FBI says TeamPCP poisoned trusted developer tools to steal cloud credentials, spread malware through software updates, and extort victims.
On July 2, 2026, the FBI published a FLASH alert identifying the criminal group called TeamPCP and detailing how it compromised widely used developer and security tools to steal credentials from victim environments at scale. The targets weren’t end users. They were the tools developers trust every day inside their build pipelines.
TeamPCP is behind multiple supply chain attacks. In the past, the group targeted PyPI packages and npm repositories, and most recently the “Mini Shai-Hulud” campaign also caught two OpenAI employees. The pattern is consistent: go after the tools developers trust, poison the supply chain, and let the downstream damage multiply.
TeamPCP’s method was straightforward and effective: inject malicious code into legitimate software packages, push the trojanized versions through normal distribution channels, and wait for CI/CD pipelines to pull them in automatically. The modified tools installed credential-stealing malware and persistent backdoors without any visible sign that anything had changed.
“TeamPCP actors have conducted large-scale software supply chain compromises by targeting widely used developers and security tools, gaining access to victim environments and extracting sensitive data, including but not limited to cloud access tokens, SSH keys, and Kubernetes secrets,” the FBI’s FLASH states.
The confirmed list of modified tools includes Trivy, a widely used container vulnerability scanner; KICS, a static analysis tool for infrastructure-as-code; LiteLLM, a popular library for routing requests across AI model APIs; and the Telnyx Python SDK.
These aren’t niche utilities. They’re commonly integrated into enterprise CI/CD pipelines, cloud infrastructure workflows, and security scanning processes. Hitting them means hitting a large number of organizations simultaneously through a single poisoned update.
The group also deployed four distinct malware families. CanisterWorm harvested cloud access tokens, credentials, and API keys for AWS, GCP, and Azure. SANDCLOCK extracted AWS credentials, Kubernetes ServiceAccount tokens, local environment variables, and cryptocurrency wallet data. Mini Shai-Hulud was a self-replicating worm designed to spread across both npm and PyPI registries. Miasma was a variant of Mini Shai-Hulud that propagated across those same open-source registries while harvesting credentials and poisoning configuration files.
The worm component is the part that deserves particular attention. Mini Shai-Hulud and its Miasma variant didn’t just infect the initial target and stop. They spread across open-source package registries autonomously, harvesting credentials and poisoning configuration files as they went. The FBI confirmed two GitHub repository names used for exfiltration: tpcp-docs and docs-tpcp. If either of those repository names appears in your GitHub organization, the worm created it using stolen credentials.
“By weaponizing these supply chain entry points, the threat actors were able to introduce malicious code into victim environments at scale. TeamPCP has also engaged in extortion and collaboration with cyber actors from other threat actor groups, including publishing victim names on a public leak site and threatening disclosure of stolen data,” states the alert.
The FBI warns that credentials and data stolen in this campaign should be considered permanently compromised, as they could be reused by TeamPCP or affiliated threat actors in future attacks, even months or years after the initial breach.
“Organizations impacted by this campaign should treat exfiltrated data and credentials as a persistent risk, as affiliated threat actors are likely to weaponize them long after the initial compromise,” concludes the alert.
That’s not a hypothetical. It means credentials stolen in this campaign may surface in attacks months or years from now, even after the immediate incident is closed.
How did they get into npm accounts?
One technique the FBI specifically flags is worth calling out: TeamPCP exploited npm package maintainer accounts by targeting stale or expired recovery email domains. If a developer registered an npm account years ago with a work email that’s since been decommissioned, the domain may be available for registration. Whoever registers it can use the password reset flow to take over the npm account and publish malicious versions of whatever packages that maintainer owns. It’s an old technique, and it still works because nobody audits their old recovery emails.
The four CVEs associated with this campaign are CVE-2026-33634, CVE-2026-48027, CVE-2026-45321, and CVE-2025-55182. Six IP addresses appear in the indicators: 83.142.209.11, 45.148.10.212, 83.142.209.194, 83.142.209.203, 94.154.172.43, and 67.217.57.240. The indicator set also includes 27 file hashes and a set of domains including checkmarx[.]zone, models.litellm[.]cloud, git-tanstack[.]com, and recv.hackmoltrepeat[.]com, among others. The indicators in this alert are derived from Palo Alto Unit 42’s technical research into the campaign.
The FBI’s recommendations focus on the specific mechanisms TeamPCP exploited. Pin GitHub Actions workflows to verified commit SHA hashes rather than floating version tags, since floating tags can be redirected to point at malicious commits without changing the reference in your workflow file. Rotate all CI/CD secrets, publishing tokens, and cloud credentials that were accessible during the campaign’s active window. Enforce least-privilege permissions on CI/CD service accounts and scope registry publishing tokens to prevent them from being used across repositories.
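The pinning recommendation can be checked mechanically. The following is an added example, not code from the FBI alert or from any affected project: it scans workflow text for `uses:` references that are not pinned to a full 40-character commit SHA (or, for `docker://` actions, to an image digest). The workflow, the `example-org` action names and the SHA are constructed placeholders.

```python
import re

# Step-level ("- uses:") and job-level ("uses:") references, optionally quoted.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA = re.compile(r"[0-9a-f]{40}")
DIGEST = re.compile(r"sha256:[0-9a-f]{64}")

def classify(ref):
    """Return 'pinned', 'local' or 'floating' for one uses: reference."""
    if ref.startswith("./"):
        return "local"  # action stored in the same repository, no remote ref
    if ref.startswith("docker://"):
        # A container image is immutable only when referenced by digest.
        digest = ref.partition("@")[2]
        return "pinned" if DIGEST.fullmatch(digest) else "floating"
    version = ref.partition("@")[2]
    # Tags, branches and abbreviated SHAs can all be made to resolve elsewhere.
    return "pinned" if FULL_SHA.fullmatch(version) else "floating"

def audit_workflow(text):
    """Return [(line_number, reference)] for every floating reference."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and classify(m.group(1)) == "floating":
            findings.append((lineno, m.group(1)))
    return findings

# Constructed sample workflow; names and SHA are placeholders.
SAMPLE = """\
name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/scanner-action@0123456789abcdef0123456789abcdef01234567 # v1.2.3
      - uses: example-org/scanner-action@main
      - uses: ./.github/actions/build
      - uses: docker://example/tool:latest
      - uses: example-org/deploy@0123456  # abbreviated SHA
  reuse:
    uses: example-org/shared/.github/workflows/release.yml@v2
"""

if __name__ == "__main__":
    for lineno, ref in audit_workflow(SAMPLE):
        print(f"line {lineno}: not pinned to a commit SHA: {ref}")
```

Run over every file under `.github/workflows/`, a non-empty result is the list of references to replace with the commit SHA of a release you have reviewed.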
Require phishing-resistant MFA on all accounts with code repository or package registry publishing access. Enforce a minimum package age threshold of at least seven days across package installation environments, which gives the community time to detect and report malicious versions before they propagate widely. Audit npm maintainer accounts for stale or expired recovery email domains. Implement runtime behavioral monitoring on CI/CD pipeline runners to catch unexpected outbound network connections.
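The seven-day minimum package age can be enforced at resolution time from registry metadata. The following is an added example, not code from the alert: it reads the `versions` and `time` fields of an npm registry package document and picks the most recently published version that has aged past the threshold. The package `example-sdk` and its timestamps are constructed, and ordering by publish time instead of semver is a simplifying assumption.

```python
from datetime import datetime, timedelta, timezone

MIN_AGE = timedelta(days=7)  # threshold recommended in the alert

def published_at(packument, version):
    # npm "time" values are ISO 8601 UTC, e.g. 2026-06-20T10:15:00.000Z
    stamp = packument["time"][version]
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))

def pick_version(packument, now, min_age=MIN_AGE):
    """Return (version_to_install, held_back) for one package.

    held_back lists versions younger than min_age. The chosen version is the
    most recently published one that is old enough, or None if there is none.
    Iterating "versions" (not "time") skips unpublished releases and the
    "created"/"modified" bookkeeping keys.
    """
    aged, held_back = [], []
    for version in packument["versions"]:
        when = published_at(packument, version)
        (aged if now - when >= min_age else held_back).append((when, version))
    chosen = max(aged)[1] if aged else None
    return chosen, sorted(v for _, v in held_back)

# Constructed registry metadata for a hypothetical package.
PACKUMENT = {
    "name": "example-sdk",
    "dist-tags": {"latest": "2.4.1"},
    "versions": {"2.3.0": {}, "2.4.0": {}, "2.4.1": {}},
    "time": {
        "created": "2024-01-10T09:00:00.000Z",
        "modified": "2026-07-01T18:30:00.000Z",
        "2.3.0": "2026-03-02T12:00:00.000Z",
        "2.4.0": "2026-06-24T08:00:00.000Z",
        "2.4.1": "2026-07-01T18:30:00.000Z",
    },
}

if __name__ == "__main__":
    now = datetime(2026, 7, 2, tzinfo=timezone.utc)
    chosen, held = pick_version(PACKUMENT, now)
    latest = PACKUMENT["dist-tags"]["latest"]
    print(f"latest tag: {latest}, install: {chosen}, held back: {held}")
```

In the sample, the `latest` tag points at a release published hours earlier, so the resolver falls back to the previous release until the newer one has aged.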
On credential hygiene specifically: store secrets in dedicated encrypted secret managers, not in code or configuration files; prefer temporary credentials over static ones; rotate everything immediately after any suspected compromise; and scan repositories and logs for exposed secrets with automated tooling.
“TeamPCP has also engaged in extortion and collaboration with cyber actors from other threat actor groups, including publishing victim names on a public leak site and threatening disclosure of stolen data,” the FLASH concludes.
That collaboration angle means the stolen data has already been shared beyond the original group.
Organizations that believe they’ve been hit should report to their local FBI field office or to IC3 at ic3.gov, and should retain CI/CD pipeline logs, network logs, affected package names and versions, any exposed credentials, and any extortion communications they’ve received.
