Full Report
Deeba Ahmed reports on some of TeamPCP’s dangerously effective recent activities: What Happened? The trouble began on 19 March 2026, when a hacking group calling themselves TeamPCP managed to break into Trivy, a popular tool used by developers to scan their code for security vulnerabilities. This was a supply chain attack, which occurs when hackers sneak malicious code... Source
Analysis Summary
# Incident Report: TeamPCP Multi-Stage Supply Chain Attack
## Executive Summary
Between March 19 and March 24, 2026, the threat actor group "TeamPCP" (also known as Shellforce/CipherForce) executed a coordinated supply chain campaign targeting popular developer tools including Trivy, Checkmarx KICS, and LiteLLM. By injecting credential-stealing malware into legitimate software repositories and marketplaces, the attackers aimed to harvest cloud provider keys, system passwords, and cryptocurrency credentials from developers and automated environments.
## Incident Details
- **Discovery Date:** Approximately March 23–25, 2026
- **Incident Date:** March 19, 2026 – March 24, 2026
- **Affected Organizations:** Trivy (Aqua Security), Checkmarx, LiteLLM
- **Sector:** Software Development, Cybersecurity, Artificial Intelligence
- **Geography:** Global (Supply chain impact)
## Timeline of Events
### Initial Access
- **Date/Time:** 19 March 2026
- **Vector:** GitHub Account/Repository Compromise
- **Details:** Attackers gained unauthorized access to Trivy’s GitHub automated tasks and repository, injecting a credential stealer into the scanner tool.
### Lateral Movement
- **Progression:** 23 March 2026
- **Details:** The campaign expanded to Checkmarx’s KICS infrastructure and OpenVSX marketplace. Attackers compromised two automated tools and two specific plugins (`ast-results` and `cx-dev-assist`).
### Data Exfiltration/Impact
- **Date/Time:** 24 March 2026 (LiteLLM Compromise)
- **Details:** Using credentials likely stolen in earlier phases, the actors published poisoned versions of LiteLLM (v1.82.7 and v1.82.8) to PyPI. Version 1.82.8 included a persistence mechanism to run malware upon every Python startup.
### Detection & Response
- **Discovery:** Public disclosure and security research identified poisoned versions on PyPI and OpenVSX.
- **Response:** Compromised packages were identified (1.82.7/1.82.8 for LiteLLM); Checkmarx issued security updates; poisoned plugins were flagged on OpenVSX.
## Attack Methodology
- **Initial Access:** Compromise of legitimate developer accounts/CI-CD pipelines.
- **Persistence:** Implementation of a hidden file in LiteLLM v1.82.8 that executes whenever Python initializes.
- **Privilege Escalation:** Not explicitly detailed, but involved gaining "legitimate developer" status to push updates.
- **Defense Evasion:** Poisoned updates were signed or pushed through trusted repositories (GitHub, PyPI, OpenVSX) to appear legitimate.
- **Credential Access:** Malware specifically targeted AWS, Azure, GCP cloud keys, system passwords, and crypto wallets.
- **Discovery:** Scanned infected host environments for configuration files containing secrets.
- **Lateral Movement:** Using stolen credentials from the first phase (Trivy/Checkmarx) to authenticate and pivot to other platforms (PyPI/LiteLLM).
- **Collection:** Automated harvesting of secret keys and environment variables.
- **Exfiltration:** Credential data sent to attacker-controlled infrastructure.
- **Impact:** Compromise of downstream developer environments and cloud infrastructures.
## Impact Assessment
- **Financial:** High potential for loss via stolen cryptocurrency and unauthorized cloud resource usage (AWS/Azure/GCP).
- **Data Breach:** Massive theft of high-value secrets (API keys, cloud credentials) belonging to developers and enterprises.
- **Operational:** Disruption of CI/CD pipelines; requirement for global rotation of secrets for affected users.
- **Reputational:** Damage to trust in "Trivy," "Checkmarx," and "LiteLLM" as secure development components.
## Indicators of Compromise
- **File indicators:**
- LiteLLM versions 1.82.7 and 1.82.8 (PyPI)
- Checkmarx `ast-results` and `cx-dev-assist` plugins (OpenVSX versions)
- **Behavioral indicators:**
- Unexpected outbound traffic from CI/CD runners to unknown IPs.
- Python execution triggering unauthorized hidden scripts on startup.
## Response Actions
- **Containment:** Removal of malicious versions from PyPI and OpenVSX.
- **Eradication:** Revocation of compromised developer credentials used to push the updates.
- **Recovery:** Advisories issued for users to roll back to known-good versions and rotate all secrets managed or touched by the infected tools.
## Lessons Learned
- **Trust is Fragile:** Even highly trusted security tools (Trivy/Checkmarx) are prime targets for supply chain poisoning.
- **Credential Interdependency:** Success in one breach (credential theft) provided the keys for the next (LiteLLM/PyPI), showing the "butterfly effect" of supply chain attacks.
- **Automation Risks:** Automated GitHub actions/tasks provide a massive attack surface if not strictly governed.
## Recommendations
- **MFA Deployment:** Enforce hardware-based Multi-Factor Authentication (MFA) for all contributors to package registries (PyPI, npm) and GitHub repos.
- **Pinning Versions:** Developers should pin specific hashes/versions of tools rather than pulling "latest" in automated pipelines.
- **Secret Scanning:** Implement outbound network filtering to prevent CI/CD environments from communicating with unauthorized external endpoints.
- **Audit Logs:** Regularly review GitHub Action logs and marketplace publishing history for anomalous activity.