Hasty Briefsbeta

Bilingual

FBI: TeamPCP Compromised Dev Tools to Steal Cloud Credentials

11 hours ago
  • #Credential Theft
  • #Software Supply Chain Attack
  • #FBI Alert
  • FBI issued a FLASH alert about the TeamPCP criminal group on July 2, 2026, detailing its large-scale software supply chain attacks targeting developer and security tools to steal credentials.
  • TeamPCP compromised tools including Trivy, KICS, LiteLLM, and Telnyx Python SDK by injecting malicious code into legitimate packages, which were then distributed through normal channels and pulled into CI/CD pipelines.
  • The group deployed four malware families: CanisterWorm, SANDCLOCK, Mini Shai-Hulud, and Miasma, harvesting cloud tokens, API keys, Kubernetes secrets, and cryptocurrency data, with worms spreading autonomously across npm and PyPI registries.
  • Attack methods included exploiting stale recovery email domains to hijack npm maintainer accounts, using password resets to publish malicious package versions.
  • FBI warns that stolen credentials and data are permanently compromised and may be reused in future attacks, even long after the initial breach, with extortion and collaboration among threat actors.
  • Recommendations include pinning GitHub Actions to verified SHA hashes, rotating CI/CD secrets, enforcing least-privilege permissions, requiring phishing-resistant MFA, and auditing npm accounts for outdated recovery emails.
  • Associated indicators include four CVEs, six IP addresses, 27 file hashes, and domains like checkmarx[.]zone, with affected organizations advised to report incidents to FBI or IC3 and retain logs and evidence.