Threat Research Center High Profile Threats Malware Malware Weaponizing the Protectors: TeamPCP’s Multi-Stage Supply Chain Attack on Security Infrastructure 14 min read Related Products Advanced DNS Security Advanced URL Filtering Advanced WildFire Cloud-Delivered Security Services Cortex Cortex Cloud Cortex XDR Cortex Xpanse Cortex XSIAM Unit 42 Cloud Security Assessment Unit 42 Incident Response By: Unit 42 Published: March 31, 2026 Categories: High Profile Threats Malware Tags: CVE-2025-55182 GitHub Infostealer Python Supply chain Wiper Share Executive Summary Between late February and March 2026, threat group TeamPCP conducted a highly calculated, escalating sequence of supply chain threats. It systematically compromised widely trusted open-source security tools, including the vulnerability scanners Trivy and KICS and the popular AI gateway LiteLLM . The affected software also includes the official Python SDK of Telnyx. These ongoing supply chain attacks injected malicious infostealer payloads directly into GitHub Actions and Python Package Index (PyPI) registries. Once executed during routine automated workflows, the malware silently extracts highly sensitive data, such as: Cloud access tokens SSH keys Kubernetes secrets These attacks also establish persistent backdoors for lateral movement across clusters. The affected software includes: BerriAI LiteLLM , an open-source library used to route requests across LLM providers (its documentation states it has over 95 million monthly downloads) Aqua Security Trivy and Checkmarx KICS (Keeping Infrastructure as Code Secure), which are embedded in millions of enterprise CI/CD pipelines The widely used official Python SDK of Telnyx, a global communications platform providing programmable APIs for voice and messaging Attackers are believed by sources such as vx-underground to have already exfiltrated data from 500,000 infected machines over 300 GB of data and secrets from 500,000 machines, exposing major organizations across all business verticals to severe follow-on attacks. Unlike past supply chain attacks, this operation explicitly weaponizes security and developer infrastructure that inherently require elevated privileges. This allows attackers unimpeded access to production secrets. They then have the ability to hold compromised organizations for ransom, demanding extortion payments. The current scope of the attack is significant: Scale of impact : The actor may have exfiltrated over 300 GB of data and 500,000 credentials, including cloud tokens and Kubernetes secrets. Breadth of compromise : Beyond the primary targets, TeamPCP leveraged harvested tokens to infect 48 additional packages. It identified and published at least 16 victim organizations via public leak sites. Sophistication : The attackers introduced CanisterWorm, which includes both a decentralized command-and-control (C2) architecture and targeted wiper components. This demonstrates an evolving technique pattern focused on cloud-native operations. As of March 27, Palo Alto Networks Cortex Xpanse has identified the presence of three unique self-signed certificates associated with the three waves of operations. Palo Alto Networks customers are better protected from the threats described in this article through the following products and services: Cortex XDR and XSIAM Cortex Cloud Cortex Xpanse Cortex Agentix Threat Intel Agent Palo Alto Networks also recommends taking steps to identify vulnerable packages and harden CI/CD policies, as described in the Interim Guidance section. The Unit 42 Cloud Security Assessment is an evaluation service that reviews cloud infrastructure to identify misconfigurations and security gaps. The Unit 42 Incident Response team can also be engaged to help with a compromise or to provide a proactive assessment to lower your risk. Current Scope of the Supply Chain Attack TeamPCP (aka PCPcat, ShellForce, DeadCatx3) has conducted operations dating back to at least September 2025. The group gained notoriety in December 2025, in the wake of the massive React2Shell campaign that targeted cloud environments. That campaign exploited the React2Shell vulnerability (CVE-2025-55182), allowing the group to leverage remote code execution (RCE) within vulnerable cloud endpoints. During these operations, the group's most notable detection artifact, alongside the more well known React2Shell exploit indicators, was using the port number 666 for nearly all of its exploitation operations. The group’s trajectory has rapidly evolved. While the group initially focused on ransomware , it also has roots in cryptocurrency mining and cryptocurrency theft. The group has more recently shifted toward smash and grab supply chain compromise operations starting in mid March 2026. Recently, the group's rate of activity has increased. It’s increased posting on its Telegram channel as well as on its dark web leak site. Its more recent announcements state that the group is combining forces with CipherForce , another ransomware group, to publish information on breaches. Additionally, it was announced on BreachForums — a forum for cybercriminals to discuss hacking topics and data breaches — that the group is partnering with Vect ransomware group, as shown in Figure 1. Figure 1. Screenshot of BreachForums announcement. This partnership is likely to allow TeamPCP to concentrate on supply chain operations. As of late March, TeamPCP announced the compromise of at least 16 organizations, as shown in Figure 2. Figure 2. Screenshot of the CipherForce ransomware data leak site. Aqua Security Trivy This latest campaign started on March 19, 2026, when TeamPCP leveraged an incomplete credential rotation following a minor breach in late February within the Aqua Security Trivy GitHub repository. TeamPCP compromised the aqua-bot service account and executed an imposter commit attack. This resulted in the force-push of malicious code to 76 of 77 version tags in the aquasecurity/trivy-action repository and all tags in aquasecurity/setup-trivy . This initial wave introduced the TeamPCP primary payload, called TeamPCP cloud stealer. It performed its actions through the kamikaze.sh script, which evolved into three distinct versions: Version 1 - Monolithic Architecture : A 150-line bash script focused on environment fingerprinting and immediate credential harvesting from AWS/GCP/Azure credentials using the compromised endpoint’s instance metadata service (IMDS). It bypassed GitHub’s secret masking by reading the runner.worker process memory directly via /proc/<pid>/mem to extract plaintext tokens. Version 2 - Modular Architecture : Two hours after the first release of v1, TeamPCP replaced the first script with a slim 15-line loader script. This version used a pull method to download a second-stage payload called kube.py . This allowed the actors to update the payload without having to re-poison the GitHub tags. Version 2 also introduced a self-deletion command rm – “$0” to remove itself after execution. Version 3 - The Worm and Wiper : In this final known version, the script evolved into malware with self-replication capabilities in a campaign called CanisterWorm. We will cover CanisterWorm in more detail below . Version 3 enabled the scanning of exposed Docker APIs, port 2375 and the local subnet. It also enabled harvesting SSH keys. This operation was uniquely deceptive. For example, the malicious code ran before the legitimate Trivy scan logic could execute, while simultaneously allowing the legitimate scanner to continue operations. This allowed scanning operations to return a normal operational status, while behind the scenes, the malware was silently exfiltrating data to the typosquatted domain scan.aquasecurtiy[.]org . If the primary C2 server failed, the payload used the backup domain tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0[.]io . Additionally, using npm publishing tokens harvested during the initial Trivy wave of compromises, TeamPCP actors initiated an automated script that identified and infected 47 additional packages across the @emilgroup , @opengov and @v7 namespaces. All reports indicate that these operations took place in under 60 seconds. The infection was achieved by injecting a malicious pre-install or post-install script within the package.json file of each library. This ensured that the TeamPCP cloud stealer payload executed immediately upon a developer or continuous integration/continuous delivery (CI/CD) runner performing an npm install containing any of these poisoned npm packages. A CI/CD runner is a lightweight agent or application that executes software pipeline jobs. This wave focused heavily on a technique called software development kit (SDK)-squatting, targeting internal development kits for billing, insurance and accounting services. This maximized the likelihood of the malware landing in high-privilege corporate environments. Each infected package acted as a new telemetry node, performing environment fingerprinting and attempting to exfiltrate data from local .env files and AWS/Azure configuration directories back to the group's C2 infrastructure. This effectively turned a single vendor breach into a systemic and potentially widespread supply chain risk for any downstream consumers of these private and public SDKs. Checkmarx KICS Following the initial compromise of Aqua Security Trivy, on March 21, 2026, TeamPCP used stolen GitHub Personal Access Tokens (PATs) to target Checkmarx KICS. KICS is an open-source infrastructure-as-code (IaC) scanner. The attackers force-pushed malicious commits to all 35 version tags of the checkmarx/kics-github-action repository and poisoned version 2.3.28 of checkmarx/ast-github-action . Technically, the operation subverted the official container entrypoint setup.sh and instead injected a three-stage payload called TeamPCP cloud stealer. This payload has similar functionality to the Trivy wave payload. To avoid manual detection, the malware exfiltrated stolen data to the