FBI Warns TeamPCP Supply Chain Attacks Are Targeting Developer and Security Tools


The FBI has warned organizations about TeamPCP, a cybercriminal group behind large-scale software supply chain attacks that target trusted developer and security tools.

The bureau said in its TeamPCP FLASH alert that the group has compromised software distribution channels, pushed trojanized updates, and stolen sensitive data from victim environments.

The stolen data includes cloud access tokens, SSH keys, Kubernetes secrets, API keys, and other credentials that can give attackers access to corporate infrastructure long after the first infection.

Why TeamPCP Is a Serious Supply Chain Threat

TeamPCP's campaign is dangerous because it targets tools that developers and security teams already trust. These tools often run inside CI/CD pipelines, cloud environments, and automated security workflows.

According to Palo Alto Networks Unit 42, TeamPCP compromised widely used open-source security and development tools, including Trivy, KICS, LiteLLM, and the Telnyx Python SDK.

By poisoning these trusted tools, attackers can reach many downstream systems without attacking each company directly. A single compromised package or workflow can spread across developer machines, build systems, and cloud deployments.

| Target Area | TeamPCP Activity | Business Risk |
| --- | --- | --- |
| Developer tools | Trojanized trusted packages and dependencies. | Compromised developer machines and exposed source code workflows. |
| CI/CD pipelines | Stolen build secrets, publishing tokens, and cloud credentials. | Malicious updates can spread into production environments. |
| Cloud infrastructure | Credential theft targeting AWS, Google Cloud, and Microsoft Azure. | Attackers can pivot into cloud accounts and workloads. |
| Kubernetes environments | Harvested service account tokens and cluster data. | Attackers can move laterally inside containerized infrastructure. |
| Public leak sites | Victim names and stolen data threats. | Organizations face extortion and reputational pressure. |

FBI Says TeamPCP Uses Trojanized Updates and Backdoors

The FBI said TeamPCP injected malicious code into legitimate packages to modify software components and development dependencies. The updates looked normal, but secretly installed credential-stealing malware and persistent backdoors.

The bureau also warned that TeamPCP has moved beyond silent theft. The group has engaged in extortion, published victim names on a public leak site, and threatened to disclose stolen data.

The FBI advisory tells organizations to treat exposed credentials and stolen data as a persistent risk because affiliated threat actors may weaponize them months after the initial compromise.

LiteLLM Was One of the Major Compromised Packages

LiteLLM became one of the clearest examples of TeamPCP's reach. The open-source library routes requests across multiple AI model providers, making it widely used inside developer and AI infrastructure.

Endor Labs reported that LiteLLM versions 1.82.7 and 1.82.8 on PyPI contained malicious code that was not present in the upstream GitHub repository.

The compromised versions included a backdoored file that decoded and executed hidden payloads. Endor Labs said version 1.82.8 went further by adding a .pth file that could trigger execution during Python startup.

How the LiteLLM Attack Expanded the Blast Radius

The LiteLLM compromise shows why developer supply chain attacks can move quickly. When a package gets poisoned on a public registry, developers and automation systems can pull it before security teams notice.

Cycode said the malicious LiteLLM versions ran a three-stage attack involving credential theft, Kubernetes lateral movement, and a persistent systemd backdoor.

The same analysis said the attack scanned for environment variables, cloud credentials, AI provider keys, local Kubernetes configuration, and AWS credential files. That made the package especially risky for developer systems and CI/CD runners.

Malware Families Linked to TeamPCP

The FBI linked TeamPCP to several malware families and tools that focus on credential theft, cloud access, and self-propagation across open-source ecosystems.

  • CanisterWorm is designed to harvest cloud access tokens, API keys, credentials, and authentication material tied to AWS, Google Cloud, and Microsoft Azure.
  • SANDCLOCK steals AWS credentials, Kubernetes ServiceAccount tokens, local environment variables, and cryptocurrency wallet data.
  • Mini Shai-Hulud is a self-replicating software supply chain worm that targets npm and PyPI ecosystems.
  • Miasma is a Mini Shai-Hulud variant that spreads across open-source registries, steals credentials, and poisons configuration files.

These tools show that TeamPCP does not rely on one infection method. Its activity combines package poisoning, credential harvesting, cloud access abuse, and downstream propagation.

Trivy, KICS, Telnyx, and Other Security Tools Were Also Targeted

Security tools are valuable targets because they often run with broad access inside engineering environments. They may scan code, inspect containers, authenticate to cloud accounts, and operate inside build pipelines.

The Unit 42 report said the group affected Trivy, KICS, LiteLLM, and the official Telnyx Python SDK. These tools sit close to the systems that enterprises use to build, scan, and deploy software.

That access can turn a routine security or development process into an attacker-controlled entry point. This is why supply chain compromises often create a wider blast radius than direct attacks against one endpoint.

What Organizations Should Look For

Security teams should investigate any exposure to compromised packages, suspicious CI/CD behavior, and unexpected outbound connections from developer or build systems.

SafeBreach noted in its TeamPCP coverage that the FBI advisory includes malicious IP addresses, spoofed domains, file hashes, and attacker-created repository names.

The FBI specifically recommends searching GitHub organizations for repositories named tpcp-docs or docs-tpcp. The worm can create these repositories using stolen credentials.

| Indicator Type | Examples Mentioned in Reporting | Recommended Action |
| --- | --- | --- |
| Repository names | tpcp-docs, docs-tpcp | Search organization repositories and investigate unexpected creation events. |
| Domains | lookalike security-vendor domains and suspicious telemetry endpoints | Review DNS, proxy, and CI/CD runner logs for matches. |
| Package versions | known compromised dependency releases | Identify where affected versions were installed or cached. |
| Secrets | cloud tokens, SSH keys, registry publishing tokens | Rotate exposed credentials and revoke unused tokens. |

FBI Mitigation Advice for CI/CD Pipelines

The FBI's recommendations focus heavily on CI/CD hardening, credential hygiene, package trust, and repository controls. These steps can reduce the impact of TeamPCP-style attacks.

  • Pin GitHub Actions workflows to verified commit SHA hashes instead of floating tags or branch references.
  • Rotate CI/CD secrets, publishing tokens, and cloud credentials that may have been exposed.
  • Enforce least privilege for CI/CD service accounts and registry publishing tokens.
  • Apply token scoping to reduce cross-repository propagation.
  • Require phishing-resistant multi-factor authentication for repository and registry accounts.
  • Set a minimum package age threshold before newly published packages can be installed.
  • Maintain offline, immutable backups of critical repositories and release artifacts.

The FBI also recommends runtime behavioral monitoring for CI/CD pipelines. This can help detect unexpected outbound network connections from runner processes before a compromise spreads further.

Why Credential Rotation Is Urgent

TeamPCP's malware focuses heavily on secrets. That means cleanup cannot stop at removing a malicious package from one system.

If attackers already stole tokens, keys, or cloud credentials, those secrets can still work even after the infected package disappears. Organizations should assume exposed credentials are compromised and rotate them quickly.

Cycode's LiteLLM analysis highlighted searches for AI provider keys, cloud credentials, local Kubernetes files, and AWS credential files, which reinforces the need for broad credential review.

How Developers Can Reduce Package Risk

Developers and platform teams should review dependency update policies. Automatic updates may improve maintenance, but they can also pull malicious versions before the community identifies them.

Endor Labs identified LiteLLM 1.82.6 as the last known clean version in its analysis of the March compromise. Teams should verify exact package versions instead of relying only on package names.

Security teams should also scan package caches, container images, virtual environments, developer laptops, build logs, and artifact repositories. A poisoned dependency can persist in places that normal source-code review does not cover.
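The sweep described above can start from installed package metadata. This added example, which is not from Endor Labs or the FBI advisory, walks a directory tree for `.dist-info` folders and reports installs of the two LiteLLM versions named in this article; the directory layout in `demo()` is constructed, and wheel archives in a cache are not unpacked.

```python
import os
import re
import tempfile

# Versions the article reports (citing Endor Labs) as malicious on PyPI.
KNOWN_BAD = {"litellm": {"1.82.7", "1.82.8"}}

def normalize(name):
    """PEP 503 normalization so spelling variants of a project name compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def read_metadata(dist_info_dir):
    """Return (name, version) from <dist-info>/METADATA, or None if unreadable."""
    fields = {}
    try:
        with open(os.path.join(dist_info_dir, "METADATA"),
                  encoding="utf-8", errors="replace") as fh:
            for line in fh:
                if not line.strip():
                    break  # header block ends at the first blank line
                key, _, value = line.partition(":")
                fields.setdefault(key, value.strip())
    except OSError:
        return None
    if "Name" in fields and "Version" in fields:
        return fields["Name"], fields["Version"]
    return None

def find_bad_installs(root, known_bad=KNOWN_BAD):
    """Walk root (venv, unpacked image, home dir) for installs of known-bad versions."""
    hits = []
    for current, dirs, _files in os.walk(root):
        for entry in dirs:
            if not entry.endswith(".dist-info"):
                continue
            meta = read_metadata(os.path.join(current, entry))
            if meta and meta[1] in known_bad.get(normalize(meta[0]), ()):
                hits.append((os.path.relpath(os.path.join(current, entry), root), *meta))
    return sorted(hits)

def demo():
    """Constructed tree: one environment on 1.82.6, one on 1.82.8."""
    with tempfile.TemporaryDirectory() as root:
        for env, ver in (("venv-a", "1.82.6"), ("venv-b", "1.82.8")):
            d = os.path.join(root, env, "site-packages", f"litellm-{ver}.dist-info")
            os.makedirs(d)
            with open(os.path.join(d, "METADATA"), "w", encoding="utf-8") as fh:
                fh.write(f"Metadata-Version: 2.1\nName: litellm\nVersion: {ver}\n\n")
        return find_bad_installs(root)
```

A hit means the affected release was installed in that environment at some point, so credentials reachable from it belong in the rotation scope even if the package has since been upgraded elsewhere.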

Reporting and Incident Response

The FBI asks organizations that suspect TeamPCP activity to contact a local FBI field office or the Internet Crime Complaint Center.

Organizations should preserve affected package names, package versions, CI/CD logs, network logs, suspected credential exposure details, extortion messages, and ransom demands.

SafeBreach also emphasized that organizations should evaluate each indicator in context because some IP addresses, filenames, and other indicators may be temporary or nondeterministic.

The Bigger Lesson for Software Supply Chain Security

TeamPCP's campaign shows that developer tools now sit at the center of enterprise risk. Attackers no longer need to break into every target one by one if they can compromise the trusted tools those targets install.

Security teams should treat package registries, build scripts, GitHub Actions, cloud credentials, and developer devices as part of the same attack surface.

The strongest response combines verified dependencies, signed artifacts, scoped tokens, locked-down CI/CD runners, fast credential rotation, and continuous monitoring for suspicious build behavior.

FAQ

What is TeamPCP?

TeamPCP is a cybercriminal group that the FBI says has carried out large-scale software supply chain attacks against developer and security tools. The group steals cloud credentials, SSH keys, Kubernetes secrets, and other sensitive data.

Which tools has TeamPCP targeted?

The FBI and security researchers have linked TeamPCP activity to tools including Trivy, KICS, LiteLLM, and the Telnyx Python SDK. These tools are commonly used in development, security, and CI/CD workflows.

Why are TeamPCP attacks dangerous for CI/CD pipelines?

CI/CD pipelines often hold cloud credentials, publishing tokens, secrets, and access to deployment systems. If a trusted tool inside the pipeline gets compromised, attackers can steal credentials and spread into downstream environments.

What should organizations do after possible TeamPCP exposure?

Organizations should identify affected package versions, review CI/CD and network logs, rotate exposed secrets, search for suspicious repositories such as tpcp-docs and docs-tpcp, and report suspected intrusions to the FBI.

How can teams reduce software supply chain risk?

Teams can reduce risk by pinning GitHub Actions to commit hashes, enforcing least privilege, using scoped tokens, requiring phishing-resistant MFA, setting package age thresholds, monitoring CI/CD runners, and maintaining immutable backups.
