TeamPCP has escalated a widespread open-source supply chain campaign from the Trivy compromise to NPM, Docker Hub, OpenVSX/VS Code, and PyPI, and appears to be collaborating with Lapsus$ for monetization. The attackers used compromised tokens and mutable GitHub Actions tags to distribute information-stealing malware (including CanisterWorm) and backdoored projects such as LiteLLM, exposing secrets across CI/CD and cloud environments. #TeamPCP #LiteLLM
Keypoints
- TeamPCP targeted multiple open-source ecosystems, expanding from Trivy to NPM, Docker Hub, OpenVSX/VS Code, and PyPI.
- Compromised service account tokens and mutable GitHub Action tags were used to inject information-stealing malware into builds.
- The Trivy supply chain incident (CVE-2026-33634) impacted thousands of CI/CD workflows and enabled credential exfiltration.
- CanisterWorm used an ICP canister dead drop and a worming component to propagate across NPM packages and persist on hosts.
- LiteLLM was backdoored, leading to large-scale secret exposure and prompting immediate credential rotation and remediation actions.