FBI: TeamPCP Compromised Dev Tools to Steal Cloud Credentials
11 hours ago
- #Credential Theft
- #Software Supply Chain Attack
- #FBI Alert
- FBI issued a FLASH alert about the TeamPCP criminal group on July 2, 2026, detailing its large-scale software supply chain attacks targeting developer and security tools to steal credentials.
- TeamPCP compromised tools including Trivy, KICS, LiteLLM, and Telnyx Python SDK by injecting malicious code into legitimate packages, which were then distributed through normal channels and pulled into CI/CD pipelines.
- The group deployed four malware families: CanisterWorm, SANDCLOCK, Mini Shai-Hulud, and Miasma, harvesting cloud tokens, API keys, Kubernetes secrets, and cryptocurrency data, with worms spreading autonomously across npm and PyPI registries.
- Attack methods included exploiting stale recovery email domains to hijack npm maintainer accounts, using password resets to publish malicious package versions.
- FBI warns that stolen credentials and data are permanently compromised and may be reused in future attacks, even long after the initial breach, with extortion and collaboration among threat actors.
- Recommendations include pinning GitHub Actions to verified SHA hashes, rotating CI/CD secrets, enforcing least-privilege permissions, requiring phishing-resistant MFA, and auditing npm accounts for outdated recovery emails.
- Associated indicators include four CVEs, six IP addresses, 27 file hashes, and domains like checkmarx[.]zone, with affected organizations advised to report incidents to FBI or IC3 and retain logs and evidence.