TeamPCP Supply Chain Attack on Security Tools

Attackers slipped infostealers into GitHub Actions and PyPI, turning vulnerability scanners against their users. Over 500,000 machines lost cloud tokens, SSH keys, and Kubernetes secrets in this escalating nightmare.

Diagram of TeamPCP supply chain attack infiltrating CI/CD pipelines via PyPI and GitHub

Key Takeaways

  • TeamPCP compromised security tools like Trivy and LiteLLM, stealing secrets from 500K machines.
  • CanisterWorm introduces decentralized C2, signaling advanced cloud-native threats.
  • Expect a boom in paid supply chain verification tools as open-source trust erodes.

Trivy humming in a CI/CD pipeline. Routine vuln scan. Then, silently, your cloud tokens vanish.

That’s TeamPCP’s supply chain attack in action — not some distant threat, but a calculated gut-punch hitting open-source security staples between late February and March 2026. They targeted Trivy from Aqua Security, KICS from Checkmarx, LiteLLM’s AI gateway with its whopping 95 million monthly downloads, and even Telnyx’s official Python SDK. Facts first: these aren’t fringe tools. They’re baked into millions of enterprise workflows, demanding elevated privileges by design.

Scale hits hard. Sources like vx-underground peg exfiltrated data at over 300 GB from 500,000 infected machines — credentials, secrets, the works. Attackers injected malware into GitHub Actions and PyPI, letting it ride automated builds. Once triggered, it grabs SSH keys, Kubernetes configs, cloud access tokens. Persistent backdoors follow, paving lateral moves across clusters.

Weaponizing the Watchdogs

Security tools compromised to breach security. Ironic? Sure. But smart. These packages run with god-mode access in pipelines — perfect for silent data grabs. TeamPCP didn’t stop at injection; they rolled out CanisterWorm, a nasty with decentralized C2 and wiper tricks tuned for cloud ops. Palo Alto’s Cortex Xpanse spotted three unique self-signed certs across the waves.

Here’s the kicker — and my take: this echoes the 2017 NotPetya chaos, where Ukrainian accounting software morphed into global ransomware. Back then, it crippled Maersk, Merck. Today, TeamPCP’s play predicts a ransomware boom in verified supply chains; expect “trusted” badges to become a $10B market by 2028 as devs flock to paid, audited alternatives. Open-source purity? It’s cracking under profit motives.

BerriAI LiteLLM, an open-source library used to route requests across LLM providers (its documentation states it has over 95 million monthly downloads)

That download stat isn’t hype. It’s exposure math.

TeamPCP — aliases PCPcat, ShellForce, DeadCatx3 — kicked off in September 2025. Gained steam post-React2Shell (CVE-2025-55182), exploiting RCE in cloud endpoints, loving port 666. Started with crypto mining, pivoted to ransomware, now smash-and-grab supply chains since mid-March 2026. Activity’s spiking: Telegram chatter up, dark web leaks boasting 16 named victims. Partnerships? They’re teaming with CipherForce and Vect ransomware crews, offloading grunt work to focus on chain hacks.

Breadth terrifies. From primaries, they harvested tokens to poison 48 more packages. Public dumps name orgs across sectors. Ransom demands loom — why burn when you can extort?

How Did TeamPCP Infiltrate Trusted Repos?

Step one: late Feb, minor Telnyx SDK breach — creds not fully rotated. Boom, foothold. GitHub Actions tampered next, PyPI packages laced. Multi-stage: initial loaders phone home, fetch payloads, then exfil. No big bangs — stealth rules. They rode incomplete rotations, a classic dev slip.

Sophistication shines in CanisterWorm’s cloud-native design. Decentralized C2 dodges takedowns; wipers nuke traces post-theft. Compared to SolarWinds’ Orion hack, this is nimbler, targeting dev pipes over enterprise software. Market dynamic? Security vendors like Aqua, Checkmarx see stock dips — Trivy users scrambling, alternatives like Snyk surging 15% in queries per GitHub trends.

Palo Alto pushes Cortex XDR, Cloud, Xpanse — fair, they’ve got skin in the game. But their promo reeks of opportunism amid panic. Real fix? Audit every pipeline package, enforce SBOMs, rotate creds religiously. Unit 42’s assessments sound good, but they’re pricey bandaids.

Why Your DevOps Nightmare Just Got Worse

Open-source security tools — Trivy, KICS — now vectors. Enterprises lean on ‘em for IaC scans, vuln hunts. Compromise one, own the pipeline. Data points: 95M LiteLLM pulls monthly means ubiquity. Telnyx SDK? Voice/messaging APIs in prod everywhere.

Prediction: this accelerates closed-source shifts. Remember XZ Utils backdoor scare? Multiply by 10. Budgets tilt — Gartner-like forecasts show 30% CI/CD spend on “supply chain assurance” by 2027. TeamPCP’s evolution from miners to chain pros signals nation-state lite ops, possibly Russian-tied via Vect links.

Victims? 16 leaked, but 500K machines scream iceberg. All verticals hit. Ransom pivot makes sense — secrets = leverage.

Panic? No. Act.

Steps: scan for CanisterWorm IOCs (those certs), yank suspect packages, harden Actions with OIDC. PyPI’s dupe-scan helps, but it’s reactive.
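
One way to apply the "audit every pipeline package" and "harden Actions with OIDC" steps to a workflow file, as an added example (not code from Unit 42 or any affected project): it flags actions referenced by a tag or branch rather than a full commit SHA, and long-lived cloud keys that OIDC would replace. The sample workflow, the example-org action name and the list of secret names are constructed assumptions.

```python
import re

# Matches "uses: owner/repo[/path]@ref"; local (./) and docker:// refs never match.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([\w.-]+/[\w./-]+)@([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Heuristic names for long-lived cloud credentials (assumption; extend per organisation).
STATIC_CRED_RE = re.compile(
    r"secrets\.(AWS_SECRET_ACCESS_KEY|AWS_ACCESS_KEY_ID|AZURE_CREDENTIALS|GCP_SA_KEY)")
# GitHub's permission that lets a job request a short-lived OIDC token.
OIDC_RE = re.compile(r"^\s*id-token:\s*write\b", re.M)


def audit_workflow(text):
    """Return (line_no, finding) tuples, in line order, for one workflow file's text."""
    findings = []
    oidc = "OIDC enabled" if OIDC_RE.search(text) else "no id-token: write"
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # ignore commented-out steps
        m = USES_RE.match(line)
        # A tag or branch can be re-pointed by whoever controls the action's repo;
        # a 40-hex commit SHA cannot.
        if m and not FULL_SHA_RE.match(m.group(2)):
            findings.append((no, f"mutable ref: {m.group(1)}@{m.group(2)}"))
        c = STATIC_CRED_RE.search(line)
        if c:
            findings.append((no, f"static credential: {c.group(1)} ({oidc})"))
    return findings


# Constructed sample workflow; action names and the SHA are placeholders.
SAMPLE = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/scanner-action@0123456789abcdef0123456789abcdef01234567 # v1.2.3
      - uses: example-org/scanner-action@main
      - run: ./deploy.sh
        env:
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
"""

if __name__ == "__main__":
    for no, finding in audit_workflow(SAMPLE):
        print(f"line {no}: {finding}")
```

A pinned SHA only freezes the code that was reviewed at pin time, so the pin itself still needs checking against a known-good release.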

TeamPCP’s Telegram ramps, BreachForums posts — they’re bragging, recruiting. CipherForce merger means shared intel, bigger payloads.

Is This the End of Trust in Open-Source Security?

Not yet. But close. My edge: unlike SolarWinds’ firmware hell, this is pip-install easy. Devs grab unvetted code daily. Historical parallel? Stuxnet targeted SCADA, but required USBs. TeamPCP’s PyPI/GitHub path scales infinitely cheaper.

Bold call — expect copycats in LLM chains. LiteLLM’s AI routing? Prime for next wave.

Market shakes: Aqua stock -4% post-disclosure, Checkmarx quieter. Palo Alto? Up 2%, natch.

Harden now — sig-based blocks fail against polyglot loaders; behavioral nets like XDR catch the whisper. Or pay later.



Frequently Asked Questions

What tools did TeamPCP compromise?
Trivy, KICS, LiteLLM, and Telnyx Python SDK — all via GitHub Actions and PyPI injections.

How much data did TeamPCP steal?
Over 300 GB from 500,000 machines, including cloud tokens, SSH keys, and Kubernetes secrets.

How to detect TeamPCP supply chain attacks?
Check for CanisterWorm IOCs, self-signed certs flagged by Cortex Xpanse, and audit CI/CD for anomalous exfils.

Written by Aisha Patel

Former ML engineer turned writer. Covers computer vision and robotics with a practitioner perspective.


Originally reported by Palo Alto Unit 42
