | T1552 | Unsecured Credentials in Process Memory | /proc/[pid]/mem scraping targets Runner.Worker, alongside a sweep of 50+ filesystem paths. |
| Collection | T1560 | Archive Collected Data | AES-256-CBC and RSA-4096 hybrid encryption is used to package stolen data into tpcp.tar.gz. |
| Exfiltration | T1567.001 | Exfiltration to Code Repository | A fallback mechanism creates a tpcp-docs repository in the victim GitHub org and uploads stolen data as a release asset. |
| Lateral Movement | T1021.004 | Remote Services: SSH | prop.py harvests ~/.ssh/id_* keys and auth.log entries to support SSH-based spread. |
| Impact | T1485 | Data Destruction | An Iran-targeted wiper executes rm -rf / on Kubernetes nodes and non-Kubernetes Iranian hosts. |

What Are TeamPCP’s Indicators of Compromise (IoCs)?

| Type | Indicator / Value | Context |
|---|---|---|
| Domain | scan.aquasecurtiy[.]org | Primary C2 typosquat; resolves to 45.148.10.212. |
| IP | 45.148.10.212 | Command-and-control server. |
| ICP Canister | tdtqy-oyaaa-aaaae-af2dq-cai[.]raw[.]icp0[.]io | Fallback C2 via Internet Computer Protocol. |
| CF Tunnel | create-sensitivity-grad-sequence[.]trycloudflare[.]com | Current C2 for versions 3.2 and 3.3; serves kamikaze.sh, bg_kube.wav, and bg_prop.wav. |
| | championships-peoples-point-cassette[.]trycloudflare[.]com | C2 for versions 3.0 and 3.1; now inactive. |
| | plug-tab-protective-relay[.]trycloudflare[.]com | Phase 02 exfiltration endpoint tied to tfsec and traceeshark workflow injection. |
| Domain | checkmarx[.]zone | Phase 08 C2 and second-stage delivery infrastructure for the Checkmarx campaign. |
| GitHub Commit | 70379aad1a8b40919ce8b382d3cd7d0315cde1d0 | Imposter commit in actions/checkout, spoofing the rauchg identity. |
| | 1885610c6a34811c8296416ae69f568002ef11ec | Imposter commit in aquasecurity/trivy, spoofing the DmitriyLewen identity. |
| File | /tmp/pglog; /tmp/.pg_state | Runtime artifacts seen across multiple kamikaze.sh versions as part of PostgreSQL-themed masquerading. |
| | /var/lib/pgmon/pgmon.py; /var/lib/svc_internal/runner.py | Persistent Python stager paths. |
| Systemd | pgmon.service; pgmonitor.service; internal-monitor.service | Persistence service names observed across payload versions. |
| Kubernetes | host-provisioner-std; host-provisioner-iran | Privileged DaemonSet names in kube-system using hostPath:/. |
| GitHub Repo | tpcp-docs (any org); repos prefixed tpcp-docs-* | Fallback exfiltration repos and internal organization defacement markers. |
| npm | @EmilGroup (28 packages); @opengov (16 packages); @teale.io; @airtm; @pypestream | npm scopes tied to CanisterWorm-infected packages. |
| PyPI | litellm==1.82.7; litellm==1.82.8 | Compromised PyPI releases later quarantined after a short exposure window. |
| VSIX | ast-results v2.53.0; cx-dev-assist v1.7.0 | Malicious OpenVSX extensions published through the compromised ast-phoenix account. |