
Worm in the Registry: IronWorm's Rust-Powered npm Supply Chain Assault on Developer Credentials
Indicators of Compromise
No domains found for this campaign
APT Groups (1)
TeamPCP is a financially motivated cybercrime group that emerged in late 2025. They specialize in supply chain attacks on cloud-native ecosystems (GitHub Actions, Docker Hub, npm, PyPI, OpenVSX) to inject credential stealers, deploy ransomware, and perform destructive operations. The group has demonstrated advanced automation, cloud-native tactics, and selective wiper behavior.
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
REMEDIATION/DETECTION
| Tactic | Technique | ID | Reference |
|---|---|---|---|
| Initial Access | Supply Chain Compromise: Compromise Software Supply Chain | | |
| Execution | Command and Scripting Interpreter | | |
| Execution | Software Deployment Tools | | |
| Credential Access | Unsecured Credentials: Credentials in Files | | |
| Credential Access | Unsecured Credentials: Environment Variables | | |
| Defense Evasion | Rootkit | | |
| Defense Evasion | Masquerading | | |
| Defense Evasion | Indicator Removal: Timestomp | | |
| Persistence | Compromise Host Software Binary | | |
| Command & Control | Proxy: Tor | | |
| Exfiltration | Exfiltration Over C2 Channel | | |
| Lateral Movement | Valid Accounts | | |