CyberHappenings logo
Home Browse Watchlists Experimental About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

TeamPCP escalates CanisterWorm campaign with geopolitical targeting and multi-vector attacks

First reported
Last updated
3 unique sources, 14 articles

Summary

Hide ▲

TeamPCP has escalated its multi-vector CanisterWorm campaign into a geopolitically targeted operation, now confirmed to have leveraged the Trivy supply-chain attack as an access vector for the Checkmarx compromise. The group compromised PyPI packages (LiteLLM versions 1.82.7–1.82.8 and Telnyx versions 4.87.1–4.87.2) and Checkmarx KICS tooling to deliver credential-stealing malware, harvesting SSH keys, cloud credentials, Kubernetes secrets, database credentials, cryptocurrency wallets, TLS/SSL private keys, and bash history files. Checkmarx has publicly confirmed that the LAPSUS$ threat group leaked data stolen from its private GitHub repository, with access facilitated by the Trivy compromise attributed to TeamPCP. The leaked data, published on both dark web and clearnet portals, did not contain customer information, and Checkmarx has blocked access to the affected repository pending forensic investigation. The campaign’s scope expanded from initial npm package compromises to include GitHub repository hijacking (e.g., Aqua Security), Docker Hub compromise, and CI/CD pipeline targeting, while destructive payloads in Iranian Kubernetes environments highlight TeamPCP’s geopolitical alignment. On May 9, 2026, TeamPCP published a malicious version of the Checkmarx Jenkins AST plugin (2.0.13-829.vc72453fa_1c16) to the Jenkins Marketplace, defacing the plugin’s GitHub repository with pro-TeamPCP messaging. The compromise was facilitated using credentials stolen in the March 2026 Trivy supply-chain attack and occurred outside the plugin’s official release pipeline, lacking a git tag or GitHub release. Checkmarx isolated its GitHub repositories from customer environments and stated no customer data was stored in them. Users are advised to use version 2.0.13-829.vc72453fa_1c16 published on December 17, 2025, or older.

Timeline

  1. 23.03.2026 22:09 8 articles · 1mo ago

    TeamPCP launches Iran-targeted wiper and expanded Kubernetes attacks using CanisterWorm C2

    The Telnyx PyPI compromise (versions 4.87.1 and 4.87.2) further demonstrates TeamPCP’s operational tempo and evolving tactics. The LiteLLM compromise (versions 1.82.7–1.82.8) expanded the attack surface by activating infostealer malware during installation/updates, systematically harvesting SSH keys, cloud credentials (AWS, Azure, GCP), Docker configurations, and other sensitive data from developer endpoints. The malware exfiltrated stolen data to attacker-controlled infrastructure and established persistence, aligning with prior compromises of developer and security tools (e.g., Trivy, LiteLLM). This development reinforces the assessment that TeamPCP is leveraging supply-chain compromises to convert credential harvesting into larger-scale operations, including geopolitically motivated destructive payloads (e.g., time-zone/locale-based wipers in Kubernetes environments). The new April 22, 2026 npm attack, while not yet attributed to TeamPCP, highlights the escalation of self-propagating supply-chain threats beyond TeamPCP’s operations, targeting AI agent tooling and database packages with credential theft and multi-ecosystem propagation mechanisms. The Namastex Labs compromise (16 packages) and compromised 'xinference' Python package demonstrate the broadening threat landscape, with exfiltration to telemetry.api-monitor[.]com and ICP canister cjn37-uyaaa-aaaac-qgnva-cai.raw.icp0[.]io. On April 22, 2026, a coordinated attack on Checkmarx ecosystems was disclosed: malicious images were pushed to the official "checkmarx/kics" Docker Hub repository, overwriting existing tags (v2.1.20, alpine) and introducing a malicious v2.1.21 tag. The malware bundled modified KICS binaries with data collection and exfiltration capabilities, sending encrypted scan reports to external endpoints. Additionally, infected Visual Studio Code extensions (versions 1.17.0 and 1.19.0) executed unauthorized remote addons via Bun using hardcoded GitHub URLs. The incident exposed credentials in Terraform, CloudFormation, or Kubernetes configurations to malicious scans, prompting remediation actions. Techniques and exfiltration infrastructure resemble TeamPCP's CanisterWorm operations, though attribution remains unconfirmed.

    Show sources
    Open in new tab
  2. 21.03.2026 09:28 13 articles · 1mo ago

    CanisterWorm escalates from manual npm package compromise to fully automated self-propagating supply chain worm via ICP canisters

    TeamPCP published a rogue version (2026.5.09) of the Checkmarx Jenkins AST plugin to repo.jenkins-ci.org on May 9, 2026, outside the official release pipeline and lacking a git tag or GitHub release. The malicious plugin (version 2.0.13-829.vc72453fa_1c16) was published as part of the attacker’s sustained campaign against Checkmarx systems, following prior compromises of KICS Docker images, VS Code extensions, and GitHub Actions workflows. Checkmarx confirmed the compromise was claimed by TeamPCP, which obtained credentials to the repositories via the March 2026 Trivy supply-chain attack. The company stated that its GitHub repositories are isolated from customer production environments and contain no customer data. Users are advised to use version 2.0.13-829.vc72453fa_1c16 published on December 17, 2025, or older, and to rotate all secrets, investigate for lateral movement or persistence, and consult published IOCs for detection.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

Credential theft campaign PCPJack leverages five CVEs for cloud propagation and eviction of TeamPCP artifacts

PCPJack continues to propagate as a worm-like credential theft framework across Docker, Kubernetes, Redis, MongoDB, RayML, and vulnerable web applications, now confirmed to deliberately evict TeamPCP artifacts before executing its payload. The framework remains attributed to a former TeamPCP operator leveraging intimate knowledge of the group’s tooling, with targeting patterns mirroring TeamPCP’s early campaigns from December 2025. Unlike TeamPCP’s earlier operations, PCPJack avoids cryptocurrency mining despite targeting crypto credentials, focusing instead on monetization via credential theft, fraud, spam, extortion, or resale. SentinelLabs analysis indicates PCPJack’s orchestrator script (worm.py) uses Telegram for C2 and propagates via Common Crawl parquet files, while a secondary shell script (check.sh) deploys Sliver-based backdoors across x86_64, x86, and ARM architectures and scans cloud environments for credentials tied to multiple service providers.

Open in new tab

Compromise of Ruby gems and Go modules via poisoned packages leads to credential theft and CI pipeline manipulation

A coordinated software supply chain attack leveraged sleeper packages in RubyGems and Go modules to deploy malicious payloads targeting CI pipelines, enabling credential theft, GitHub Actions tampering, and SSH persistence. The attack originated from the GitHub account "BufferZoneCorp", which published repositories and packages disguised as legitimate libraries such as activesupport-logger and go-retryablehttp. The malicious packages were designed to harvest environment variables, SSH keys, AWS secrets, and developer credentials, exfiltrating data to attacker-controlled endpoints. Go modules also contained functionality to manipulate GitHub Actions workflows, inject fake Go wrappers, and add persistent SSH access via authorized_keys. As of reporting, all identified packages have been yanked or blocked.

Open in new tab

Cross-Platform Supply Chain Attack Expands with Mini Shai-Hulud Malware via PyPI and npm Ecosystems

The Mini Shai-Hulud supply chain attack has escalated into a broader, ongoing campaign with a fresh wave of compromises targeting the TanStack developer ecosystem and other ecosystems, including SAP and AI tooling. Researchers have identified hundreds of malicious npm packages—373 package-version entries across 169 package names and at least double that number across multiple organizations—designed to steal developer and CI/CD credentials and self-propagate through compromised maintainer accounts and GitHub Actions trusted publishing workflows. The malware now leverages heavily obfuscated JavaScript payloads with Bun-based execution to evade detection, while abusing IDE integrations for persistence. The campaign’s tactics have evolved to include automated trojanized package updates pushed via compromised maintainer credentials and OIDC-based npm publishing, significantly increasing the blast radius by turning compromised build systems and developer environments into vectors for further infection. The threat actors, assessed as TeamPCP, continue to refine their methods to maximize reach and stealth, underscoring the urgency for developers to rotate credentials, verify package provenance, and monitor for unauthorized publishes.

Open in new tab

Targeted social engineering of Axios maintainer enables UNC1069 npm supply chain compromise via WAVESHAPER.V2 implant

A maintainer of the widely used Axios npm package was targeted in a highly tailored social engineering campaign attributed to North Korean threat actor UNC1069, resulting in the compromise of npm account credentials and the publication of two trojanized versions of Axios (1.14.1 and 0.30.4). Google Threat Intelligence Group (GTIG) attributed the attack to UNC1069 based on the use of WAVESHAPER.V2 and infrastructure overlaps with past activities. The malicious packages were available for roughly three hours and injected a plain-crypto-js dependency that installed a cross-platform RAT, enabling credential theft and downstream compromise. The campaign also targeted additional maintainers, including Pelle Wessman (Mocha framework) and Node.js core contributors, revealing a coordinated effort against high-impact maintainers. The intrusion began with reconnaissance-driven impersonation of a legitimate company founder, engagement via a cloned Slack workspace and Microsoft Teams call, and execution of a fake system update that deployed the RAT. Post-incident, the maintainer reset devices, rotated all credentials, adopted immutable releases, introduced OIDC-based publishing flows, and updated GitHub Actions workflows to mitigate future risks.

Open in new tab

Supply chain compromise of axios npm package delivers cross-platform RATs via malicious dependency

A North Korea-nexus threat actor (UNC1069) compromised the npm account of axios maintainer Jason Saayman via a two-week social engineering campaign and published malicious axios versions v1.14.1 and v0.30.4 containing the plain-crypto-js dependency to deliver cross-platform RATs with full unilateral control capabilities, bypassing 2FA. The attack’s blast radius has expanded beyond developer ecosystems after OpenAI revealed that a GitHub Actions workflow used for macOS app signing downloaded the malicious axios library, prompting OpenAI to revoke its macOS app certificate as a precaution despite no evidence of compromise. This incident underscores the escalating risks of supply chain compromises, with Google warning that hundreds of thousands of stolen secrets from the axios and Trivy attacks could fuel further software supply chain attacks, SaaS compromises, ransomware, and cryptocurrency theft. The campaign reflects an industrialized social engineering model targeting high-value individuals and open source maintainers, leveraging AI-enhanced trust-building and matured attacker tooling. Additional supply chain attacks in March 2026, such as the compromise of Trivy by TeamPCP (UNC6780), have compounded the threat landscape, exposing organizations like the European Commission and Mercor to downstream risks.

Open in new tab