
TeamPCP escalates CanisterWorm campaign with geopolitical targeting and multi-vector attacks

3 unique sources, 6 articles

Summary


TeamPCP has escalated its multi-vector CanisterWorm campaign into a broader, geopolitically targeted operation and is now compromising trusted PyPI packages to deliver credential-stealing malware that runs automatically at package install or import time, with no action from the victim beyond installing the release. The group published malicious versions of the LiteLLM (1.82.7 and 1.82.8) and Telnyx (4.87.1 and 4.87.2) Python packages; the embedded payload harvests SSH keys, cloud credentials, Kubernetes secrets, database credentials, cryptocurrency wallets, TLS/SSL private keys and bash history files, exfiltrates them to attacker-controlled infrastructure and establishes persistent backdoors. The campaign began as a supply-chain attack involving 47 compromised npm packages and the @teale.io/eslint-config variant, using Internet Computer (ICP) canisters as decentralized C2 and masqueraded systemd services for persistence. It then escalated to GitHub repository hijacking (e.g., Aqua Security), Docker Hub compromise and infostealer deployment, and pivoted to attacking CI/CD pipelines directly through GitHub Actions workflows (e.g., Checkmarx, Trivy) with stolen credentials. TeamPCP now compromises GitHub Actions workflows and Open VSX extensions to deploy the TeamPCP Cloud stealer, while refining destructive payloads against Iranian systems in Kubernetes environments with wipers that trigger on time-zone or locale checks. The LiteLLM and Telnyx compromises show rapid iteration and a maturing supply-chain methodology, and there is evidence of collaboration with the Vectr ransomware group for follow-on ransomware operations.

Timeline

  1. 23.03.2026 22:09 4 articles · 4d ago

    TeamPCP launches Iran-targeted wiper and expanded Kubernetes attacks using CanisterWorm C2

    The Telnyx PyPI compromise (versions 4.87.1 and 4.87.2) on March 27, 2026 further demonstrates TeamPCP's operational tempo and evolving tactics within the ongoing multi-ecosystem campaign. Socket, Endor Labs, Aikido Security and Wiz independently confirmed that the malicious payload, which steals SSH private keys and bash history files and exfiltrates them over HTTP to attacker-controlled servers, ran at install time without any explicit import or execution by the victim. This matches the earlier compromises of developer and security tooling (e.g., Trivy, LiteLLM) and supports the assessment that TeamPCP is actively partnering with the Vectr ransomware group to convert supply-chain compromises into large-scale ransomware operations.

  2. 21.03.2026 09:28 5 articles · 7d ago

    CanisterWorm escalates from manual npm package compromise to fully automated self-propagating supply chain worm via ICP canisters

    The March 27, 2026 compromise of the Telnyx PyPI package (versions 4.87.1 and 4.87.2) shows the campaign expanding further: TeamPCP used legitimate maintainer credentials to publish malicious versions that exfiltrate SSH private keys and bash history files over HTTP to attacker-controlled infrastructure. This marks a maturation in methodology, moving beyond typosquatting to direct compromise of trusted packages with real user bases, and fits the group's rapid iteration between compromises (LiteLLM to Telnyx within three days). Because the malicious releases keep the package's authentic name and functionality, casual inspection does not reveal them; that is the core risk when legitimate publishing access is abused, and the payload enables credential harvesting and potential lateral movement from every host that installs it.

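Both timeline entries turn on the same mechanism: a release published with legitimate credentials whose setup.py runs code during `pip install`, before anything is imported. The following Python script is an added example, not code from TeamPCP, the affected projects or the reporting vendors. It shows the two checks a practitioner would run after reading the entries above: a lookup of installed or pinned packages against the four version numbers the page names, and a scan of a package's setup.py for the setuptools install-command override that makes install-time execution possible. The sample setup.py and pip-freeze text are constructed for illustration; the hook in the sample setup.py only echoes a string and does not reproduce the real payload.

```python
"""Audit a Python environment for the compromised LiteLLM / Telnyx releases and
scan a setup.py for hooks that run code at `pip install` time.

Added example; not code from TeamPCP, the affected projects, or the reporting
vendors. The version numbers come from the reporting; the sample setup.py and
freeze output below are constructed and do not reproduce the real payload.
"""
import re
from importlib import metadata

# Releases reported as malicious (published with abused maintainer credentials).
COMPROMISED = {
    "litellm": {"1.82.7", "1.82.8"},
    "telnyx": {"4.87.1", "4.87.2"},
}


def find_compromised_installed(installed=None):
    """Return {name: version} for distributions on the bad list.

    `installed` defaults to the running interpreter's distributions; pass a
    {name: version} mapping (e.g. from parse_freeze) to audit a lockfile instead.
    """
    if installed is None:
        installed = {}
        for dist in metadata.distributions():
            try:
                name = dist.metadata["Name"]
            except (KeyError, TypeError):
                continue
            if name:
                installed[name] = dist.version
    hits = {}
    for name, version in installed.items():
        key = name.lower().replace("_", "-")
        if version in COMPROMISED.get(key, ()):
            hits[key] = version
    return hits


def parse_freeze(text):
    """Parse `pip freeze` / requirements pins (`name==version`) into a dict."""
    pins = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([^\s;#]+)", line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins


# Indicators that setup.py executes during installation rather than only when
# imported: overriding setuptools' install/develop/egg_info commands, shelling
# out, decoding blobs, or fetching from the network at module level.
INSTALL_HOOK_PATTERNS = [
    r"from\s+setuptools\.command\.(install|develop|egg_info)\s+import",
    r"cmdclass\s*=",
    r"class\s+\w+\s*\(\s*(install|develop|egg_info)\s*\)",
    r"\bos\.system\s*\(|\bsubprocess\.",
    r"base64\.b64decode\s*\(",
    r"\burllib\.request\.|\brequests\.(get|post)\s*\(",
]


def install_hook_indicators(setup_py_source):
    """Return the patterns matched in a setup.py source string (empty = clean)."""
    return [p for p in INSTALL_HOOK_PATTERNS if re.search(p, setup_py_source)]


# Constructed sample: the *shape* of an install-time hook. The decoded command
# is just `echo hi`; it stands in for the real downloader, which is not shown.
SAMPLE_HOOKED_SETUP = '''
from setuptools import setup
from setuptools.command.install import install
import os, base64

class PostInstall(install):
    def run(self):
        install.run(self)
        os.system(base64.b64decode(b"ZWNobyBoaQ==").decode())

setup(name="example", version="0.0.1", cmdclass={"install": PostInstall})
'''

SAMPLE_CLEAN_SETUP = '''
from setuptools import setup
setup(name="example", version="0.0.1", packages=["example"])
'''

# Constructed `pip freeze` output containing one bad pin for each package.
SAMPLE_FREEZE = """certifi==2024.8.30
litellm==1.82.7
Telnyx==4.87.2
requests==2.32.3
"""

if __name__ == "__main__":
    print("bad pins in sample freeze:", find_compromised_installed(parse_freeze(SAMPLE_FREEZE)))
    print("hooked setup.py indicators:", install_hook_indicators(SAMPLE_HOOKED_SETUP))
    print("clean setup.py indicators:", install_hook_indicators(SAMPLE_CLEAN_SETUP))
    print("this interpreter:", find_compromised_installed())
```

A match on the first three patterns is not proof of malice (post-install hooks have legitimate uses), but a package that adds a `cmdclass` override in a point release, while the previous release had none, is exactly the diff worth reading before the next `pip install`.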


Similar Happenings

Ongoing Ghost Cluster Targets npm and GitHub in Multi-Stage Credential and Crypto Wallet Theft Campaign

A coordinated campaign tracked as Ghost continues to target developers through malicious npm packages and GitHub repositories that deploy credential stealers and cryptocurrency wallet harvesters. The operation relies on social engineering and multi-stage infection chains, including fake installation wizards that request sudo/administrator privileges and deceptive npm logs that simulate dependency downloads and progress indicators. Stolen data, including browser credentials, crypto wallets, SSH keys and cloud tokens, is exfiltrated to Telegram channels and BSC smart contracts, giving the campaign a dual monetization model: credential theft via the Telegram channels plus affiliate-link redirections stored in a BSC smart contract. Malicious npm packages first appeared under the user 'mikilanjijo', with operations beginning as early as February 2026 and expanding to at least 11 packages such as react-performance-suite and react-query-core-utils. The final payload is a remote access trojan that is downloaded from Telegram channels, decrypted with externally retrieved keys, and executed locally with the stolen sudo password to harvest credentials and deploy GhostLoader.

Supply chain compromise in Trivy scanner triggers CanisterWorm propagation across CI/CD pipelines

The TeamPCP threat group has expanded its supply chain campaign to compromise the popular LiteLLM Python package on PyPI, publishing malicious versions 1.82.7 and 1.82.8 that deploy the TeamPCP Cloud Stealer infostealer. The attack follows the group’s recent compromise of the Trivy vulnerability scanner and impacts organizations using the library’s LLM gateway functionality. The malicious payload executes upon package import, harvesting extensive credentials (SSH keys, cloud tokens, Kubernetes secrets, cryptocurrency wallets, and .env files) and attempting lateral movement via privileged Kubernetes pod deployment. Persistence is achieved through a disguised systemd service that contacts attacker infrastructure at checkmarx.zone. Exfiltrated data is encrypted and sent to models.litellm.cloud. Both malicious versions have been removed from PyPI, with version 1.82.6 now the latest clean release. TeamPCP’s campaign now spans CI/CD pipelines (Trivy, Checkmarx KICS), container registries (Aqua Security Docker Hub images), and LLM integration tools (LiteLLM), demonstrating industrialized supply chain exploitation with reused tooling and infrastructure. The group claims approximately 500,000 devices were compromised during the LiteLLM attack, though this figure remains unconfirmed. The broader incident highlights persistent risks in supply chain security where compromised security tools enable rapid worm propagation and cascading compromises across cloud-native environments. Key milestones include the initial Trivy compromise on March 19, 2026, the deployment of CanisterWorm and wiper attacks targeting Iran or Farsi-locale systems over March 21–22, 2026, and the expansion to additional targets such as LiteLLM. Security advisories emphasize the critical need for organizations to rotate all exposed credentials and inspect Kubernetes clusters for unauthorized pods, as cascading compromises often stem from unrotated secrets and tokens.
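The lateral-movement behaviour above (a privileged pod deployed into the cluster from a compromised host) is what the advisories' call to inspect Kubernetes clusters for unauthorized pods means in practice. The following Python script is an added example, not TeamPCP tooling and not from any vendor advisory: it audits a pod list in the JSON shape that `kubectl get pods -A -o json` produces and flags the settings such a pod needs (privileged containers, host PID/network/IPC namespaces, hostPath mounts of the node root or the container-runtime socket, dangerous added capabilities), plus pods created directly with no owning controller, which is how an attacker-launched pod usually looks. The pod list embedded in it is constructed for illustration.

```python
"""Audit a `kubectl get pods -A -o json` dump for pods with the settings a
container-escape / lateral-movement pod needs, and for pods that were created
directly rather than by a Deployment, DaemonSet or Job controller.

Added example; not TeamPCP tooling and not from any vendor advisory. The pod
list below is constructed. Against a real cluster:
    kubectl get pods -A -o json > pods.json && python audit_pods.py pods.json
"""
import json
import sys

# hostPath targets that hand a container the node filesystem or runtime socket.
SENSITIVE_HOST_PATHS = {"/", "/var/run/docker.sock", "/run/containerd", "/etc", "/root"}
# Capabilities that make "privileged: false" meaningless in practice.
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "NET_ADMIN"}


def audit_pods(pod_list):
    """Return [(namespace/name, [reasons...])] for every pod with risky settings."""
    findings = []
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        spec = pod.get("spec", {})
        ident = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
        reasons = []
        # Controller-managed pods carry ownerReferences; a bare pod was created
        # by hand or by a script with API credentials.
        if not meta.get("ownerReferences"):
            reasons.append("created directly (no ownerReferences)")
        for flag in ("hostPID", "hostNetwork", "hostIPC"):
            if spec.get(flag):
                reasons.append(flag)
        for vol in spec.get("volumes", []):
            path = vol.get("hostPath", {}).get("path")
            if path:
                norm = path.rstrip("/") or "/"
                if norm in SENSITIVE_HOST_PATHS:
                    reasons.append(f"hostPath {norm}")
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            sc = c.get("securityContext", {})
            if sc.get("privileged"):
                reasons.append(f"{c['name']}: privileged")
            added = set(sc.get("capabilities", {}).get("add", []))
            for cap in sorted(added & DANGEROUS_CAPS):
                reasons.append(f"{c['name']}: cap {cap}")
        if reasons:
            findings.append((ident, reasons))
    return findings


# Constructed sample: one ordinary workload, one pod shaped like a lateral-
# movement pod (bare, hostPID, node root mounted, privileged, SYS_ADMIN).
SAMPLE_PODS = {
    "items": [
        {
            "metadata": {
                "name": "web-7c9d",
                "namespace": "default",
                "ownerReferences": [{"kind": "ReplicaSet", "name": "web"}],
            },
            "spec": {"containers": [{"name": "web", "image": "example/web:1.0"}]},
        },
        {
            "metadata": {"name": "sample-agent", "namespace": "kube-system"},
            "spec": {
                "hostPID": True,
                "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
                "containers": [{
                    "name": "agent",
                    "image": "example/agent:latest",
                    "securityContext": {
                        "privileged": True,
                        "capabilities": {"add": ["SYS_ADMIN"]},
                    },
                    "volumeMounts": [{"name": "host", "mountPath": "/host"}],
                }],
            },
        },
    ]
}

if __name__ == "__main__":
    pods = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PODS
    for ident, reasons in audit_pods(pods):
        print(ident)
        for r in reasons:
            print("   ", r)
```

Legitimate DaemonSets (CNI, node exporters, log shippers) will also trip the hostPath and capability checks, so the useful triage key is the combination: a pod with no ownerReferences that also has a host namespace or node-root mount, created at a time that lines up with the package install.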

Tag poisoning in Trivy GitHub Actions repositories delivers cloud-native infostealer payload

Attackers compromised two official Trivy-related GitHub Actions repositories—aquasecurity/trivy-action and aquasecurity/setup-trivy—and backdoored Trivy v0.69.4 releases, distributing a Python-based infostealer that harvests wide-ranging CI/CD and developer secrets. The payload executes in GitHub Actions runners and Trivy binaries, remaining active for up to 12 hours in Actions tags and three hours in the malicious release. The actors leveraged compromised credentials from a prior March incident and added persistence via systemd services, while also linking to a follow-up npm campaign using the CanisterWorm self-propagating worm. The incident traces to a credential compromise initially disclosed in early March 2026, which was not fully contained and enabled subsequent tag and release manipulations. Safe releases are now available and mitigation includes pinning Actions to full SHA hashes, blocking exfiltration endpoints, and rotating all affected secrets.
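The mitigation of pinning Actions to full SHA hashes is the direct answer to tag poisoning: a tag or branch name such as `@v4` or `@master` is a mutable pointer that whoever controls the repository (or its credentials) can move to a backdoored commit, whereas a 40-hex commit SHA cannot be re-pointed. The following Python script is added here as an example and is not code from GitHub, Aqua Security or the Trivy project: it lists every `owner/repo@ref` in a workflow file and reports which are still on mutable refs. The embedded workflow is constructed, and the SHA in it is a placeholder rather than a real Trivy commit.

```python
"""Flag GitHub Actions `uses:` references that are not pinned to a full commit SHA.

Added example, not code from GitHub, Aqua Security or the Trivy project. The
sample workflow is constructed and its SHA is a placeholder, not a real commit.
Usage: python audit_actions.py .github/workflows/scan.yml  (exit 1 if unpinned)
"""
import re
import sys

# Matches `uses: owner/repo@ref` (with or without a leading "- " and quotes);
# the ref stops at whitespace or a trailing "# vX.Y" comment. Local actions
# (`uses: ./path`) and `docker://` images have no `@` and are not matched.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^@'\"\s]+)@([^'\"\s#]+)", re.M)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_uses(workflow_text):
    """Return (action, ref, status) for every `owner/repo@ref` in the workflow."""
    out = []
    for m in USES_RE.finditer(workflow_text):
        action, ref = m.group(1), m.group(2)
        status = "sha-pinned" if SHA_RE.match(ref) else "mutable-ref"
        out.append((action, ref, status))
    return out


def unpinned(workflow_text):
    """Only the entries that must be re-pinned before the workflow is trusted."""
    return [(a, r) for a, r, s in audit_uses(workflow_text) if s == "mutable-ref"]


# Constructed workflow: two mutable refs and one SHA pin (placeholder SHA; the
# trailing comment is the usual way to record which version the SHA maps to).
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run Trivy from a mutable branch ref
        uses: aquasecurity/trivy-action@master
      - name: Setup Trivy from a pinned commit
        uses: aquasecurity/setup-trivy@0123456789abcdef0123456789abcdef01234567 # v0.2.0
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_WORKFLOW
    for action, ref, status in audit_uses(text):
        print(f"{status:12} {action}@{ref}")
    sys.exit(1 if unpinned(text) else 0)
```

A SHA pin only helps if the SHA was taken from a release you verified; pinning to whatever `master` resolved to during the 12-hour poisoning window would freeze the backdoored commit in place, so record the version in the trailing comment and re-check it against the project's safe-release advisory.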

Critical Authentication Bypass in Cisco Catalyst SD-WAN Exploited Since 2023

A critical authentication bypass vulnerability (CVE-2026-20127) in Cisco Catalyst SD-WAN has been exploited in zero-day attacks since at least 2023. The flaw, in the controllers' peering authentication mechanism, lets remote attackers log in as high-privileged users, add rogue peers to targeted networks and manipulate network configurations. Cisco has released software updates, and CISA has issued an emergency directive requiring federal agencies to patch affected systems by February 27, 2026. Attackers have used the built-in update mechanism to stage a software downgrade, escalated to root by exploiting CVE-2022-20775, and covered their tracks by purging logs and command history. Cisco has also flagged two further Catalyst SD-WAN Manager flaws as exploited in the wild and urged administrators to upgrade: CVE-2026-20128, an information disclosure issue in the Data Collection Agent (DCA) feature that lets an authenticated local attacker gain DCA user privileges, and CVE-2026-20122, an arbitrary file overwrite bug in the API that lets a remote authenticated attacker overwrite arbitrary files and gain elevated privileges. Cisco Talos attributes the CVE-2026-20127 exploitation to UAT-8616, a highly sophisticated actor active since at least 2023. Separately, Cisco has released updates for two maximum-severity vulnerabilities in its Secure Firewall Management Center (FMC) software, CVE-2026-20079 and CVE-2026-20131.

TeamPCP Worm Exploits Cloud Infrastructure for Criminal Operations

TeamPCP, a threat cluster active since November 2025, has conducted a worm-driven campaign targeting cloud-native environments to build malicious infrastructure. The campaign, observed around December 25, 2025, leveraged exposed Docker APIs, Kubernetes clusters, Ray dashboards, Redis servers, and the React2Shell vulnerability (CVE-2025-55182) to compromise servers for data exfiltration, ransomware deployment, extortion, and cryptocurrency mining. The group operates as a cloud-native cybercrime platform, using misconfigured cloud services and known vulnerabilities to create a self-propagating criminal ecosystem. TeamPCP's activities include deploying various payloads such as proxy.sh, scanner.py, kube.py, react.py, and pcpcat.py to exploit and expand their reach within cloud environments. The group's operations are opportunistic, targeting AWS, Microsoft Azure, Google, and Oracle cloud environments, and have resulted in data leaks and extortion activities. The group has compromised at least 60,000 servers worldwide and has exfiltrated more than two million records from JobsGO, a recruitment platform in Vietnam.