What Happened

Between March 19 and March 27, 2026, a threat group operating as TeamPCP (also tracked as PCPcat and ShellForce) executed a coordinated, cascading supply chain attack across four widely trusted open-source projects. The sequence: Aqua Security’s Trivy vulnerability scanner (March 19), Checkmarx’s KICS infrastructure-as-code scanner GitHub Action (March 23), the LiteLLM AI proxy library on PyPI (March 24), and the Telnyx Python SDK on PyPI (March 27).

The attack vector in every case was the same: steal a CI/CD credential from a misconfigured GitHub Actions workflow, then use it to inject malicious code into official release artifacts before the maintainers could respond.

As of April 1, confirmed downstream victims include Cisco (300+ internal repositories exfiltrated) and AstraZeneca (data dump released publicly). Databricks is actively investigating an alleged compromise. The group has now shifted operational focus from supply chain expansion to credential monetization, having partnered with the Vect ransomware-as-a-service group to convert the harvested credential haul into ransomware deployments.

CVE-2026-33634 covers the campaign; CVSS4B score: 9.4.

The Attack Chain

Trivy (March 19). Three weeks before the main strike, a bot called hackerbot-claw exploited a misconfigured pull_request_target workflow in Trivy’s GitHub Action repositories to steal a Personal Access Token. Aqua Security detected the intrusion and rotated credentials — but the rotation was incomplete. On March 19, TeamPCP used a surviving PAT to force-push malicious commits to 76 of 77 version tags in Trivy’s GitHub Action repositories. The poisoned binaries were also pushed to Docker Hub, GHCR, and ECR. Any CI/CD pipeline that ran Trivy that day executed the “TeamPCP Cloud Stealer” alongside the normal vulnerability scan.

Affected Trivy artifacts: binary versions v0.69.4, v0.69.5, v0.69.6; aquasecurity/trivy-action and aquasecurity/setup-trivy GitHub Actions.

KICS (March 23). TeamPCP force-pushed malicious commits to all 35 version tags in the checkmarx/kics-github-action repository and poisoned version 2.3.28 of checkmarx/ast-github-action. The attack replayed the same pattern: poisoned version tags that pipeline authors pinned by label rather than immutable SHA.

Safe version: kics-github-action v2.1.20 or newer.

LiteLLM (March 24). Two PyPI releases — 1.82.7 and 1.82.8 — were published with malicious code not present in the upstream GitHub repository. Version 1.82.6 is the last known clean release.

Telnyx (March 27). PyPI versions 4.87.1 and 4.87.2 of the Telnyx Python SDK were backdoored. If either version ran in your environment, Telnyx recommends treating the host as fully compromised and rotating all credentials.

What the Malware Does

The “TeamPCP Cloud Stealer” payload targets the credentials that live in CI/CD runner environments. It dumps process memory, harvests SSH keys, cloud provider credentials (AWS, GCP, Azure), Kubernetes configuration files and service account tokens, API keys, Git credentials, shell history, and crypto wallet files. The haul is encrypted with AES-256 and RSA-4096 before exfiltration to attacker-controlled C2 infrastructure.

Total estimated credential harvest: approximately 300 GB.

Confirmed and Alleged Victims

Cisco. Attackers used stolen credentials from the Trivy compromise to breach Cisco’s internal development environment. More than 300 GitHub repositories were cloned, including source code for AI-powered Cisco products and customer code belonging to banks, business process outsourcing firms, and US government agencies.

AstraZeneca. A data dump attributed to TeamPCP was released publicly. Given AstraZeneca’s clinical research operations, the archive may contain protected health information (PHI) subject to HIPAA and GDPR. Organizations with data-sharing agreements with AstraZeneca should assess their exposure.

Databricks. As of April 1, Databricks is investigating an alleged compromise following notification from threat intelligence researchers. Databricks’ communications team stated they “thoroughly investigated this information in our internal systems and found nothing,” but the investigation is ongoing and no formal incident report has been released.

The Vect Ransomware Pivot

On approximately March 30, TeamPCP announced a partnership on BreachForums with Vect, an emerging Russian-speaking ransomware-as-a-service group operating a structured affiliate model. The announcement stated: “Together, we are ready to deploy ransomware across all affected companies that got hit by these attacks.” Vect affiliates earn 80–88% of ransom profits.

This represents a significant escalation. The supply chain phase was credential collection at scale; the ransomware phase is monetization. Analysts assess that any organization whose CI/CD pipeline executed compromised Trivy, KICS, LiteLLM, or Telnyx artifacts should now treat this as an active ransomware precursor incident, not a past credential theft.

At least one confirmed Vect ransomware deployment using TeamPCP-sourced credentials has been documented. Dual ransomware operations are reportedly underway.

Who Is Affected

If your CI/CD pipelines ran any of the following between the dates listed, assume full credential compromise:

  • aquasecurity/trivy-action or aquasecurity/setup-trivy on March 19, 2026
  • Trivy binary v0.69.4, v0.69.5, or v0.69.6 from any official distribution channel
  • checkmarx/kics-github-action (any version tag) or checkmarx/[email protected] on March 23, 2026
  • litellm==1.82.7 or litellm==1.82.8 from PyPI installed between March 24–26, 2026
  • telnyx==4.87.1 or telnyx==4.87.2 from PyPI installed between March 27–29, 2026

The blast radius is anyone using these tools in automated pipelines — which in practice means a large fraction of organizations running security scanning in CI/CD.

What to Do Right Now

Audit and rotate all credentials. Every secret that was accessible to a runner executing the above artifacts should be considered compromised. This includes: GitHub repository secrets and tokens, AWS/GCP/Azure access keys, Kubernetes service account tokens, SSH keys on the runner host, database passwords in environment variables, API keys, and Docker registry credentials.

Check your pipeline logs. Review CI/CD job logs from the compromise windows for anomalous outbound network connections, unexpected process spawns, or memory-intensive activity during what should be a static scan phase.

Update affected tools. For Trivy, upgrade to v0.69.7 or later and pull fresh images. For KICS, use kics-github-action v2.1.20 or newer. For LiteLLM, use 1.82.6 or upgrade beyond 1.82.8 once the maintainer confirms a clean release. For Telnyx, use a known-clean version and rotate all credentials.

Pin GitHub Actions by SHA. Version tags are mutable and can be moved to point at malicious commits. Pin all third-party GitHub Actions to immutable full commit SHA hashes (e.g., uses: aquasecurity/trivy-action@sha256:abc123...). Services like StepSecurity’s Harden-Runner and the actionlint tool can enforce this automatically.

Harden pull_request_target workflows. The initial PAT theft exploited a misconfigured pull_request_target workflow that allowed code from forked pull requests to access repository secrets. Audit your workflows for this pattern and follow GitHub’s documented guidance on restricting secret access in fork-triggered workflows.

Threat hunt for TeamPCP IOCs. Search logs and EDR telemetry for outbound connections to TeamPCP’s known C2 infrastructure and for the process patterns associated with the Cloud Stealer payload. Microsoft’s Security Blog published IOC lists and KQL hunting queries on March 24; the Trivy advisory at aquasec.com contains additional indicators.

Assess ransomware readiness. Given the Vect partnership, organizations whose credentials were exposed should review backup integrity, network segmentation, and incident response playbooks now — before a ransomware deployment, not after.

Sources