Security Intelligence
Loading table of contents...
At a glance: A coordinated supply chain campaign by TeamPCP is actively compromising open-source ecosystems by leveraging stolen developer credentials to publish malicious packages. Recent incidents involving Telnyx, LiteLLM, Trivy, and KICS demonstrate how attackers can infiltrate trusted repositories and silently propagate malware into production environments via automated dependency updates. Organizations relying on unpinned packages and exposed CI/CD pipelines face heightened risk of credential theft, unauthorized access, and widespread compromise.
Threat summary
Following our previous blog on how TeamPCP used stolen credentials to compromise a Trivy security tool and gain access to downstream developer environments, the campaign has now expanded across multiple opensource ecosystems.
Their recent activity makes it clear that the Trivy compromise was only the opening phase of a broader, coordinated supply chain operation.
TeamPCP, also tracked as DeadCatx3, CanisterWorm, PCPcat, PersyPCP, and ShellForce, is a cloud‑focused cybercriminal group known for large‑scale, automated exploitation of open‑source ecosystems. Their operations rely on harvesting credentials from developer systems, continuous integration runners, and exposed cloud services, then using those credentials to poison additional repositories. Their campaigns span GitHub Actions, Docker Hub, PyPI, NPM, and other distribution channels.
The latest development occurred on March 27, 2026, when the threat actors used valid publishing credentials to push malicious Telnyx releases to the Python Package Index. The second-stage payload was hidden inside a WAV audio file, helping it evade detection. The code executed on import, and automated build systems that installed the latest version spread the malware into production environments.
This attack followed TeamPCP’s compromise of LiteLLM on March 24, 2026. Investigators concluded that the Telnyx publishing token was likely collected during that intrusion. Earlier, TeamPCP compromised Trivy and Checkmarx KICS, harvesting environment variables, shell histories, cloud credentials, and GitHub tokens from developer systems. The group then used those stolen credentials to compromise additional packages, demonstrating a multi‑ecosystem propagation strategy.
Analysis
By compromising upstream packages, TeamPCP gains access to any environment that installs updates automatically. Each intrusion yields new credentials, which the group then uses to break into more repositories and continue expanding the campaign.
TeamPCP bypassed defenses by using valid publishing credentials, making their malicious releases appear legitimate in trusted registries. Their malware executed automatically during installation or import, leaving little opportunity for detection. Automated build systems that install the latest package versions helped the compromised code spread quickly into production environments.
This campaign reflects a clear shift toward supply chain attacks aimed directly at developer ecosystems and automation infrastructure. The compromises of Trivy, KICS, LiteLLM, and Telnyx show how TeamPCP is moving across ecosystems to maximize reach with minimal effort.
For development teams, this raises the risk of credentials leaking across environments, unauthorized access to cloud resources, and lateral movement through build and deployment systems.
Altogether, it highlights the need for stronger controls around dependency updates and publishing workflows.
- Remove compromised versions of affected packages and reinstall verified releases.
- Rotate all secrets on systems where any compromised package was installed, including SSH keys, cloud credentials, and API keys.
- Enforce version pinning in CI pipelines and IaC workflows to prevent unauthorized dependency updates.
- Use scoped tokens and multi‑factor authentication for package publishing to limit the impact of credential theft.
- Monitor for unexpected outbound connections to raw IP addresses and for unauthorized binaries appearing in Startup directories or temporary folders.
- Review build systems, developer endpoints, and automation pipelines for unauthorized changes, persistence mechanisms, or unusual package installation activity.
- Use isolated build environments and restrict network access during dependency installation to reduce exposure to malicious upstream packages.
Stay on top of emerging threats like this.
Sign up to receive a weekly roundup of our security intelligence feed. You'll be the first to know of emerging attack vectors, threats, and vulnerabilities.
