TeamPCP is a cloud-focused threat group that has been active since at least late 2025 and specializes in software supply-chain attacks against widely used open-source security tools and developer infrastructure. Its operations show strong technical knowledge of CI/CD pipelines, container platforms, and distributed cloud environments. Before shifting to supply-chain attacks, TeamPCP carried out a large worm-based campaign in December 2025, scanning for exposed Docker APIs, Kubernetes clusters, Redis servers, and Ray dashboards and compromising more than 60,000 servers worldwide, most hosted on Microsoft Azure and Amazon Web Services. The compromised infrastructure was used for proxy networks, scanning operations, cryptomining, ransomware, and data extortion. In March 2026, the group launched a new campaign that began with a single improperly rotated credential and quickly spread across multiple developer platforms, including GitHub Actions, Docker Hub, npm, OpenVSX, and PyPI. The attackers exploited trust relationships between these ecosystems to move laterally and expand their reach across Docker APIs, Kubernetes clusters, and CI/CD pipelines worldwide, with a primary focus on Iran.
TeamPCP is a cloud-focused threat group that has been active since at least late 2025. The TeamPCP group focuses on software supply-chain attacks, targeting widely used open-source security tools and developer infrastructure. The TeamPCP operations show strong technical knowledge of CI/CD pipelines, container platforms, and distributed cloud environments, demonstrating sophisticated understanding of modern DevOps toolchains and software development workflows.
Before shifting to supply-chain attacks, TeamPCP carried out a large worm-based campaign in December 2025. The TeamPCP group scanned for exposed Docker APIs, Kubernetes clusters, Redis servers, and Ray dashboards, compromising more than 60,000 servers worldwide. Most of the TeamPCP-affected systems were hosted on Microsoft Azure and Amazon Web Services. The compromised infrastructure was used for proxy networks, scanning operations, cryptomining, ransomware, and data extortion, demonstrating the broad financial motivations of the TeamPCP threat actor.
In March 2026, the TeamPCP group launched a new campaign that began with a single improperly rotated credential. This initial access quickly spread across multiple developer platforms, including GitHub Actions, Docker Hub, npm, OpenVSX, and PyPI. The TeamPCP attackers exploited trust relationships between these ecosystems to move laterally and expand their reach across the software supply chain infrastructure.
One of the most significant TeamPCP incidents involved the compromise of the widely used LiteLLM Python package. Malicious versions of the package were uploaded to PyPI and included an information-stealing component designed to collect sensitive data from infected systems. The TeamPCP group also targeted other developer tools, including security scanners, by inserting credential-harvesting code into automated workflows, turning security tools into attack vectors.
The malware used in these TeamPCP attacks focused on extracting secrets directly from CI runner memory. When a compromised workflow ran, the TeamPCP malware captured GitHub personal access tokens and other credentials from active processes. If those credentials had write access to additional repositories, the TeamPCP attackers used them to inject malicious code into other projects. This created a chain reaction in which one compromised component enabled the compromise of several more across the software supply chain.
In parallel, TeamPCP deployed malicious scripts against Kubernetes environments. Systems located in certain regions, particularly Iran, were wiped, while others were infected with a backdoor that allowed long-term remote control. This selective behavior showed that the TeamPCP group was capable of tailoring attacks based on geographic or operational targets, demonstrating both destructive and espionage capabilities.
TeamPCP’s main strength is not the discovery of new vulnerabilities but the speed and automation with which it exploits existing ones. By chaining together trusted developer services across multiple ecosystems, the TeamPCP threat actors were able to move from one compromised credential to widespread supply-chain damage in less than a week. TeamPCP’s use of decentralized infrastructure for command-and-control further complicates detection and takedown efforts, making this campaign both technically advanced and difficult to contain.
A core weakness exploited in the TeamPCP attacks was reliance on mutable version tags and unverified third-party actions. TeamPCP attackers replaced legitimate tags with malicious code, which was automatically executed by downstream pipelines. All external dependencies (GitHub Actions, packages, and container images) must be pinned to immutable commit hashes or digests rather than version tags. Verification of publisher identity and code provenance should be treated as a baseline requirement rather than an optional hardening step to defend against TeamPCP-style supply-chain attacks.
TeamPCP leveraged trusted automation tools, such as Trivy and KICS, to deliver malware. This reflects a broader pattern in modern supply-chain attacks where security tools themselves become attack vectors. Organizations should minimize reliance on external actions where equivalent functionality can be implemented internally and maintain an allow-list of approved CI components. Every new dependency introduced into a pipeline should undergo code review and risk assessment before adoption to prevent TeamPCP supply chain compromise.
CI runners often operate with broad permissions and access to sensitive credentials. TeamPCP exploited this by extracting secrets directly from runner memory. Build environments should be treated as high-risk execution zones and isolated accordingly. Ephemeral runners, network egress restrictions, and least-privilege permission models reduce the blast radius if a pipeline is compromised by TeamPCP malware. Access to cloud resources from build systems should be limited to scoped, temporary identities rather than permanent credentials.
The TeamPCP campaign spread across multiple ecosystems (GitHub, npm, PyPI, and container registries) within days, demonstrating how deeply interconnected modern software supply chains are. Security reviews must extend beyond source code to include package registries, build pipelines, artifact repositories, and deployment environments. Maintaining a complete inventory of dependencies and generating a software bill of materials (SBOM) enables faster identification of affected systems when upstream compromises like TeamPCP occur.
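As an added example (not part of the original advisory), this sketch matches a CycloneDX SBOM against a list of known-bad package releases, keyed by ecosystem so that the same version string in npm and PyPI is not confused. The SBOM, the advisory entry and the version `0.0.0.dev0` are constructed placeholders, not real affected releases.

```python
import json
import re
from urllib.parse import unquote


def normalize_pypi(name: str) -> str:
    """PEP 503 normalization: 'Lite_LLM' and 'lite-llm' are the same project."""
    return re.sub(r"[-_.]+", "-", name).lower()


def component_key(component: dict):
    """Return (ecosystem, name, version) for a CycloneDX component, preferring its purl."""
    match = re.match(r"pkg:([^/]+)/(.+?)@([^?#]+)", component.get("purl", ""))
    if match:
        ecosystem = match.group(1).lower()
        name, version = unquote(match.group(2)), unquote(match.group(3))
    else:
        ecosystem = "unknown"
        name, version = component.get("name", ""), component.get("version", "")
    if ecosystem == "pypi":
        name = normalize_pypi(name)
    return ecosystem, name, version


def affected_components(sbom: dict, advisory: dict):
    """List components whose (ecosystem, name) appears in the advisory at a bad version."""
    hits = []
    for component in sbom.get("components", []):
        ecosystem, name, version = component_key(component)
        if version in advisory.get((ecosystem, name), set()):
            hits.append(f"{ecosystem}:{name}@{version}")
    return hits


# Constructed SBOM and advisory; versions are placeholders, not real affected releases.
SBOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"name": "LiteLLM", "version": "0.0.0.dev0", "purl": "pkg:pypi/LiteLLM@0.0.0.dev0"},
    {"name": "litellm", "version": "9.9.9", "purl": "pkg:pypi/litellm@9.9.9"},
    {"name": "example-lib", "version": "0.0.0.dev0", "purl": "pkg:npm/example-lib@0.0.0.dev0"}
  ]}""")
ADVISORY = {("pypi", "litellm"): {"0.0.0.dev0"}}

if __name__ == "__main__":
    print(affected_components(SBOM, ADVISORY))
```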
Initial Access:
Execution:
Persistence:
Privilege Escalation:
Defense Evasion:
Credential Access:
Discovery:
Lateral Movement:
Collection:
Command and Control:
Exfiltration:
Impact: