A supply chain attack by TeamPCP compromised trusted software tools to harvest credentials at scale, enabling payroll fraud, logistics theft, and ransomware extortion.
# Incident Report: TeamPCP Multi-Ecosystem Supply Chain Attack
## Executive Summary
In March 2026, the threat actor group TeamPCP executed a high-velocity supply chain attack by compromising trusted developer tools including LiteLLM, Checkmarx, and Aqua Security's Trivy. By injecting credential-harvesting malware into software repositories and GitHub Actions, the group cascaded through five ecosystems in five days. The incident resulted in the theft of cloud keys, AI API secrets, and over 300 GB of data, enabling downstream fraud, extortion, and ransomware attacks.
## Incident Details
- **Discovery Date:** March 2026
- **Incident Date:** February 2026 – March 2026
- **Affected Organization:** Multiple (including LiteLLM, Checkmarx, Aqua Security)
- **Sector:** Software Development, Cybersecurity, AI Services
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** Late February 2026
- **Vector:** Stolen Developer Credentials
- **Details:** TeamPCP exploited stolen GitHub credentials/tokens (likely from infostealer logs) to gain write access to Aqua Security’s Trivy infrastructure.
### Lateral Movement
- **Movement:** Exploiting the "incomplete credential rotation" that followed the Trivy breach, the attackers moved into GitHub Actions workflows. They poisoned two Checkmarx GitHub Actions and compromised the LiteLLM Python package on PyPI. From there, they moved across the Docker Hub, VS Code extension, and PyPI ecosystems within a five-day window.
### Data Exfiltration/Impact
- **Impact:** Injected malware "vacuumed up" access keys, cloud credentials, and AI API keys managed by LiteLLM. Over 300 GB of data was reportedly stolen.
### Detection & Response
- **Discovery:** Analysts observed malicious code injections and identified connections to TeamPCP-controlled "lookalike" domains.
- **Response:** Public disclosures by affected vendors (Checkmarx, Microsoft, Aqua Security); rotation of compromised tokens; security advisories issued to the developer community.
## Attack Methodology
- **Initial Access:** Exploitation of stolen valid credentials (publishing tokens/SSH keys).
- **Persistence:** Injection of malicious code into trusted software repositories and CI/CD pipelines (GitHub Actions).
- **Privilege Escalation:** Use of high-privilege repository maintainer tokens.
- **Defense Evasion:** Use of lookalike domains for C2; operating within trusted, signed software updates; exploiting incomplete incident cleanups (residual access).
- **Credential Access:** Credential-harvesting payloads targeting environment variables, secrets, and API keys.
- **Discovery:** Automated scanning of compromised environments for cloud and AI service keys.
- **Lateral Movement:** "Cascading" supply chain pivoting; using credentials from one platform to access another.
- **Collection:** Gathering cloud provider keys (AWS/Azure/GCP) and AI API secrets.
- **Exfiltration:** Encrypted data pushed to attacker-controlled lookalike domains.
- **Impact:** Ransomware extortion (300 GB data threat), payroll redirection, and logistics/freight rerouting.
## Impact Assessment
- **Financial:** High potential for loss due to payroll fraud and ransomware demands.
- **Data Breach:** Over 300 GB of internal data and over 1 million compromised developer credentials circulating.
- **Operational:** Disruption to CI/CD pipelines; forced mass credential rotations for thousands of downstream users.
- **Reputational:** Significant damage to "trusted" open-source packages and security vendors.
## Indicators of Compromise
- **Network:** Exfiltration to lookalike domains (e.g., `checkmarx-api[.]com` - *simulated defanged example*)
- **File:** Malicious GitHub Action YAML files; poisoned `litellm` Python package versions.
- **Behavioral:** Unauthorized commits to repo main branches; sudden spike in API key usage from anomalous IPs.
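
One way to hunt for the network indicator above in CI egress logs, as an added example (not code from this report or from the affected vendors): it refangs each destination, reduces it to a registrable domain, and flags domains that embed or closely misspell an allowlisted vendor name. The allowlist, the log format and the sample lines are assumptions constructed for the example.

```python
import re

# Assumption: allowlist of vendor domains this organisation's CI really contacts.
TRUSTED = {"checkmarx.com", "aquasec.com", "litellm.ai", "github.com", "pypi.org"}

# Constructed CI egress log (hypothetical format) with the page's simulated indicator.
SAMPLE_LOG = """\
job=build-42 dst=api.github.com bytes=1820
job=build-42 dst=checkmarx-api[.]com bytes=48211
job=scan-7 dst=files.pythonhosted.org bytes=90112
job=scan-7 dst=checkrnarx.com bytes=5120
"""

def registrable(host):
    """Refang, then take a naive eTLD+1; production code needs a public-suffix list."""
    host = host.strip().lower().replace("[.]", ".").rstrip(".")
    return ".".join(host.split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance, to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host):
    """Return (verdict, trusted domain being imitated or None)."""
    domain = registrable(host)
    if domain in TRUSTED:
        return ("trusted", domain)
    label = domain.split(".")[0]
    for good in sorted(TRUSTED):
        brand = good.split(".")[0]
        # Brand name embedded in another registrable domain, or (for longer
        # brands only, to limit false positives) a near-miss spelling.
        if brand in label or (len(brand) >= 7 and edit_distance(label, brand) <= 2):
            return ("lookalike", good)
    return ("unknown", None)

def scan(log_text):
    """Return (job, destination, imitated domain) for each lookalike hit."""
    hits = []
    for job, dst in re.findall(r"job=(\S+) dst=(\S+)", log_text):
        verdict, imitated = classify(dst)
        if verdict == "lookalike":
            hits.append((job, dst, imitated))
    return hits
```

Legitimate sibling domains that embed a vendor name must be added to the allowlist, otherwise the substring rule reports them as lookalikes.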
## Response Actions
- **Containment:** Removal of malicious packages from PyPI and Docker Hub; disabling compromised GitHub Actions.
- **Eradication:** Revocation of all developer tokens and service account keys associated with the affected repositories.
- **Recovery:** Restoration of known-good code versions; implementation of mandatory MFA for package maintainers.
## Lessons Learned
- **The "Residual Access" Trap:** Incomplete incident response (failing to rotate all tokens) allowed the attackers to return and expand their reach.
- **Trust as an Attack Surface:** Organizations often trust the tools meant to secure them (like Checkmarx or Trivy), creating a blind spot.
- **Identity is the Perimeter:** Traditional network security is ineffective when attackers use valid developer session tokens.
## Recommendations
- **Credential Hygiene:** Implement strict, short-lived token lifetimes and automate rotation for all CI/CD secrets.
- **Software Integrity:** Use cryptographic signing for all commits and pin dependencies to immutable versions (hashes) rather than version numbers.
- **Anomaly Detection:** Deploy AI-driven monitoring to detect unusual code commits or secret exfiltration patterns in CI/CD environments.
- **Third-Party Due Diligence:** Continuous monitoring of third-party vendors for breach indicators rather than relying on annual questionnaires.
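
The Software Integrity recommendation can be checked mechanically. The following added example (not part of the original report or any vendor's tooling) audits a GitHub Actions workflow for `uses:` references that are not pinned to a full commit SHA, and a pip requirements file for entries lacking an exact version and a `--hash` digest. The workflow, package names and digests are constructed placeholders.

```python
import re

# Constructed inputs with mixed pinning; all names and digests are placeholders.
WORKFLOW = """\
steps:
  - uses: example-org/checkout-action@0123456789abcdef0123456789abcdef01234567  # v4
  - uses: example-org/scan-action@v2
  - uses: example-org/build-action@main
  - uses: ./.github/actions/local
"""
REQUIREMENTS = """\
examplepkg==1.2.3 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
litellm>=1.0
otherpkg==4.5.6
"""

FULL_SHA = re.compile(r"[0-9a-f]{40}")
USES = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")

def unpinned_actions(workflow_text):
    """Return `uses:` references whose tag or branch can be moved to new code."""
    findings = []
    for line in workflow_text.splitlines():
        m = USES.match(line)
        if not m or m.group(1).startswith("./"):  # local actions ship with the repo
            continue
        ref = m.group(1)
        if ref.startswith("docker://"):
            pinned = "@sha256:" in ref
        else:
            pinned = bool(FULL_SHA.fullmatch(ref.partition("@")[2]))
        if not pinned:
            findings.append(ref)
    return findings

def unhashed_requirements(req_text):
    """Return package names lacking an exact `==` version or a --hash digest."""
    folded = re.sub(r"\\\n\s*", " ", req_text)  # join backslash continuations
    findings = []
    for line in folded.splitlines():
        line = line.split(" #")[0].strip()
        if not line or line.startswith(("-", "#")):
            continue
        if "==" not in line or "--hash=sha256:" not in line:
            findings.append(re.split(r"[=<>!~ \[;]", line, maxsplit=1)[0])
    return findings
```

Run as a CI gate, a non-empty result from either function fails the build before a moved tag or a republished package version can execute with access to pipeline secrets.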