Threat Intel - TeamPCP Expands OSS Compromise Campaign
Basically, a hacker group is attacking popular software platforms to steal sensitive information.
TeamPCP has launched a wide-ranging attack on open-source platforms like Docker Hub and PyPI. This campaign compromises sensitive data and credentials, affecting thousands of developers. Organizations are urged to enhance their security measures to combat these threats effectively.
The Threat
The TeamPCP hacking group has significantly broadened its campaign, moving from the Trivy supply chain incident to targeting multiple open-source platforms, including Docker Hub, VS Code, NPM, and PyPI. The attack began in late February with a compromised access token for Aqua Security's Trivy vulnerability scanner. The hackers exploited this access to push malicious code into various repositories, leading to widespread credential theft and data exfiltration. This operation has been linked to the notorious Lapsus$ gang, suggesting a collaboration aimed at monetizing these attacks.
The Trivy attack, now tracked as CVE-2026-33634, involved modifying GitHub Actions tags to introduce malware without altering the visible tag names. This stealthy approach allowed the attackers to infiltrate over 10,000 CI/CD workflows, executing malicious code that harvested sensitive data from compromised systems. The attack's sophistication highlights the need for enhanced security measures in CI/CD environments.
Who's Behind It
TeamPCP, also known by aliases like DeadCatx3 and ShellForce, has a history of exploiting vulnerabilities in popular software systems. Their previous campaigns have included worm-driven attacks targeting Docker and Kubernetes. The recent escalation into open-source software attacks marks a new chapter in their operations, revealing their capability to adapt and evolve their tactics. The collaboration with Lapsus$ emphasizes the potential for greater impact and financial gain through coordinated efforts.
As the attacks unfolded, TeamPCP's methods evolved, utilizing compromised credentials to push malware across various platforms. The group's ability to modify tags and inject malicious code into legitimate repositories underscores the vulnerabilities present in open-source ecosystems, making them attractive targets for cybercriminals.
Tactics & Techniques
The tactics employed by TeamPCP are alarming. They have demonstrated a clear understanding of the CI/CD pipeline, leveraging known vulnerabilities to compromise repositories. By using read/write access tokens, they were able to inject malware into at least 64 unique NPM packages and various VS Code plugins. The malware, dubbed CanisterWorm, not only steals credentials but also propagates itself through infected packages, creating a cycle of compromise that could affect countless users.
Moreover, the group's use of modified GitHub Actions tags to reference malware without visible changes is particularly concerning. This method allows them to operate under the radar, making detection difficult. The integration of a wiper component targeting specific geographic regions, such as Iran, indicates a willingness to escalate their operations beyond mere data theft to potentially disruptive actions.
Defensive Measures
Organizations must take immediate action to protect themselves from these evolving threats. It is crucial to implement strict credential management practices, including the rotation of access tokens and secrets. Regular audits of CI/CD environments can help identify any unauthorized changes or compromises.
Additionally, employing comprehensive repository protection measures is essential. This includes monitoring for unusual activity, such as modified tags or unexpected pull requests. Organizations should also educate their teams about the risks associated with third-party dependencies and the importance of maintaining a secure software supply chain.
As the TeamPCP campaign continues to evolve, staying informed about the latest threats and implementing robust security measures will be key to mitigating risks associated with open-source software vulnerabilities.
SecurityWeek