FBI Warns TeamPCP Hackers Exploit Developer Tools in Supply Chain Attacks

By David Kimber, July 3, 2026

Key Takeaways

  • TeamPCP, a sophisticated threat group, is actively engaged in widespread software supply chain attacks.
  • The group targets developer and security tools like Trivy, KICS, LiteLLM, and the Telnyx Python SDK by injecting malicious code.
  • Attackers harvest critical credentials, including cloud access tokens, SSH keys, and Kubernetes secrets, enabling deep access into corporate networks.
  • Beyond data theft, TeamPCP employs extortion tactics, publishing victim names and threatening data leaks.
  • The FBI warns that compromised credentials can be resold and exploited by other criminal groups, posing a long-term threat.

FBI Warns of TeamPCP’s Developer Tool Exploitation

A surge in software supply chain attacks has put developers and security teams on alert. A cybercriminal group tracked as TeamPCP has been observed embedding malicious code in widely used development and security tools. Once a trojanized tool runs, the implanted code exfiltrates cloud credentials, SSH keys, and other secrets that grant broad access to corporate networks.

The danger of this campaign stems from its broad scope and strategic targeting. Instead of indiscriminately attacking various entities, TeamPCP focuses on tools integral to developers’ daily workflows and embedded deeply within Continuous Integration/Continuous Delivery (CI/CD) pipelines. This calculated approach leverages the inherent trust in these tools, enabling the malware to propagate across numerous downstream systems far beyond initial compromise points.

According to a report shared by the FBI with Cyber Security News (CSN), TeamPCP has executed extensive software supply chain breaches by compromising popular developer and security utilities. The bureau emphasized that the group successfully penetrated victim environments and extracted valuable data, including cloud access tokens, SSH keys, and Kubernetes secrets. This data theft facilitates further infiltration and persistent access.

TeamPCP’s activities extend beyond covert data exfiltration to overt extortion. The group has used public leak sites to name victims and to threaten release of stolen data if its demands are not met. Combining quiet credential theft with public pressure adds a second layer of risk on top of the intrusion itself.

Security teams are advised to consider any exposure resulting from this campaign as an ongoing threat rather than an isolated incident. Even after initial remediation efforts, stolen credentials can resurface months later, being leveraged by other criminal entities seeking to exploit the access originally obtained by TeamPCP.

TeamPCP’s Modus Operandi

TeamPCP’s methodology centers on injecting malicious code directly into legitimate software packages. They achieve this by modifying core components and dependencies within widely used tools such as Trivy, KICS, LiteLLM, and the Telnyx Python SDK. These trojanized updates appear legitimate to developers, allowing the malware to bypass initial scrutiny.

Because these tools are deeply integrated into enterprise CI/CD pipelines, they make highly effective entry points. A malicious release is pulled automatically by every pipeline that tracks the tool’s latest version, so a single update can reach a large number of systems before any anomaly is noticed.

Upon successful installation, these compromised packages deploy credential-stealing malware and backdoors, establishing persistent footholds within developer environments. This allows attackers to systematically penetrate deeper into cloud infrastructure and continuously steal sensitive information over extended periods.
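The practical defence against trojanized tool releases is to stop pipelines from tracking mutable references at all. The following Python script is added here as an illustration; it is not code from the article, the FBI, or any of the projects named. It audits two constructed inputs: a GitHub Actions workflow whose uses: lines reference tags instead of full commit SHAs (a tag can be moved to point at different code, a 40-character commit SHA cannot), and a requirements.txt whose entries lack an exact version pin and a --hash constraint. The action names are the real published ones for the tools mentioned; the versions, the commit SHA and the sha256 value are placeholders.

```python
import re

# A full 40-hex git commit SHA is the only immutable way to reference an action.
SHA40 = re.compile(r"^[0-9a-f]{40}$")
# Matches `uses: owner/repo@ref` (also owner/repo/subdir@ref); local and docker:// refs have no @ and are skipped.
USES = re.compile(r"^\s*-?\s*uses:\s*([\w.\-]+/[\w.\-/]+)@(\S+)", re.M)


def audit_workflow(yaml_text: str) -> list:
    """Flag every action reference that is a tag or branch rather than a commit SHA."""
    findings = []
    for action, ref in USES.findall(yaml_text):
        if not SHA40.match(ref):
            findings.append((action, ref, "mutable ref: a retargeted tag silently changes the code; pin to a full commit SHA"))
    return findings


def audit_requirements(req_text: str) -> list:
    """Flag requirements that are not pinned to an exact version with a --hash constraint."""
    findings = []
    joined = req_text.replace("\\\n", " ")            # fold backslash line continuations
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):           # blank, comment, or pip option line
            continue
        name = re.split(r"[=<>!~\[ ;]", line, 1)[0]    # package name before any specifier
        if "==" not in line:
            findings.append((name, "no exact version: any newer (possibly trojanized) release installs"))
        elif "--hash=" not in line:
            findings.append((name, "no --hash: a replaced artifact with the same version string installs"))
    return findings


# Constructed sample workflow: real action names, placeholder versions and SHA.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@0.28.0
      - uses: checkmarx/kics-github-action@v2.1.3
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
"""

# Constructed sample requirements file; the sha256 value is a placeholder.
SAMPLE_REQUIREMENTS = """\
litellm==1.50.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
telnyx>=2.0
requests==2.32.3
# trivy is a binary and is installed separately
"""

if __name__ == "__main__":
    for action, ref, why in audit_workflow(SAMPLE_WORKFLOW):
        print(f"workflow  {action}@{ref}: {why}")
    for name, why in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"requires  {name}: {why}")
```

Pinning in the file is only half of it: install with pip install --require-hashes -r requirements.txt so that pip refuses anything whose hash is missing or does not match, rather than merely recording hashes that nothing enforces.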

Malware Families Powering the Campaign

TeamPCP utilizes a specialized suite of custom malware to execute its attacks. CanisterWorm is designed to harvest cloud access tokens and API keys associated with major cloud providers like AWS, Google Cloud, and Microsoft Azure, providing a direct pathway into cloud accounts.

SANDCLOCK operates in conjunction with CanisterWorm, extracting AWS credentials, Kubernetes ServiceAccount tokens, local environment variables, and even cryptocurrency wallet data from compromised systems. This combination of tools allows TeamPCP to cast a wide net for credential harvesting.

Additionally, the group employs Mini Shai-Hulud, a self-propagating worm designed to spread across open-source ecosystems like npm and PyPI. A related variant, Miasma, employs a similar propagation strategy while also targeting configuration files and harvesting credentials during its spread.
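To know what to rotate after a compromise of this kind, it helps to see what a stealer like those described above would find on a developer workstation or CI runner. The script below is an added example written for this article, not code from TeamPCP's malware or from the FBI report. It builds a constructed home directory and Kubernetes ServiceAccount token with placeholder values, then inventories the same categories of material the text lists: AWS profiles, SSH private keys, kubeconfig, container registry and npm tokens, the ServiceAccount token's subject, and secret-looking environment variables. It records identities and locations only, never the secret values, so its output can go straight into a rotation ticket. Cryptocurrency wallet files are left out.

```python
import base64
import json
import re
import tempfile
from pathlib import Path
from typing import Optional

# Environment-variable NAMES worth treating as stolen; values are never recorded.
SECRET_ENV = re.compile(r"TOKEN|SECRET|PASSWORD|PASSWD|API_KEY|ACCESS_KEY|PRIVATE_KEY|CREDENTIAL", re.I)


def _jwt_subject(token: str) -> str:
    """Read the `sub` claim of a JWT without verifying it; only the identity it names matters here."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)              # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload)).get("sub", "?")


def collect_exposure(home: Path, environ: dict, sa_token: Optional[Path] = None) -> list:
    """Inventory credential material a stealer would sweep from `home`, `environ` and `sa_token`.
    Each finding names a kind, a location and an identity to rotate, never a secret value."""
    found = []
    aws = home / ".aws" / "credentials"
    if aws.is_file():                                  # one finding per AWS profile
        for profile in re.findall(r"^\s*\[(.+?)\]\s*$", aws.read_text(), re.M):
            found.append({"kind": "aws_profile", "where": str(aws), "id": profile})
    ssh = home / ".ssh"
    if ssh.is_dir():                                   # any file carrying a PEM private-key header
        for f in sorted(ssh.iterdir()):
            if f.is_file() and "PRIVATE KEY" in f.read_text(errors="ignore")[:200]:
                found.append({"kind": "ssh_private_key", "where": str(f), "id": f.name})
    kube = home / ".kube" / "config"
    if kube.is_file():
        m = re.search(r"^current-context:\s*(\S+)", kube.read_text(), re.M)
        found.append({"kind": "kubeconfig", "where": str(kube), "id": m.group(1) if m else "?"})
    docker = home / ".docker" / "config.json"
    if docker.is_file():                               # registry logins stored by `docker login`
        for registry in json.loads(docker.read_text()).get("auths", {}):
            found.append({"kind": "registry_login", "where": str(docker), "id": registry})
    npmrc = home / ".npmrc"
    if npmrc.is_file():                                # //host/:_authToken=... or bare _authToken=...
        for reg in re.findall(r"^(?://(\S+?)/:)?_authToken=", npmrc.read_text(), re.M):
            found.append({"kind": "npm_token", "where": str(npmrc), "id": reg or "default registry"})
    if sa_token and sa_token.is_file():                # in-cluster ServiceAccount token (a JWT)
        found.append({"kind": "k8s_serviceaccount", "where": str(sa_token),
                      "id": _jwt_subject(sa_token.read_text().strip())})
    for name, value in environ.items():
        if value and SECRET_ENV.search(name):
            found.append({"kind": "env_secret", "where": "environment", "id": name})
    return found


def build_fixture() -> tuple:
    """Constructed sample workstation layout; every secret is a non-working placeholder."""
    root = Path(tempfile.mkdtemp())
    home = root / "home"
    (home / ".aws").mkdir(parents=True)
    (home / ".aws" / "credentials").write_text(
        "[default]\naws_access_key_id = AKIAEXAMPLE000000000\naws_secret_access_key = PLACEHOLDER\n"
        "[prod-deploy]\naws_access_key_id = AKIAEXAMPLE111111111\naws_secret_access_key = PLACEHOLDER\n")
    (home / ".ssh").mkdir()
    (home / ".ssh" / "id_ed25519").write_text(
        "-----BEGIN OPENSSH PRIVATE KEY-----\nPLACEHOLDER\n-----END OPENSSH PRIVATE KEY-----\n")
    (home / ".ssh" / "id_ed25519.pub").write_text("ssh-ed25519 AAAA-PLACEHOLDER dev@example\n")
    (home / ".kube").mkdir()
    (home / ".kube" / "config").write_text("apiVersion: v1\ncurrent-context: prod-cluster\nusers:\n- name: admin\n")
    (home / ".docker").mkdir()
    (home / ".docker" / "config.json").write_text(json.dumps({"auths": {"ghcr.io": {"auth": "UExBQ0VIT0xERVI="}}}))
    (home / ".npmrc").write_text("//registry.npmjs.org/:_authToken=npm_PLACEHOLDER\n")
    sa_dir = root / "var" / "run" / "secrets" / "kubernetes.io" / "serviceaccount"
    sa_dir.mkdir(parents=True)
    claims = {"sub": "system:serviceaccount:ci:runner", "iss": "kubernetes/serviceaccount"}
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode()).rstrip(b"=").decode()
    (sa_dir / "token").write_text(f"eyJhbGciOiJub25lIn0.{payload}.")   # unsigned placeholder JWT
    return home, sa_dir / "token"


if __name__ == "__main__":
    home, sa = build_fixture()
    env = {"HOME": str(home), "GITHUB_TOKEN": "ghp_PLACEHOLDER", "PATH": "/usr/bin", "EMPTY_SECRET": ""}
    for f in collect_exposure(home, env, sa):
        print(f"{f['kind']:20} {f['id']:36} {f['where']}")
```

On a real host, call collect_exposure(Path.home(), dict(os.environ), Path("/var/run/secrets/kubernetes.io/serviceaccount/token")); the ServiceAccount path is the default mount inside a pod. Treat every line of the output as already stolen: rotate the keys, revoke the tokens and check the cloud audit logs for use of those identities from unfamiliar sources, since, as the article notes, the same credentials can resurface months later in other hands.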

What You Should Do

The FBI urges any organization suspecting a TeamPCP compromise to report the incident immediately to a local FBI field office or to the Internet Crime Complaint Center (IC3) at https://www.ic3.gov/CSA.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.


David is a penetration tester turned security journalist with expertise in mobile security, IoT vulnerabilities, and exploit development. As an OSCP-certified security professional, David brings hands-on technical experience to his reporting on vulnerabilities and security research. His articles often feature detailed technical analysis of exploits and provide actionable defense recommendations. David maintains an active presence in the security research community and has contributed to multiple open-source security tools.
