FBI Exposes TeamPCP: The Supply Chain Cyberattack That Turned Trusted Developer Tools Into Silent Weapons


A New Era of Software Supply Chain Attacks

Modern software development depends on trust. Every day, millions of developers automatically download open source libraries, security scanners, SDKs, and infrastructure tools without questioning whether those packages are safe. Continuous Integration and Continuous Deployment (CI/CD) pipelines were designed to speed up software delivery, but that same automation has become one of the most dangerous attack surfaces in cybersecurity.

On July 2, 2026, the FBI released a FLASH alert revealing the activities of a sophisticated cybercriminal group known as TeamPCP. Instead of targeting individual users, the attackers infiltrated software packages that developers and security teams rely on every day. Once these poisoned packages entered enterprise environments, they silently stole credentials, deployed persistent malware, and opened backdoors capable of compromising cloud infrastructure on a massive scale.

This campaign represents one of the clearest examples of why software supply chain security has become one of the highest priorities for organizations worldwide. Rather than attacking thousands of companies individually, TeamPCP attacked the software ecosystem itself, allowing a single compromise to spread across countless organizations automatically.

FBI Details the TeamPCP Campaign

According to the FBI, TeamPCP has spent years refining supply chain attack techniques. Previous operations involved malicious packages uploaded to both PyPI and NPM, two of the world’s largest software package repositories.

The latest campaign continued that strategy but expanded its scope dramatically.

Instead of compromising users directly, TeamPCP modified legitimate developer tools that organizations already trusted inside their CI/CD pipelines. Once developers downloaded updated versions, the malware executed silently without raising immediate suspicion.

The result was a highly scalable attack capable of reaching thousands of organizations through routine software updates.

Trusted Security Tools Became Attack Vectors

One of the most alarming aspects of the campaign is the choice of targets.

Rather than attacking obscure utilities, TeamPCP compromised several widely adopted development and security products used throughout enterprise environments.

The confirmed compromised software included:

Trivy

KICS

LiteLLM

Telnyx Python SDK

These tools are frequently integrated into automated build systems, infrastructure scanning platforms, AI development environments, and cloud deployment workflows.

When organizations trust these applications, malicious updates can enter production environments almost instantly.

Instead of bypassing security controls, attackers simply became part of the trusted software delivery process.

The Supply Chain Becomes the Battlefield

Traditional cyberattacks often focus on exploiting vulnerable servers or phishing individual employees.

Supply chain attacks operate very differently.

The attacker compromises software before it reaches the victim.

When developers install or update the affected package, they unknowingly execute malicious code that appears completely legitimate.

Because these updates originate from trusted repositories, many organizations never suspect anything unusual.

This technique allows attackers to bypass conventional perimeter defenses, antivirus solutions, and even security scanners designed to detect suspicious downloads.

Four Malware Families Powered the Operation

The FBI identified four separate malware families deployed throughout the campaign.

CanisterWorm specialized in harvesting cloud authentication tokens, API keys, and credentials from AWS, Microsoft Azure, and Google Cloud Platform.

SANDCLOCK focused on extracting Kubernetes ServiceAccount tokens, AWS credentials, environment variables, and even cryptocurrency wallet information stored locally.

Mini Shai-Hulud introduced a far more dangerous capability.

Rather than infecting one machine, it behaved like a worm, automatically spreading through both NPM and PyPI ecosystems while stealing credentials and compromising additional software packages.

Its companion malware, Miasma, expanded the infection by poisoning configuration files and continuing the automated propagation process across open-source repositories.

This autonomous behavior transformed isolated compromises into large-scale ecosystem infections.

Why Mini Shai-Hulud Is Especially Dangerous

Unlike traditional malware that infects a single organization, Mini Shai-Hulud was engineered to replicate itself.

Once inside developer environments, it harvested credentials and used those stolen accounts to publish additional malicious packages.

Each newly infected repository became another launch point for future victims.

The FBI also confirmed GitHub repositories named tpcp-docs and docs-tpcp were used for data exfiltration.

If either repository unexpectedly appears inside an

That small detail provides an important forensic indicator for incident response teams.
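A check for the two repository names, run over audit events, written as an added example (it is not from the FBI alert or the original article). The log lines are constructed, and the field names `@timestamp`, `action`, `actor` and `repo` are assumptions modeled on a JSON-lines audit export.

```python
import json
from collections import defaultdict

# Repository names the alert ties to exfiltration; compared case-insensitively.
EXFIL_REPO_NAMES = {"tpcp-docs", "docs-tpcp"}

# Constructed audit events, one JSON object per line (field names assumed).
SAMPLE_LOG = """\
{"@timestamp": 1782950400000, "action": "repo.create", "actor": "ci-bot", "repo": "example-org/build-tools"}
{"@timestamp": 1782954000000, "action": "repo.create", "actor": "dev-alice", "repo": "dev-alice/TPCP-Docs"}
{"@timestamp": 1782954060000, "action": "git.push", "actor": "dev-alice", "repo": "dev-alice/tpcp-docs"}
{"@timestamp": 1782957600000, "action": "repo.create", "actor": "release-token", "repo": "example-org/docs-tpcp.git"}
{"@timestamp": 1782957700000, "action": "repo.create", "actor": "dev-bob", "repo": "example-org/docs-tpcp-archive"}
{"@timestamp": 17829
"""


def repo_basename(full_name):
    """'Owner/Repo.git' -> 'repo', so owner and casing cannot hide a match."""
    name = full_name.rsplit("/", 1)[-1].lower()
    return name[:-4] if name.endswith(".git") else name


def exfil_hits_by_actor(log_text):
    """Map each actor to its matching (timestamp, action, repo) events, oldest first."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line: skip it, keep scanning
        if not isinstance(event, dict):
            continue
        if repo_basename(str(event.get("repo", ""))) in EXFIL_REPO_NAMES:
            hits[event.get("actor", "unknown")].append(
                (event.get("@timestamp", 0), event.get("action"), event["repo"]))
    return {actor: sorted(events) for actor, events in hits.items()}
```

Each actor in the result is an identity whose tokens were used against one of the named repositories, which gives the rotation list a starting point.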

Credentials Should Be Considered Permanently Compromised

Perhaps the

Cloud access tokens, SSH keys, Kubernetes secrets, publishing credentials, API keys, and service account tokens stolen during this campaign should never be considered safe again.

Even if attackers appear inactive today, stolen credentials may remain valuable for years.

Cybercriminal groups frequently sell stolen access on underground marketplaces, allowing unrelated threat actors to launch future attacks long after the original compromise has been resolved.

Organizations therefore cannot assume that closing one incident ends the risk.

How TeamPCP Hijacked NPM Maintainer Accounts

One of the

Many developers created NPM accounts years ago using corporate email addresses that later disappeared when companies changed domains or shut down.

If those abandoned domains become available for purchase, attackers can simply register them.

Once they control the domain, they receive password reset emails intended for the original account owner.

Without exploiting any software vulnerability, they gain complete control over legitimate NPM maintainer accounts and publish malicious package updates under trusted identities.

It is a remarkably simple attack that continues to succeed because organizations rarely audit recovery email addresses after employees leave or domains expire.

Indicators of Compromise

The FBI associated four publicly tracked vulnerabilities with this campaign:

CVE-2026-33634

CVE-2026-48027

CVE-2026-45321

CVE-2025-55182

Investigators also identified multiple malicious IP addresses, dozens of malware hashes, and several suspicious domains used throughout the operation.

These indicators originated from technical analysis performed by Palo Alto Networks Unit 42 and provide valuable resources for defenders conducting incident investigations.

Organizations should compare these indicators against historical logs, DNS activity, firewall records, cloud audit logs, and endpoint telemetry to determine whether any communication occurred during the campaign.

FBI Recommendations for Defenders

The FBI urges organizations to strengthen software supply chain security immediately.

Recommended defensive measures include:

Pin GitHub Actions workflows to verified commit SHA hashes instead of floating version tags.

Rotate every cloud credential, CI/CD secret, publishing token, and API key exposed during the campaign period.

Apply least-privilege permissions across CI/CD service accounts.

Require phishing-resistant multi-factor authentication for developers with publishing permissions.

Delay installation of newly published packages for at least seven days to allow the community to identify malicious releases.

Review all NPM maintainer accounts for outdated recovery email addresses.

Monitor CI/CD runners for unusual outbound network activity.

Store sensitive secrets inside dedicated encrypted secret management platforms rather than source code repositories.

Replace long-lived credentials with temporary authentication wherever possible.

Continuously scan repositories and logs for accidentally exposed secrets.

These recommendations address both the immediate threat posed by TeamPCP and broader weaknesses common across modern software development environments.
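The first recommendation, pinning GitHub Actions to commit SHAs, can be checked mechanically. The following is an added example, not code from the FBI alert or the original article: it scans workflow text for `uses:` references that are not pinned to a full 40-character commit SHA (or, for `docker://` references, an image digest). The workflow and every action name in it are constructed placeholders.

```python
import re

# `uses:` values in workflow YAML, with or without a leading list dash.
USES_RE = re.compile(r"^[ \t]*(?:-[ \t]*)?uses:[ \t]*['\"]?([^'\"\s#]+)", re.M)
FULL_SHA = re.compile(r"[0-9a-f]{40}")
IMAGE_DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")

# Constructed workflow file; every action name below is a placeholder.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: example-org/build-action@v4
      - uses: example-org/scanner-action@0123456789abcdef0123456789abcdef01234567 # v1.2.3
      - uses: example-org/scanner-action@main
      - uses: ./.github/actions/local-lint
      - uses: docker://registry.example.invalid/tool:latest
      - name: report
        uses: example-org/other-action@0123abc
"""


def classify(ref):
    """Return 'local', 'pinned' or 'floating' for one `uses:` value."""
    if ref.startswith("./"):
        return "local"  # action stored in the same repository
    if ref.startswith("docker://"):
        return "pinned" if IMAGE_DIGEST.search(ref) else "floating"
    _, sep, version = ref.partition("@")
    if sep and FULL_SHA.fullmatch(version):
        return "pinned"
    return "floating"  # tag, branch, abbreviated SHA, or no ref at all


def audit_workflow(text):
    """List (line_number, ref) for every reference that can change under you."""
    findings = []
    for match in USES_RE.finditer(text):
        ref = match.group(1)
        if classify(ref) == "floating":
            line_no = text.count("\n", 0, match.start(1)) + 1
            findings.append((line_no, ref))
    return findings
```

An abbreviated SHA is reported as floating on purpose: only the full 40-character form is treated as pinned.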

Extortion Added Another Layer of Risk

The FBI also disclosed that TeamPCP was not solely interested in espionage.

The group reportedly collaborated with additional cybercriminal organizations while operating public leak sites that threatened to publish stolen corporate information.

This means stolen data may already exist outside TeamPCP’s direct control.

Even if the original infrastructure disappears, affiliated groups may continue exploiting the compromised information for ransomware, extortion, credential stuffing, cloud intrusion, or future supply chain attacks.

The danger therefore extends well beyond the initial compromise.

Organizations Must Prepare for Long-Term Exposure

Companies that suspect they were affected should immediately preserve CI/CD logs, package installation histories, network telemetry, exposed credentials, and any communication related to extortion attempts.

The FBI encourages victims to report incidents through local FBI field offices or the Internet Crime Complaint Center (IC3).

Rapid reporting helps investigators correlate infrastructure, identify additional victims, and disrupt ongoing criminal operations before they expand further.

Software supply chain attacks are no longer rare incidents reserved for nation-state operations.

They have become a preferred weapon for financially motivated cybercriminal organizations capable of compromising thousands of targets with a single poisoned software update.

What Undercode Says:

The TeamPCP operation demonstrates a major shift in attacker priorities. Rather than spending months breaking into hardened enterprise networks, criminals now compromise the software ecosystem itself.

Software supply chain attacks offer extraordinary return on investment.

One successful package compromise can infect thousands of organizations automatically.

Developers have become one of the highest-value targets in cybersecurity.

Every API key stored locally becomes an opportunity.

Every forgotten GitHub token becomes an entry point.

Every CI/CD runner effectively becomes another privileged server.

The attack also highlights a dangerous assumption inside DevOps culture.

Automation is trusted.

Updates are trusted.

Repositories are trusted.

Attackers understand this psychology.

They exploit confidence rather than vulnerabilities.

Mini Shai-Hulud introduces another important lesson.

Self-propagating malware inside package registries creates exponential growth.

Each compromised maintainer account increases future infections.

Unlike ransomware, supply chain malware may remain invisible for months.

Organizations often discover these attacks only after credentials appear in unrelated breaches.

Recovery email auditing remains one of the most overlooked security practices.

Companies spend millions protecting production servers while forgotten developer accounts remain vulnerable through abandoned domains.

The recommendation to delay package installation for several days deserves serious attention.

Many organizations prioritize immediate updates.

Patience can become a security control.

Adopting packages on the day they are published dramatically increases exposure.
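One way to enforce the seven-day delay against a lockfile, written as an added example rather than anything taken from the FBI alert or the original article. The package names, versions, timestamps and the "today" value are constructed, and the metadata shape (version mapped to an ISO 8601 publish time) is an assumption about what your registry mirror exposes.

```python
from datetime import datetime, timedelta, timezone

COOLDOWN = timedelta(days=7)  # minimum package age from the recommendation

# Constructed registry metadata: package -> {version: publish timestamp}.
INDEX = {
    "example-scanner": {"1.4.0": "2026-05-01T10:00:00.000Z",
                        "1.4.1": "2026-06-29T08:30:00.000Z"},
    "example-sdk": {"2.0.0": "2026-06-20T00:00:00.000Z"},
    "example-new": {"0.1.0": "2026-07-01T00:00:00.000Z"},
}
# Constructed lockfile pins: package -> version the build would install.
LOCKED = {"example-scanner": "1.4.1", "example-sdk": "2.0.0",
          "example-new": "0.1.0", "example-missing": "3.0.0"}
NOW = datetime(2026, 7, 2, tzinfo=timezone.utc)  # constructed "today"


def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp such as 2026-06-29T08:30:00.000Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def newest_aged(versions, now):
    """Most recently published version that is at least COOLDOWN old."""
    aged = [(parse_ts(ts), v) for v, ts in versions.items()
            if now - parse_ts(ts) >= COOLDOWN]
    return max(aged)[1] if aged else None


def check_lock(locked, index, now):
    """Return (name, version, reason, fallback) for each pin to hold back."""
    held = []
    for name, version in sorted(locked.items()):
        versions = index.get(name, {})
        ts = versions.get(version)
        if ts is None:
            # No publish time on record: fail closed rather than install.
            held.append((name, version, "unknown publish time", None))
        elif now - parse_ts(ts) < COOLDOWN:
            age = (now - parse_ts(ts)).days
            held.append((name, version, f"published {age}d ago",
                         newest_aged(versions, now)))
    return held
```

A fallback of `None` means no release of that package has aged past the window yet, so the dependency should be held back entirely rather than downgraded.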

Behavioral monitoring of CI/CD runners should become standard practice.

Outbound traffic analysis frequently detects compromise before endpoint antivirus.

Secret management also requires modernization.

Long-lived credentials should disappear wherever possible.

Short-lived cloud identities significantly reduce attacker persistence.

The campaign further demonstrates how AI development tools have become attractive attack surfaces.

Libraries supporting machine learning workflows now represent high-value infrastructure.

Open source remains indispensable.

Yet trust can no longer be unconditional.

Package signing, provenance verification, reproducible builds, and Software Bills of Materials (SBOMs) will likely become mandatory rather than optional.

Organizations that continue relying solely on perimeter defenses are defending yesterday’s battlefield.

The software supply chain is now the front line.

Security teams must treat every dependency as potentially hostile until verified.

Continuous verification must replace continuous trust.

Deep Analysis

Below are useful commands for investigating Linux, Windows, and macOS systems for indicators related to supply chain compromise.

Linux

history
cat ~/.bash_history
env
printenv
find ~/.ssh -type f
ls -la ~/.kube
cat ~/.gitconfig
git config --list
systemctl list-units --type=service
journalctl -xe
ss -tunap
lsof -i
find / -name "*.pem" 2>/dev/null
find / -name "*.key" 2>/dev/null

Windows

whoami
hostname
ipconfig /all
netstat -ano
tasklist
Get-ChildItem Env:
Get-History
Get-Service
Get-Process
Get-ChildItem $HOME\.ssh
git config --list

macOS

whoami
scutil --get ComputerName
launchctl list
netstat -an
lsof -i
security find-generic-password
cat ~/.gitconfig
find ~/.ssh
log show --last 24h

GitHub Security

git log
git remote -v
git config --global --list
gh auth status
gh secret list

Kubernetes

kubectl config view
kubectl get secrets --all-namespaces
kubectl get serviceaccounts --all-namespaces
kubectl auth can-i --list

Cloud Credential Checks

aws configure list
aws sts get-caller-identity
gcloud auth list
az account show

✅ Fact: The FBI officially published a FLASH alert on July 2, 2026, identifying TeamPCP and documenting multiple software supply chain compromises. The warning specifically describes credential theft, malware deployment, and attacks against trusted developer tools.

✅ Fact: The campaign targeted widely used developer utilities including Trivy, KICS, LiteLLM, and the Telnyx Python SDK. These are legitimate tools commonly integrated into enterprise CI/CD pipelines, making the attacks especially impactful.

✅ Fact: The FBI recommends immediate credential rotation, phishing-resistant MFA, least-privilege access, package age delays, and auditing stale recovery email domains. These recommendations align with current software supply chain security best practices and reflect lessons learned from recent ecosystem attacks.

Prediction

(+1) Software repositories will increasingly require cryptographic package signing, stronger maintainer identity verification, and mandatory provenance validation before releases become publicly available.

(-1) Cybercriminal groups are likely to expand similar attacks into AI frameworks, container registries, infrastructure-as-code platforms, and cloud automation tools, making software supply chain attacks more frequent and significantly harder to detect.


References:

Reported By: securityaffairs.com