TeamPCP

Executive Summary

Intelligence Cut-off Date: 12-May-2026

TeamPCP is a financially motivated cybercrime collective — first observed November 2025 and tracked by Google Threat Intelligence Group as UNC6780 — that has executed the most consequential open-source supply chain campaign of 2026, weaponizing the security tools defenders depend on (Trivy, Checkmarx KICS, LiteLLM) and cascading the compromise across five software ecosystems. The group’s signature innovations are CanisterWorm, a self-propagating npm token-resolving worm, and the first documented abuse of an Internet Computer Protocol (ICP) canister as dead-drop command-and-control. Why it matters: a single stolen Personal Access Token at Aqua Security led to 1,000+ downstream SaaS environments compromised, ~500,000 credentials harvested, ~300 GB of data exfiltrated, a confirmed European Commission breach, and Cisco source-code theft.

Overall Assessment: [Confidence: HIGH]

Identity and Attribution

TeamPCP first surfaced publicly in November 2025 and is tracked under multiple aliases that map to specific operational personas: PCPcat (first documented campaign), ShellForce (data leak publication site), DeadCatx3 (GitHub account hosting attacker tooling), CipherForce (the group’s proprietary ransomware brand), and Persy_PCP (earlier Telegram identity) [Source: SOCRadar Dark Web Profile, Rating: C2]. Google Threat Intelligence Group tracks the cluster as UNC6780 [Source: SANS ISC Update 007, Rating: B2]. The group also brands its worm tooling under the CanisterWorm / CanisterSprawl names, which double as cluster identifiers in some vendor reporting.

The group is classified as cybercrime — not state-sponsored — based on financial motivation, public-facing leak operations, partnership with the Russian-speaking Vect ransomware-as-a-service operation, and a self-description by spokesperson T00001B as “a loose-knit group of teenagers and young adults who couldn’t find paying work” [Source: SOCRadar, Rating: C2] [Single-source on the demographic claim — treat with caution]. Country of origin is unattributed [Data Gap: no public reporting establishes geographic origin with confidence]. English-language operational tradecraft is observed; the Vect partnership suggests at minimum operational reach into Russian-speaking criminal infrastructure but does not establish co-location.

Motive and Objective

TeamPCP is financially motivated, with revenue diversified across five distinct monetization streams: (1) cryptomining on compromised cloud workloads, (2) credential resale, (3) data extortion via the ShellForce leak site, (4) sale of compromised systems as proxy infrastructure to other criminal buyers, and (5) ransomware operations through the Vect RaaS partnership announcing dedicated deployment against TeamPCP-named victims [Source: Halcyon ransomware alert, Rating: C2]. The operational philosophy — explicitly stated in the group’s communications — is that every compromised host becomes simultaneously “a scanner, a proxy, a miner, a data exfiltration node, and a launchpad for further attacks” [Source: The Hacker News, Rating: C2].

The strategic objective evolved meaningfully across 2026. Through Q1, operations focused on opportunistic cloud-native compromise (Docker APIs, Kubernetes, Ray dashboards). In late February the group pivoted to targeted software supply chain attacks against trusted security tooling — a deliberate “weaponize the protector” pattern that maximizes blast radius per compromise.

Victimology

TeamPCP’s targeting has two layers. The direct victim layer comprises a small number of high-leverage software vendors whose products are deeply embedded in defender CI/CD pipelines: Aqua Security (Trivy vulnerability scanner), Checkmarx (KICS infrastructure-as-code scanner), BerriAI (LiteLLM AI gateway, ~95M monthly PyPI downloads), Telnyx (Python SDK), and as of late April, Bitwarden CLI and xinference (PyPI) [Source: Endor Labs, Rating: C2] [Source: SANS ISC Update 008, Rating: B2]. The downstream victim layer is every organization whose pipelines pulled the poisoned artifacts: at least 1,000 enterprise SaaS environments, with a confirmed European Commission breach [Source: The Next Web on Trivy/EC breach, Rating: C3] and confirmed Cisco source-code theft via the Trivy-linked compromise [Source: SANS ISC Update 007, Rating: B2].

Targeted technology stacks span the full cloud-native and CI/CD pipeline: GitHub Actions workflows, Docker Hub images, npm and PyPI packages, OpenVSX extensions, Trivy and KICS scanners, the LiteLLM AI gateway, Aqua-bot service accounts, Kubernetes secrets, Ray dashboards, Redis servers, and Docker APIs exposed to the public internet. Geographic targeting is global and opportunistic, not regionally selective. No CIS-exclusion pattern is observed, which is one of the few data points that complicates a Russian-nexus inference.

Sector Proximity Assessment:

• Global telecommunications: Direct — CI/CD pipelines and downstream package consumption are universal in telecom build environments; the Trivy/LiteLLM blast radius makes incidental exposure likely.
• Defense technology / high-tech startups: Adjacent — dual-use defense software shipped through npm/PyPI/Docker is in the blast radius, but no direct DIB targeting observed.
• Venture capital / investment: Adjacent — portfolio exposure flows through whichever portfolio companies pulled poisoned artifacts; not a direct target.
• Government / think tanks: Direct — European Commission breach is confirmed; CISA KEV deadline (08-Apr-2026) required FCEB remediation; standalone US joint advisory remains absent [Data Gap].
• Higher education / research institutions: Low — no observed targeting of academic networks; incidental exposure only via shared package ecosystems.

Capability Assessment

Rating: High [Confidence: HIGH]

The “high” rating reflects sophistication unusual for a cybercrime actor of this stated demographic, not nation-state parity. Supporting evidence: (1) First documented abuse of decentralized blockchain infrastructure for C2 — TeamPCP used an Internet Computer Protocol canister as a dead-drop, a primitive previously theoretical and now operationalized [Source: The Hacker News, Rating: C2] [Source: Wiz Cloud Threat Landscape, Rating: C2]. (2) Multi-ecosystem coordinated cascade — the March 19–25 operation hit GitHub Actions, Docker Hub, npm, PyPI, and OpenVSX in a sequenced chain where credentials from one stage funded the next [Source: SANS Institute, Rating: B2]. (3) Novel Python persistence via .pth files — version 1.82.8 of poisoned LiteLLM dropped a litellm_init.pth that Python auto-loads at interpreter startup, executing malware on every Python process regardless of whether LiteLLM was imported [Source: Cato Networks, Rating: C2] [Source: Microsoft Security Blog, Rating: B2]. (4) Self-propagating worm tooling — CanisterWorm resolves stolen npm token owners, enumerates packages they can publish to, bumps versions, and ships malicious updates automatically, infecting 28+ packages in under a minute on Day 2 of the campaign [Source: SANS Institute, Rating: B2]. (5) Operational patience — the 26-day pause between the late-March cascade and the late-April Bitwarden CLI / xinference / CanisterSprawl wave suggests deliberate sequencing rather than opportunistic spam [Source: SANS ISC Update 008, Rating: B2].

What the capability is not: there are no confirmed zero-day exploits in the TeamPCP toolkit. Initial access has consistently been misconfiguration exploitation (the Aqua pull_request_target workflow), stolen credentials (Aqua-bot PAT), and N-day vulnerability exploitation. CVE-2026-33634 (CVSS 9.4) was assigned to the Trivy attack vector for KEV tracking purposes [Source: Help Net Security on CVE-2026-33634, Rating: C2]; it documents the attack technique, not a pre-disclosure zero-day.

Modus Operandi

Key Campaigns

• Cloud-Native Worm Wave (Dec 2025) — Mass exploitation of exposed Docker APIs, Kubernetes clusters, Ray dashboards, Redis servers, and the React2Shell vulnerability. Built initial proxy/scanning infrastructure that fed later operations [Source: Flare, Rating: C3].
• Aqua-bot PAT Compromise (27-Feb-2026) — Exploited a misconfigured pull_request_target GitHub Actions workflow at Aqua Security to steal a Personal Access Token belonging to the aqua-bot service account. Aqua detected and attempted rotation; rotation was incomplete, leaving residual access [Source: GitGuardian, Rating: C2].
• Trivy / KICS / LiteLLM Cascade (19–24 Mar 2026) — Sequential supply chain compromise: Trivy GitHub Actions and Docker images (19 Mar) → CanisterWorm npm cascade across 28+ packages (20 Mar) → Checkmarx KICS GitHub Actions repos (23 Mar) → LiteLLM PyPI packages 1.82.7 and 1.82.8 (24 Mar). Each stage’s harvested CI/CD secrets enabled the next [Source: Arctic Wolf, Rating: B2] [Source: Unit 42, Rating: B2] [Source: Kaspersky, Rating: B2].
• Cisco Source-Code Theft Disclosure (11-Apr-2026) — Cisco source code stolen via Trivy-linked breach disclosed; Google GTIG formally attributes cluster as UNC6780 [Source: SANS ISC Update 007, Rating: B2].
• Late-April Resumption (~27-Apr-2026) — 26-day pause ends with three concurrent compromises: Checkmarx KICS (second wave), Bitwarden CLI cascade, xinference PyPI. CanisterSprawl npm worm identified as a CanisterWorm successor [Source: SANS ISC Update 008, Rating: B2].

MITRE ATT&CK TTPs

Phase	Technique ID	Technique Name	Notes
Initial Access	T1195.002	Supply Chain Compromise: Software Supply Chain	Defining technique — Trivy, KICS, LiteLLM, Bitwarden CLI
Initial Access	T1190	Exploit Public-Facing Application	Misconfigured pull_request_target workflows; Docker API exposure
Initial Access	T1133	External Remote Services	Exposed Kubernetes control planes, Ray dashboards, Redis
Initial Access	T1078.004	Valid Accounts: Cloud Accounts	Stolen Aqua-bot PAT post-incomplete-rotation
Execution	T1059.006	Command and Scripting Interpreter: Python	LiteLLM PyPI payloads
Persistence	T1546	Event Triggered Execution	litellm_init.pth auto-load on Python startup
Persistence	T1053.003	Scheduled Task/Job: Cron	Linux/Unix recurring execution on compromised hosts
Credential Access	T1552.001	Unsecured Credentials: Credentials in Files	Harvested SSH keys, cloud tokens, K8s secrets from CI runners
Discovery	T1526	Cloud Service Discovery	Enumeration of cloud accounts post-token theft
Command and Control	T1102	Web Service	ICP canister dead-drop C2 — first documented use
Exfiltration	T1567	Exfiltration Over Web Service	~300 GB exfiltrated via attacker-controlled endpoints
Impact	T1496	Resource Hijacking	Cryptomining across compromised cloud workloads
Impact	T1486	Data Encrypted for Impact	Ransomware deployment via Vect RaaS partnership
Impact	T1657	Financial Theft	Extortion via ShellForce leak site

Tools and Malware

• CanisterWorm — Self-propagating npm worm. Resolves stolen publish-token owners, enumerates eligible packages, bumps versions, pushes malicious updates. Used 19–20 Mar 2026.
• CanisterSprawl — Identified late April 2026 as the npm worm successor; broader package targeting [Source: SANS ISC Update 008, Rating: B2].
• Custom credential stealers — Harvest SSH keys, cloud access tokens, Kubernetes secrets, database credentials, environment variables, cryptocurrency wallets from CI/CD runner memory and disk.
• Commodity cryptominers — Deployed for sustained revenue on compromised cloud workloads. No publicly named family.
• Vect ransomware — Not TeamPCP-developed; deployed via formal Vect Group partnership against TeamPCP-credentialed targets.

Infrastructure Patterns

• C2: Internet Computer Protocol (ICP) canister as dead-drop — the defining infrastructure innovation. Decentralized, blockchain-backed, resistant to conventional takedown.
• Delivery surface: Legitimate package and CI/CD ecosystems (GitHub Actions, Docker Hub, npm, PyPI, OpenVSX) — TeamPCP rarely operates its own hosting; it operates inside trusted distribution channels.
• Access maintenance: Stolen Personal Access Tokens and service-account credentials; partial credential rotations consistently fail to evict.
• Leak operations: ShellForce branded data leak site.
• Negotiation channels: Telegram (historical Persy_PCP), spokesperson handle T00001B.

Activity Timeline

Date	Event	Source	Rating
2025-11	Group first observed publicly	SOCRadar	C2
2025-12	Mass cloud-native worm wave (Docker, K8s, Ray, Redis)	Flare	C3
2026-02-27	Aqua-bot PAT stolen via pull_request_target misconfig	GitGuardian	C2
2026-03-19	Trivy GitHub Actions and Docker images poisoned	Microsoft Security	B2
2026-03-20	CanisterWorm cascades across 28+ npm packages	SANS Institute	B2
2026-03-23	Checkmarx KICS GitHub Actions repos compromised	Arctic Wolf	B2
2026-03-24	LiteLLM PyPI packages 1.82.7 / 1.82.8 published with backdoor	Cato Networks	C2
2026-03-27	CISA flags CVE-2026-33634 in KEV; Singapore CSA AD-2026-001 issued	Help Net Security	C2
2026-04-08	CISA KEV remediation deadline for CVE-2026-33634	SANS ISC	B2
2026-04-11	Cisco source-code theft disclosed; GTIG attributes cluster as UNC6780	SANS ISC Update 007	B2
2026-04-27	26-day pause ends — Bitwarden CLI, xinference PyPI, CanisterSprawl identified	SANS ISC Update 008	B2

Forecast, Implications, and Recommendations

What Next (Forecast)

Continued “weaponize the protector” targeting [Confidence: HIGH]. The pattern is now established and demonstrably effective. Likely next-target classes within 60–90 days: additional vulnerability scanners (e.g., Grype, Snyk CLI, OSV-Scanner), SBOM tooling (Syft, CycloneDX implementations), CI/CD orchestration extensions (GitHub Actions marketplace, Jenkins plugins), and AI infrastructure proxies (LangChain ecosystem). The blast-radius math favors security and dev-tooling vendors over end-user enterprises.

Decentralized C2 proliferation [Confidence: MODERATE]. The ICP canister proof-of-concept will be copied. Expect IPFS, Arweave, and Solana-program-based dead-drops to appear in other actors’ tooling within 90–180 days. Forecast revised if ICP itself implements abuse mitigations.

Deepening Vect RaaS coupling [Confidence: MODERATE]. The credential troves harvested in Q1 will feed ransomware deployment through Q2-Q3. Expect named Vect victims to correlate with organizations whose CI/CD credentials appear in the TeamPCP haul.

Conditions that would change the forecast: US joint government advisory + indictments (would degrade leak-site operations); successful ICP-side mitigation of canister abuse (would force C2 rework); arrest or doxxing of T00001B persona (would fragment the group).

So What (Implications)

Trust-chain risk is now operational, not theoretical. Defenders’ own scanners — the tools assumed to be safe by design — are plausible delivery vectors. Security and compliance teams that ran Trivy in trusted CI pipelines through March were the attack surface, not the defense.

CI/CD pipelines are crown jewels with weak crown-jewel controls. A single stolen PAT at one vendor cascaded into 1,000+ SaaS environments, ~500,000 credentials, and ~300 GB of exfiltration. Pipeline credentials are typically scoped permissively, rotated infrequently, and audited rarely. The Aqua-bot incomplete-rotation is the canary: partial rotation = full residual access.

The detection lag favors the attacker by weeks. Trivy compromise (19 Mar) → CISA KEV entry (27 Mar) → KEV deadline (08 Apr) = a 20-day window where federal agencies were nominally exposed and the broader enterprise market was running blind.

Now What (Recommendations)

1. Pin and verify CI/CD scanner dependencies to known-good SHAs — Lock Trivy, KICS, LiteLLM, Bitwarden CLI, and equivalents to specific Git commit SHAs or signed releases predating 2026-02-27. Enforce package-version pinning across npm, PyPI, and Docker pulls in CI workflows. Reject floating tags (latest, main) in pipeline definitions.
2. Hunt T1552.001 and T1546 footprints inside pipeline runners — Inspect CI runner images and ephemeral environments for unexpected Python .pth files (especially litellm_init.pth and similar auto-load primitives). Alert on outbound traffic from CI runners to non-allowlisted endpoints, including any traffic toward ICP canister gateways (*.ic0.app, *.raw.ic0.app).
3. Conduct a full Personal Access Token audit and rotation drill — Inventory every service-account token in source control, CI/CD secrets stores, and developer workstations. Revoke and reissue any token used by automation that touched the package ecosystems above between Jan and April 2026. Treat partial rotation as failed rotation. Specifically audit GitHub Actions workflows using pull_request_target — that trigger grants write access to the target repository’s secrets.
4. Apply CVE-2026-33634 remediation and enable scanner provenance verification — Patch per CISA KEV guidance regardless of FCEB status. Where supported, enable cryptographic signature verification on scanner binaries (Sigstore / cosign) and refuse unsigned updates.
5. Brief stakeholders on supply-chain blast-radius math — Translate the Trivy/LiteLLM math (one PAT → 1,000+ environments → 500k credentials) into board-level language. Use the incident to fund (a) pipeline credential lifecycle hygiene, (b) signed-artifact enforcement, and (c) outbound-traffic egress controls from CI runners. The capability gap that lets this campaign work is structural, not technological.

Technical Evidence

Type	Value	First Seen	Last Seen	Confidence
CVE	CVE-2026-33634	2026-03-27	2026-05-12	HIGH
Package	LiteLLM (PyPI) v1.82.7	2026-03-24	2026-03-24	HIGH
Package	LiteLLM (PyPI) v1.82.8	2026-03-24	2026-03-24	HIGH
File	litellm_init.pth (Python auto-load persistence)	2026-03-24	2026-05-12	HIGH
Repo	ast-github-action (Checkmarx)	2026-03-23	2026-03-23	HIGH
Repo	kics-github-action (Checkmarx)	2026-03-23	2026-03-23	HIGH
Persona	T00001B (group spokesperson)	2025-11	2026-05	MODERATE
Persona	ShellForce (data leak site brand)	2025-11	2026-05	MODERATE
C2 Pattern	ICP canister dead-drop	2026-03	2026-05	HIGH

[Data Gap: Specific ICP canister IDs, IP indicators, and full IOC sets have not been consolidated in a single public publication at time of cut-off. Defenders should rely on vendor-specific IOC packs from Microsoft, Unit 42, and Arctic Wolf for current values.]

References

1. CISA / Help Net Security — CVE-2026-33634 exploitation alert (Mar 2026). https://www.helpnetsecurity.com/2026/03/27/cve-2026-33017-cve-2026-33634-exploited/ . Rating: A2
2. Microsoft Security Blog — Guidance for detecting, investigating, and defending against the Trivy supply chain compromise (24-Mar-2026). https://www.microsoft.com/en-us/security/blog/2026/03/24/detecting-investigating-defending-against-trivy-supply-chain-compromise/ . Rating: B2
3. Unit 42 (Palo Alto Networks) — Weaponizing the Protectors: TeamPCP’s Multi-Stage Supply Chain Attack on Security Infrastructure. https://unit42.paloaltonetworks.com/teampcp-supply-chain-attacks/ . Rating: B2
4. SANS Institute — When the Security Scanner Became the Weapon: Inside the TeamPCP Supply Chain Campaign. https://www.sans.org/blog/when-security-scanner-became-weapon-inside-teampcp-supply-chain-campaign . Rating: B2
5. SANS ISC — Update 007: Cisco Source Code Stolen via Trivy-Linked Breach, GTIG Tracks TeamPCP as UNC6780. https://isc.sans.edu/diary/TeamPCP+Supply+Chain+Campaign+Update+007+Cisco+Source+Code+Stolen+via+TrivyLinked+Breach+Google+GTIG+Tracks+TeamPCP+as+UNC6780+and+CISA+KEV+Deadline+Arrives+with+No+Standalone+Advisory/32880 . Rating: B2
6. SANS ISC — Update 008: 26-Day Pause Ends with Checkmarx KICS, Bitwarden CLI Cascade, xinference PyPI, CanisterSprawl npm Worm. https://isc.sans.edu/diary/TeamPCP+Supply+Chain+Campaign+Update+008+26Day+Pause+Ends+with+Three+Concurrent+Compromises+Checkmarx+KICS+Bitwarden+CLI+Cascade+xinference+PyPI+CanisterSprawl+npm+Worm+Identified+and+Tier+1+Coverage+Returns/32926 . Rating: B2
7. Arctic Wolf — TeamPCP Supply Chain Attack Campaign Targets Trivy, Checkmarx (KICS), and LiteLLM. https://arcticwolf.com/resources/blog/teampcp-supply-chain-attack-campaign-targets-trivy-checkmarx-kics-and-litellm-potential-downstream-impact-to-additional-projects/ . Rating: B2
8. Kaspersky — Trojanization of Trivy, Checkmarx, and LiteLLM solutions. https://www.kaspersky.com/blog/critical-supply-chain-attack-trivy-litellm-checkmarx-teampcp/55510/ . Rating: B2
9. Cato Networks — TeamPCP: Supply Chain Attack Targets Trivy, KICS GitHub Action, and LiteLLM. https://www.catonetworks.com/blog/teampcp-supply-chain-attack/ . Rating: C2
10. Endor Labs — TeamPCP Isn’t Done: LiteLLM’s 95 Million Monthly Downloads Hit. https://www.endorlabs.com/learn/teampcp-isnt-done . Rating: C2
11. GitGuardian — Trivy’s March Supply Chain Attack Shows Where Secret Exposure Hurts Most. https://blog.gitguardian.com/trivys-march-supply-chain-attack-shows-where-secret-exposure-hurts-most/ . Rating: C2
12. Halcyon — Trivy Supply Chain Compromise Enters Extortion Phase as Vect Ransomware Publishes First Victim. https://www.halcyon.ai/ransomware-alerts/trivy-supply-chain-compromise-enters-extortion-phase-as-vect-ransomware-publishes-first-victim . Rating: C2
13. SOCRadar — Dark Web Profile: TeamPCP. https://socradar.io/blog/dark-web-profile-teampcp/ . Rating: C2
14. Cyble — TeamPCP Threat Actor Profile. https://cyble.com/threat-actor-profiles/teampcp/ . Rating: C3
15. Flare — Threat Alert: TeamPCP, An Emerging Force in the Cloud Native and Ransomware Landscape. https://flare.io/learn/resources/blog/teampcp-cloud-native-ransomware . Rating: C3
16. The Hacker News — TeamPCP Worm Exploits Cloud Infrastructure to Build Criminal Infrastructure (Feb 2026). https://thehackernews.com/2026/02/teampcp-worm-exploits-cloud.html . Rating: C2
17. Malpedia (Fraunhofer FKIE) — TeamPCP actor entry. https://malpedia.caad.fkie.fraunhofer.de/actor/teampcp . Rating: B2
18. Dark Reading — TeamPCP Turns Cloud Infrastructure Into Crime Bots. https://www.darkreading.com/cloud-security/teampcp-cloud-infrastructure-crime-bots . Rating: C2
19. The Next Web — European Commission breached after hackers poisoned open-source security tool Trivy. https://thenextweb.com/news/european-commission-breach-trivy-supply-chain . Rating: C3
20. Wiz Cloud Threat Landscape — TeamPCP. https://threats.wiz.io/all-actors/teampcp . Rating: C2