TL;DR
In a coordinated, multi-stage campaign that has sent shockwaves through the cybersecurity industry, a threat actor group known as TeamPCP (also identified as PCPcat, PersyPCP, and ShellForce) has successfully compromised several of the world’s most trusted security and development tools. By poisoning the supply chain of Aqua Security’s Trivy, Checkmarx, and the AI-utility library LiteLLM, the group has reportedly exfiltrated over 300 GB of compressed credentials, affecting an estimated 500,000+ corporate identities.
The attack didn’t just target code; it targeted the “trust infrastructure” of modern DevOps. If you used Trivy between March 19–23 or installed LiteLLM versions 1.82.7/1.82.8, your environment is likely compromised. This report breaks down the technical specifics of the malware, the timeline of the “cascading breach,” and the urgent remediation steps required for global enterprises.
THE IRONY OF THE BACKDOORED SCANNER
The ultimate nightmare for a CISO is not a vulnerability in their code, it is a vulnerability in the tool meant to find those vulnerabilities. On March 19, 2026, that nightmare became a reality.
TeamPCP, a cloud-native cybercrime operation known for its aggressive automation, executed a masterstroke of supply chain poisoning. They didn’t breach a firewall; they breached the very tools that developers trust to secure their CI/CD (Continuous Integration/Continuous Deployment) pipelines.
By injecting an infostealer into Trivy, a scanner used by millions to find vulnerabilities, the attackers effectively turned the “guard dog” into a “trojan horse.” Every time a company ran a security scan to prove their safety, they were actually shipping their most sensitive secrets such as SSH keys, AWS tokens, and Kubernetes secrets, directly to TeamPCP’s command-and-control (C2) servers.
THE ANATOMY OF THE BREACH: A STEP-BY-STEP BREAKDOWN
The Entry Point: The Trivy Poisoning (March 19)
The campaign began with a sophisticated compromise of the aquasecurity/trivy-action and aquasecurity/setup-trivy GitHub Actions.
The Vector: TeamPCP gained write access to the repository, likely through a prior, un-remediated credential theft or a “pull_request_target” exploit and performed a “force-push” on 75 of 76 version tags. The Deception: Because developers often pin their actions to version tags (e.g., @v2 or @v0.34.2), their pipelines automatically pulled the new, malicious code. To the observer, the scan output looked normal. Under the hood, a script named setup.sh was executing.
The Payload: The “TeamPCP Cloud Stealer”
The malware deployed was a multi-stage Python-based infostealer designed specifically for CI/CD environments. Its capabilities included:
- Memory Scraping: Reading
/proc/*/memfrom the GitHub Runner to extract secrets currently held in memory. - Metadata Harvesting: Querying the AWS Instance Metadata Service (IMDS) at
169.254.169.254for IAM role credentials. - Filesystem Sweeping: Searching over 50 specific paths for
.envfiles,.aws/credentials,.kube/config, and even cryptocurrency wallet keys (Solana, Ethereum). - Encryption: The data was bundled into a file named
tpcp.tar.gz, encrypted using AES-256 and an RSA-4096 public key, ensuring only the attackers could read it.
The Pivot to LiteLLM (March 24)
Using credentials stolen during the Trivy breach – specifically the PyPI tokens for a LiteLLM maintainer, TeamPCP escalated the attack. They published two malicious versions of LiteLLM (1.82.7 and 1.82.8) to the Python Package Index.
LiteLLM is the backbone of many modern AI applications, routing requests to various LLM providers. Compromising it meant gaining access to the API keys of OpenAI, Anthropic, and Google Vertex AI used by thousands of enterprises.
THE MALWARE DEEP-DIVE: HOW IT PERSISTS
The LiteLLM compromise introduced a new level of aggression. While version 1.82.7 required the library to be imported, version 1.82.8 utilized a malicious .pth file.
The .pth Vector: “Execution Without Import”
By placing a file named litellm_init.pth in the site-packages directory, the attackers exploited a feature of the Python interpreter. Python executes code inside .pth files automatically upon startup. This means any Python script run in an infected environment, even a simple python --version would trigger the background exfiltration and backdoor installation.
Persistence Mechanisms:
- Sysmon Backdoor: The malware creates a directory at
~/.config/sysmon/and dropssysmon.py. - Systemd Service: It registers a user-level service named “System Telemetry Service” (
sysmon.service). - Kubernetes Worm: If the malware detects a Kubernetes environment, it attempts to deploy privileged pods (
node-setup-*) across all nodes, mounting the host filesystem to establish a cluster-wide backdoor.
TIMELINE OF Attacks: MARCH 2026
- March 19 (17:43 UTC): Trivy GitHub Action tags are hijacked. Thousands of pipelines begin exfiltrating data.
- March 20 (20:45 UTC): CanisterWorm is detected on NPM. This self-propagating worm uses the stolen credentials from the Trivy breach to infect 50+ other packages.
- March 23: TeamPCP hits Checkmarx. Typosquatted domains like
checkmarx.zoneare used for exfiltration. - March 24 (10:39 UTC): LiteLLM 1.82.7 is published to PyPI.
- March 24 (10:52 UTC): LiteLLM 1.82.8 is published, adding the persistent
.pthbackdoor. - March 24 (14:35 UTC): PyPI quarantines the malicious LiteLLM versions.
TEAMPCP: THE ACTORS AND THE MOTIVE
Who is TeamPCP? Researchers from Socket and Endor Labs suggest the group is a “cloud-native cybercrime platform.” Their messaging on Telegram, often mocking security vendors directly, shows a blend of ideological disruption and financial greed.
“These companies were built to protect your supply chains yet they can’t even protect their own,” the group taunted in a recent post.
The International Cyber Digest reports that the group is currently extorting several multi-billion-dollar companies using the 300 GB of stolen data. There is also evidence of collaboration with other groups like Xploiters and Vect, suggesting a forming “cartel” of supply chain attackers.
HOW TO CHECK IF YOU ARE INFECTED
If you run Linux or macOS and used these tools during the window, run these commands immediately:
1. Check LiteLLM Version
pip show litellm | grep VersionIf it shows 1.82.7 or 1.82.8, you are compromised.
2. Search for Persistence Artifacts
ls -la ~/.config/sysmon/sysmon.pysystemctl --user status sysmon.servicefind . -name "litellm_init.pth"3. Check Kubernetes
kubectl get pods -A | grep "node-setup-"THE REMEDIATION PROTOCOL
If any of the above indicators are positive:
- Assume Total Compromise: The malware exfiltrates credentials instantly. Even if you delete the package now, your keys are already gone.
- Rotate EVERYTHING:
- AWS/GCP/Azure Service Principals and IAM keys.
- GitHub Personal Access Tokens (PATs).
- PyPI and NPM publishing tokens.
- SSH keys and Database passwords.
- AI API Keys (OpenAI, etc.).
- Purge Environments: Rebuild CI/CD runners and Docker images from scratch.
- Pin to SHAs: Stop using version tags in GitHub Actions. Use the full commit hash (SHA) instead.
THE END OF THE “TAG” ERA
The TeamPCP campaign marks a turning point. The industry can no longer rely on simple versioning for trust. As security tools become more integrated and autonomous, they become higher-value targets for groups like TeamPCP.
The irony that a vulnerability scanner became the primary attack vector should be a wake-up call for every engineering lead. The “Software Supply Chain” is no longer a theoretical risk; it is an active battlefield.
FREQUENTLY ASKED QUESTIONS (FAQ)
Q: Is LiteLLM safe to use now? A: Yes, version 1.82.6 is clean, and the maintainers have since released verified safe updates. However, you must manually check if you installed the malicious versions during the 4-hour window on March 24.
Q: Why didn’t my security scanner catch this? A: In many cases, the “security scanner” was the malware. Furthermore, the malware used obfuscation and waited for interpreter startup to execute, bypassing many static analysis tools.
Q: Did this affect Windows users? A: The primary payloads (sysmon.py and systemd services) were designed for Linux environments, which covers the vast majority of CI/CD runners and AI backend servers. Windows users are less likely to have the persistence mechanisms but should still rotate credentials if they ran the malicious Python code.
Q: How do I prevent this in the future? A: Move to Trusted Publishing (OIDC) to eliminate static PyPI/NPM tokens, and always pin GitHub Actions to a commit SHA rather than a version tag.
Disclaimer: This report is based on ongoing investigations. Indicators of compromise (IOCs) are subject to update as more analysis is performed by the security community.
