A new wave of software supply chain attacks has put developers and security teams on high alert.
The threat group behind it, known as TeamPCP, has been quietly slipping malicious code into trusted development and security tools used by companies worldwide.
Once inside, the group harvests cloud credentials, SSH keys, and other sensitive secrets that can unlock entire corporate networks.
What makes this campaign especially dangerous is its scale and its target selection. Rather than going after random victims, TeamPCP has focused on tools that developers already trust and use every day inside their build pipelines.
That trust is exactly what the attackers exploited to spread malware far beyond a single company.
The FBI said in a report shared with Cyber Security News (CSN) that TeamPCP has conducted large-scale software supply chain compromises by targeting widely used developer and security tools.
The bureau warned that the group gained access to victim environments and extracted sensitive data, including cloud access tokens, SSH keys, and Kubernetes secrets.
Beyond stealing data, TeamPCP has also turned to extortion. The group has published victim names on a public leak site and threatened to release stolen information unless demands are met.
This shift from quiet espionage to public pressure adds another layer of risk. Security teams are being urged to treat any exposure from this campaign as an ongoing threat rather than a one-time event.
Even after cleanup, stolen credentials can resurface months later in the hands of other criminal groups looking to cash in on the access TeamPCP obtained.
FBI Warns TeamPCP Hackers Compromise Developer Tools
TeamPCP’s method centers on injecting malicious code directly into legitimate software packages.
By modifying components and dependencies inside popular tools like Trivy, KICS, LiteLLM, and the Telnyx Python SDK, the group pushed trojanized updates that looked normal to developers downloading them.
These tools are deeply embedded in enterprise continuous integration and continuous delivery pipelines, making them an ideal entry point.
A single compromised update can quietly ride along into thousands of downstream systems before anyone notices anything wrong.
Once installed, the tainted packages secretly deployed credential-stealing malware and backdoors, giving TeamPCP persistent footholds inside developer environments.
From there, attackers could pivot deeper into cloud infrastructure and steal more sensitive material over time.
Malware Families Behind the Campaign
TeamPCP relies on a handful of custom tools to carry out its attacks. CanisterWorm is built to harvest cloud access tokens and API keys tied to services like AWS, Google Cloud, and Microsoft Azure, giving attackers a direct line into cloud accounts.
SANDCLOCK works alongside it, pulling AWS credentials, Kubernetes ServiceAccount tokens, local environment variables, and even cryptocurrency wallet data from infected systems.
Together these tools give TeamPCP a wide net for collecting secrets. The group also uses Mini Shai-Hulud, a self-replicating worm that spreads across the npm and PyPI open source ecosystems on its own.
A closely related variant called Miasma follows the same approach while also poisoning configuration files and harvesting credentials as it moves.
The FBI is asking any organization that suspects it has been hit by TeamPCP to report the incident to a local FBI field office or the Internet Crime Complaint Center. Investigators want details like affected package names, CI/CD pipeline logs, network logs, and any extortion messages received.
On the defensive side, the bureau recommends pinning GitHub Actions workflows to verified commit hashes instead of floating tags, and rotating every CI/CD secret and cloud credential that may have been exposed.
Teams should also search their GitHub organizations for repositories named tpcp-docs or docs-tpcp, since these are created by the worm using stolen credentials.
Other suggested steps include enforcing least privilege on CI/CD service accounts, requiring phishing-resistant multi-factor authentication for repository access, and setting a minimum age threshold before new packages can be installed.
Keeping offline, immutable backups of critical repositories rounds out the FBI’s guidance for reducing both the likelihood and impact of a TeamPCP compromise.
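The pinning and repository-name checks recommended above can be scripted. The following is an added example, not code from the FBI advisory or this article; the sample workflow, the `example-org` actions, the 40-character hash and the `acme` repository names are constructed for illustration.

```python
import re

# Captures the reference in a workflow "uses:" line, e.g. owner/repo/path@ref
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Repository names the guidance says the worm creates with stolen credentials
WORM_REPO_NAMES = {"tpcp-docs", "docs-tpcp"}

# Constructed sample workflow (not taken from any real project)
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/scanner-action@0123456789abcdef0123456789abcdef01234567  # v1.2.3
      - uses: example-org/other-action@main
      - uses: ./.github/actions/local
"""

def unpinned_actions(workflow_text):
    """Return 'uses:' references that are not pinned to a full commit SHA."""
    findings = []
    for ref in USES_RE.findall(workflow_text):
        # Local actions live in the repo itself; docker:// images are pinned
        # by digest rather than commit SHA, so both are out of scope here.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _, _, version = ref.partition("@")
        if not FULL_SHA_RE.match(version.lower()):
            findings.append(ref)  # floating tag, branch, or missing ref
    return findings

def suspicious_repos(repo_full_names):
    """Return 'org/name' entries whose repository name matches the worm's names."""
    return [full for full in repo_full_names
            if full.rsplit("/", 1)[-1].lower() in WORM_REPO_NAMES]

if __name__ == "__main__":
    for ref in unpinned_actions(SAMPLE_WORKFLOW):
        print("not pinned to a commit SHA:", ref)
    # Constructed repository listing, e.g. exported from an organization inventory
    repos = ["acme/website", "acme/tpcp-docs", "acme/Docs-TPCP"]
    for name in suspicious_repos(repos):
        print("review repository:", name)
```

Run `unpinned_actions` over each file under `.github/workflows/` and feed `suspicious_repos` the organization's full repository listing, including private repositories.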
Indicators of Compromise (IoCs)
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.