TeamPCP Injects Credential Stealer Into Trivy Releases and Spreads to npm via CanisterWorm

Group – TeamPCP (financially motivated threat actor, reportedly collaborating with LAPSUS$ for extortion; nationality unconfirmed)
Type – Multi-Ecosystem Supply Chain Attack, Infostealer, Self-Propagating Worm, Kubernetes Wiper
Delivery – Compromised GitHub Actions (trivy-action, setup-trivy, kics-github-action, ast-github-action) plus poisoned PyPI packages (litellm) and self-propagating npm infection via CanisterWorm
Malware – TeamPCP Cloud Stealer — three-stage CI/CD credential harvester; CanisterWorm — first publicly documented npm worm using ICP blockchain C2; kamikaze.sh — Kubernetes cluster wiper
Score – 🔴 9.5 Critical. Actively exploited supply chain compromise across six ecosystems with confirmed mass credential theft, a novel blockchain-based C2 that cannot be taken down through conventional means, a destructive Kubernetes wiper, and active LAPSUS$ extortion of victims.
Observed – 25 March 2026

Overview

A sophisticated and ongoing supply chain attack attributed to a threat actor tracked as TeamPCP has compromised some of the most widely trusted tools in the software development pipeline. Starting with a privileged GitHub Actions token stolen from Aqua Security on February 28, 2026, the attacker has systematically infected official releases of Trivy, Checkmarx KICS GitHub Actions, the LiteLLM Python library, and over 66 npm packages. As of 24 March 2026, Mandiant Consulting CTO Charles Carmakal stated they are aware of over 1,000 SaaS environments actively dealing with this threat actor, a figure he expected to grow considerably.

The attack does not exploit a vulnerability in the traditional sense. On February 28, 2026, an AI-powered autonomous attack tool named hackerbot-claw exploited a misconfigured pull_request_target GitHub Actions workflow in the Trivy repository to extract a personal access token with write access to all 33+ repositories in the Aqua Security GitHub organisation. Aqua Security disclosed this first incident on March 1 and attempted credential rotation, but the rotation was incomplete. TeamPCP retained access through credentials that survived the process, enabling a second, far larger attack on March 19.

What makes this campaign particularly severe is its second stage. Stolen npm publish tokens were weaponised to propagate CanisterWorm, a self-replicating worm that has now spread across 141 malicious package artefacts spanning more than 66 unique npm packages. CanisterWorm is the first publicly documented npm malware to use an Internet Computer Protocol (ICP) blockchain canister as its command-and-control dead drop. Because ICP is a decentralised smart contract network with no single host or provider, the C2 infrastructure cannot be neutralised through a conventional domain takedown or hosting provider abuse report.

A third payload, kamikaze.sh, has been observed deploying a privileged Kubernetes DaemonSet that mounts the host root filesystem and deletes all top-level directories before force-rebooting every node in the cluster. Based on analysis by multiple researchers, this destructive capability appears selectively targeted at Kubernetes clusters identified as belonging to Iranian organisations. Separate to the credential theft, The Register and SecurityAffairs report that TeamPCP is actively collaborating with the LAPSUS$ extortion group to leverage stolen data against victim organisations.

Any team using an affected package version, GitHub Action, or npm package between 19 and 24 March 2026 should treat their CI/CD environment as fully compromised and begin immediate credential rotation across all cloud providers, container registries, and developer tooling.


Key Details

Delivery Method – Compromised GitHub Actions distributed via hijacked version tags on four repositories (aquasecurity/trivy-action, aquasecurity/setup-trivy, Checkmarx/kics-github-action, Checkmarx/ast-github-action); poisoned Python packages published to PyPI (litellm 1.82.7 and 1.82.8); and CanisterWorm self-propagating via stolen npm publish tokens across 66+ packages.

Target – Software development teams and DevOps organisations globally using Trivy, KICS, LiteLLM, or any of the 66+ compromised npm packages within automated CI/CD pipelines. No single industry or geography is targeted; exposure is determined entirely by toolchain.

Functions

  • Scrapes process memory from the GitHub Actions Runner.Worker process via /proc/<pid>/mem to extract in-memory credentials before they are written to disk
  • Sweeps the CI/CD runner filesystem across 50+ sensitive file paths for SSH keys, AWS/GCP/Azure credentials, Kubernetes service account tokens, Docker configuration files, Git credentials, npm auth tokens, database passwords, cryptocurrency wallets, and Slack and Discord webhook URLs
  • Archives all collected secrets to tpcp.tar.gz before exfiltration to attacker C2
  • Exfiltrates harvested data to a typosquatted Aqua Security domain (scan.aquasecurtiy[.]org) resolving to a VPS in Amsterdam
  • As a fallback, publishes collected secrets as a release artefact to a newly created repository named tpcp-docs under the victim's own GitHub account
  • Drops a persistent Python backdoor and registers it as a systemd user service (pgmon.service), polling an ICP blockchain canister approximately every 50 minutes for further payload instructions
  • Self-propagates through the npm ecosystem using stolen publish tokens to inject malicious postinstall hooks into legitimate packages (CanisterWorm)
  • Deploys kamikaze.sh via the ICP C2 channel to stage a Kubernetes DaemonSet wiper that destroys all data across targeted cluster nodes

Obfuscation – Persistence artefacts masquerade as PostgreSQL database infrastructure using process names (pglog, pg_state, pgmon) and file paths under /var/lib/pgmon/ that blend into developer and server environments. The ICP blockchain C2 avoids traditional network-based detection and cannot be disrupted via conventional provider abuse reporting.


Attack Vectors

Stage 1 — Initial Access: On February 28, 2026, an AI-powered autonomous attack tool named hackerbot-claw (operating from a GitHub account created February 20) scanned public repositories for exploitable pull_request_target workflow misconfigurations. Trivy's repository was vulnerable: the bot forked it, opened a pull request containing a curl | bash command, and extracted a personal access token bound to the entire Aqua Security GitHub organisation, granting write access to all 33+ repositories. Aqua Security disclosed this first incident on March 1 and rotated credentials, but the rotation was not comprehensive. The attacker retained access through credentials that survived the process.

Stage 2 — Supply Chain Injection: On 19 March 2026, beginning at approximately 17:43 UTC, TeamPCP used the retained token to force-push 76 of 77 version tags in aquasecurity/trivy-action (every tag from v0.0.1 through v0.34.2, with v0.35.0 the only clean tag protected by GitHub's immutable releases feature) and all 7 tags in aquasecurity/setup-trivy. Malicious entrypoint.sh and action.yaml files prepend a three-stage credential harvesting payload before any legitimate Trivy scanning logic, so affected workflows appeared to complete normally while silently exfiltrating secrets. On March 23, the same technique was applied to all 35 tags of Checkmarx/kics-github-action and Checkmarx/ast-github-action between 12:58 and 16:50 UTC, using credentials stolen from the cx-plugins-releases Checkmarx CI service account.

Stage 3 — Persistence and C2 Establishment: After credential exfiltration, the payload drops a Python backdoor and installs it as a persistent systemd user service (pgmon.service). After an initial 5-minute sleep, this backdoor polls https://tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0[.]io/ approximately every 50 minutes for a URL pointing to a further payload. The ICP canister is currently serving kamikaze.sh, a bash stager that checks for kubectl, pulls a Python controller script (kube.py), and on clusters identified as Iranian, deploys the "host-provisioner-iran" DaemonSet. This DaemonSet runs a container named "kamikaze" that mounts the host root filesystem, deletes all top-level directories, and force-reboots every node including the control plane.

Stage 4 — Ecosystem Propagation: With npm publish tokens among the harvested credentials, TeamPCP deployed CanisterWorm on 20 March 2026 at approximately 20:45 UTC. The worm pushes malicious patch updates to packages from compromised publisher accounts, injecting a postinstall hook that extracts additional npm auth tokens from .npmrc, exfiltrates them to the same ICP C2, and then attempts to publish the identical malicious hook to any other packages the stolen token can access. On 24 March, this technique expanded to PyPI where litellm versions 1.82.7 and 1.82.8 were published carrying an identical credential stealer injected into a single file (litellm/proxy/proxy_server.py) via 12 lines of obfuscated base64-encoded code that executes automatically on module import. LiteLLM processes approximately 95 million monthly downloads.


Known Indicators of Compromise

Indicators may vary across campaigns and malware samples. Verify all IOCs against current threat feeds before actioning.

Domains and C2 Infrastructure

| Indicator | Type | Notes |
|---|---|---|
| scan.aquasecurtiy[.]org | Typosquatted primary exfiltration domain | Confirmed across multiple sources |
| tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0[.]io | ICP blockchain C2 dead drop | Confirmed; gateway shared across all ICP canisters |
| plug-tab-protective-relay.trycloudflare[.]com | Cloudflare Tunnel secondary C2 | Confirmed |
| checkmarx[.]zone/raw | Polling endpoint for subsequent payloads | Confirmed |

IP Addresses

| Indicator | Type | Notes |
|---|---|---|
| 45.148.10.212 | Primary exfiltration server — TECHOFF SRV LIMITED, Amsterdam, NL | Confirmed across multiple sources |

Compromised Package Versions

| Indicator | Type | Notes |
|---|---|---|
| aquasec/trivy:0.69.4 through aquasec/trivy:0.69.6 | Malicious Docker Hub image tags | Confirmed |
| litellm==1.82.7 and litellm==1.82.8 (PyPI) | Backdoored Python package versions | Confirmed; treat any environment with these installed as fully compromised |
| cx-dev-assist 1.7.0 (OpenVSX only) | Compromised VS Code extension | Confirmed; VS Code Marketplace versions appear unaffected |
| ast-results 2.53.0 (OpenVSX only) | Compromised VS Code extension | Confirmed; VS Code Marketplace versions appear unaffected |
| 66+ npm packages with unauthorised patch versions | CanisterWorm-propagated packages | Verify against published IOC lists before bulk blocking |

File Paths and Persistence Artefacts

| Indicator | Type | Notes |
|---|---|---|
| ~/.config/sysmon.py or ~/.config/sysmon/sysmon.py | Initial Python dropper | Path variant differs between sources — check both |
| ~/.local/share/pgmon/service.py | Persistent polling backdoor | Confirmed |
| ~/.config/systemd/user/pgmon.service | Persistent systemd user service | Confirmed service name |
| /tmp/pglog | Temporary payload execution file | Confirmed |
| /tmp/.pg_state | State tracking file | Confirmed |
| /var/lib/pgmon/ | Malware staging directory | Confirmed |
| tpcp.tar.gz | Secrets exfiltration archive | Confirmed |
| tpcp-docs (GitHub repository) | Fallback exfiltration repo created in victim account | Confirmed; presence indicates successful exfiltration |

Process Names Masquerading as PostgreSQL

| Indicator | Type | Notes |
|---|---|---|
| pglog | Malware process | Mimics PostgreSQL logging artefact |
| pg_state | Malware process | Mimics PostgreSQL state artefact |
| pgmon | Malware process | Mimics PostgreSQL monitor process |

MITRE ATT&CK Techniques

| Technique ID | Technique Name | Application in This Campaign |
|---|---|---|
| T1195.002 | Supply Chain Compromise: Software Supply Chain | Force-pushed malicious commits to trusted version tags across four GitHub Actions repositories; poisoned PyPI and npm packages via stolen publish credentials |
| T1552.004 | Unsecured Credentials: Private Keys | Credential harvester sweeps 50+ file paths on CI/CD runners for SSH keys, TLS certificates, and cloud provider key files |
| T1543.002 | Create or Modify System Process: Systemd Service | Installs pgmon.service as a persistent systemd user service to survive runner reboots |
| T1005 | Data from Local System | Collects and archives all harvested secrets into tpcp.tar.gz prior to exfiltration |
| T1059.004 | Command and Scripting Interpreter: Unix Shell | Postinstall hooks in compromised npm packages execute shell commands to extract tokens and propagate CanisterWorm; kamikaze.sh bash stager for cluster wiper deployment |
| T1071.001 | Application Layer Protocol: Web Protocols | ICP blockchain canister used as untakeable C2 dead drop, polling approximately every 50 minutes for payload URLs |
| T1485 | Data Destruction | kamikaze.sh deploys a Kubernetes DaemonSet that mounts and wipes host root filesystems across all cluster nodes before force-rebooting |
| T1078 | Valid Accounts | Stolen GitHub personal access tokens and CI service account credentials used to publish malicious releases to official package registries |

Mitigation and Prevention

Audit GitHub Actions Pin References Immediately

Any CI/CD workflow referencing aquasecurity/trivy-action, aquasecurity/setup-trivy, Checkmarx/kics-github-action, or Checkmarx/ast-github-action by a mutable version tag should be audited now. Replace all tag references with pinned commit SHA hashes and review your GitHub Actions audit log for any workflow runs using these actions between 19 and 24 March 2026 (AEST). v0.35.0 of trivy-action is the sole clean tag, protected by GitHub's immutable releases feature.
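
One way to run this audit across checked-out repositories, as an added example that is not part of the original advisory or any vendor tooling. It classifies each reference to the four affected actions as a full commit SHA, the one tag the advisory calls clean, or a mutable ref; the sample workflow and its 40-character SHA are constructed placeholders.

```python
import re
from pathlib import Path

# Actions named in this advisory (owner/repo, lower-cased for comparison).
AFFECTED = {
    "aquasecurity/trivy-action",
    "aquasecurity/setup-trivy",
    "checkmarx/kics-github-action",
    "checkmarx/ast-github-action",
}
# The advisory names v0.35.0 of trivy-action as the sole clean tag.
CLEAN_TAGS = {("aquasecurity/trivy-action", "v0.35.0")}

USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*["']?([^\s"'#]+)""")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Constructed sample workflow; the 40-hex SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@v0.34.2
      - uses: aquasecurity/trivy-action@v0.35.0
      - name: kics
        uses: Checkmarx/kics-github-action@0123456789abcdef0123456789abcdef01234567
      # - uses: aquasecurity/setup-trivy@v1
"""


def audit_workflow_text(text, source="<workflow>"):
    """Classify every reference to an affected action in one workflow file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)  # commented-out lines do not match
        if not m or "@" not in m.group(1):
            continue
        target, ref = m.group(1).rsplit("@", 1)
        action = "/".join(target.split("/")[:2]).lower()  # drop any sub-path
        if action not in AFFECTED:
            continue
        if FULL_SHA_RE.match(ref.lower()):
            status = "pinned-sha"  # still confirm the SHA is a known-good commit
        elif (action, ref) in CLEAN_TAGS:
            status = "clean-tag"  # clean per the advisory, but pin it anyway
        else:
            status = "mutable-ref"  # tag or branch: audit runs in the window
        findings.append({"file": source, "line": lineno, "action": action,
                         "ref": ref, "status": status})
    return findings


def audit_repo(root):
    """Scan .github/workflows/*.yml and *.yaml under a checked-out repository."""
    findings = []
    for path in sorted((Path(root) / ".github" / "workflows").glob("*.y*ml")):
        text = path.read_text(encoding="utf-8", errors="replace")
        findings.extend(audit_workflow_text(text, str(path)))
    return findings
```

A `pinned-sha` result only shows that the reference is immutable; the SHA itself still has to be checked against a commit you trust.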

Rotate All Secrets Present in Affected Pipelines

Any CI/CD runner that executed a compromised action version during the exposure window should be treated as fully compromised. Immediately rotate AWS IAM access keys, GCP service account tokens, Azure managed identity credentials, SSH private keys, Kubernetes service account tokens, Docker registry credentials, npm auth tokens, database passwords, and any webhook URLs stored as environment variables or repository secrets. Do not wait for forensic confirmation before revoking; the risk of delay outweighs the cost of rotation.

Scan for TeamPCP Persistence Artefacts

Search all developer workstations, self-hosted runners, and Linux server environments for the following indicators: ~/.config/sysmon.py, ~/.config/sysmon/sysmon.py (both path variants have been observed), ~/.local/share/pgmon/service.py, the systemd user service pgmon.service, and files named pglog or pg_state in /tmp/. Any match confirms the system has been backdoored and the attacker may retain ongoing access. Isolate the affected system before proceeding with remediation.
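
The artefact sweep described above, as an added example that is not code from the original advisory. The `root` parameter is an assumption added here so the same check can run against a mounted disk image of an isolated host; the home-directory layout (`/home/*` and `/root`) is also assumed.

```python
import os
from datetime import datetime, timezone
from pathlib import Path

# Per-user artefacts listed in this advisory, relative to a home directory.
HOME_ARTEFACTS = (
    ".config/sysmon.py",
    ".config/sysmon/sysmon.py",
    ".local/share/pgmon/service.py",
    ".config/systemd/user/pgmon.service",
)
# System-wide artefacts listed in this advisory, relative to the filesystem root.
# Both pg_state spellings appear on the page, so both are checked.
SYSTEM_ARTEFACTS = ("tmp/pglog", "tmp/.pg_state", "tmp/pg_state", "var/lib/pgmon")


def _describe(path):
    """Metadata for triage: owner, size and last-modified time in UTC."""
    st = os.lstat(path)  # lstat: report the entry itself, never follow a symlink
    return {
        "path": str(path),
        "uid": st.st_uid,
        "size": st.st_size,
        "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
    }


def scan_for_artefacts(root="/", home_dirs=None):
    """Return one record per advisory artefact that exists under root."""
    root = Path(root)
    if home_dirs is None:
        base = root / "home"
        home_dirs = sorted(p for p in base.iterdir() if p.is_dir()) if base.is_dir() else []
        home_dirs.append(root / "root")
    candidates = [Path(h) / rel for h in home_dirs for rel in HOME_ARTEFACTS]
    candidates += [root / rel for rel in SYSTEM_ARTEFACTS]
    # lexists also reports dangling symlinks planted at an artefact path
    return [_describe(p) for p in candidates if os.path.lexists(p)]


if __name__ == "__main__":
    hits = scan_for_artefacts("/")
    for h in hits:
        print(f"{h['mtime_utc']}  uid={h['uid']}  {h['path']}")
    raise SystemExit(1 if hits else 0)  # non-zero exit when anything is found
```

Run it as a user able to read every home directory; an unreadable directory is reported as clean.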

Remove and Rebuild Environments Running Affected Python Packages

Any environment with litellm 1.82.7 or 1.82.8 installed must be treated as fully compromised and rebuilt from a clean baseline. Do not simply uninstall and upgrade — the credential stealer executes on import and any secrets present during that window are already stolen. Provision a fresh environment with newly generated credentials and downgrade to litellm 1.82.6 or the latest verified clean release.

Audit npm Dependencies for CanisterWorm

Run a dependency audit against published CanisterWorm IOC lists and check for any package that received an unauthorised patch version bump between 20 and 24 March 2026. Use a software composition analysis tool to flag unexpected version changes in your lock files. Any npm package updated outside your normal dependency management process during this window should be treated as suspect until independently verified clean.
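
A lock-file triage for this step, as an added example that is not part of the original advisory. It compares a known-good `package-lock.json` (lockfileVersion 2 or 3) with the current one and shortlists patch-only bumps plus any entry matching an IOC list; the `name@version` IOC format and all package names below are constructed assumptions, since the advisory does not list the affected packages.

```python
import json
import re

SEMVER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")

# Constructed lock files: example-lib takes a patch bump, other-lib a minor bump,
# and nested-dep is a new transitive dependency.
BASELINE = {"lockfileVersion": 3, "packages": {
    "": {"name": "app", "version": "1.0.0"},
    "node_modules/example-lib": {"version": "2.4.1"},
    "node_modules/@example/util": {"version": "0.9.3"},
    "node_modules/other-lib": {"version": "1.0.0"},
}}
CURRENT = {"lockfileVersion": 3, "packages": {
    "": {"name": "app", "version": "1.0.0"},
    "node_modules/example-lib": {"version": "2.4.2"},
    "node_modules/example-lib/node_modules/nested-dep": {"version": "3.0.5"},
    "node_modules/@example/util": {"version": "0.9.3"},
    "node_modules/other-lib": {"version": "1.1.0"},
}}


def load_lock(path):
    """Read a package-lock.json from disk."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def locked_versions(lock):
    """Map install path -> version, skipping the root project and workspace links."""
    return {path: meta["version"]
            for path, meta in lock.get("packages", {}).items()
            if path and "version" in meta and not meta.get("link")}


def flag_patch_bumps(baseline, current, ioc_versions=frozenset()):
    """Shortlist patch-only bumps and IOC matches for manual verification."""
    old, new = locked_versions(baseline), locked_versions(current)
    findings = []
    for path in sorted(new):
        name = path.rsplit("node_modules/", 1)[-1]  # handles nested and scoped names
        ioc_hit = f"{name}@{new[path]}" in ioc_versions
        a, b = SEMVER_RE.match(old.get(path, "")), SEMVER_RE.match(new[path])
        bumped = False
        if a and b:
            va, vb = [int(x) for x in a.groups()], [int(x) for x in b.groups()]
            bumped = va[:2] == vb[:2] and vb[2] > va[2]  # same major.minor, higher patch
        if bumped or ioc_hit:
            findings.append({"package": name, "path": path, "from": old.get(path),
                             "to": new[path], "ioc_match": ioc_hit})
    return findings
```

Each shortlisted entry still needs its registry publish time checked against the 20 to 24 March 2026 window before it is cleared or blocked.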

Check OpenVSX Extensions Only

Developers using the OpenVSX extension registry should check for cx-dev-assist 1.7.0 and ast-results 2.53.0 and remove both immediately. These OpenVSX versions were published 12 seconds apart at 12:53 UTC on March 23 via the compromised ast-phoenix publisher account and carry the full TeamPCP credential stealer. Versions distributed through the VS Code Marketplace appear unaffected. Do not reinstall from OpenVSX until Checkmarx confirms a verified clean release.

Block TeamPCP Infrastructure at the Network Perimeter

Add the following to your DNS blocklist and egress controls: scan.aquasecurtiy[.]org, tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0[.]io, plug-tab-protective-relay.trycloudflare[.]com, and checkmarx[.]zone. Block outbound connections to 45.148.10.212. Note that the ICP canister C2 transits through the shared icp0.io gateway, which may require a path-based rule rather than a blanket domain block if your organisation uses other ICP services.

Audit GitHub for Unauthorised tpcp-docs Repositories

Search your organisation's GitHub account for any repository named tpcp-docs that was created without authorisation. Its presence confirms the fallback exfiltration mechanism was triggered and that your secrets were published to your own account by the attacker. Delete the repository immediately, rotate all credentials, and treat the event as a confirmed breach.


Risk Assessment

The TeamPCP campaign represents one of the most consequential supply chain attacks targeting the developer toolchain since the 2020 SolarWinds compromise. Where most credential theft campaigns require a victim to click a link or open a file, this attack exploited the implicit trust that development teams place in open source vulnerability scanning tools. A CI/CD pipeline running Trivy to detect vulnerabilities in application dependencies does not expect the scanner itself to be the vector. That trust assumption is precisely what TeamPCP weaponised, and it is what makes detection so difficult after the fact.

The scale is substantial across multiple dimensions. Trivy is referenced in over 10,000 publicly visible CI/CD workflows on GitHub alone. LiteLLM processes approximately 95 million monthly downloads and is foundational to AI engineering teams across virtually every sector. The credentials being stolen — cloud provider keys, Kubernetes service account tokens, and SSH private keys — represent full administrative control over production infrastructure, source code, and customer data in cloud-native environments. The reported LAPSUS$ collaboration adds a direct extortion dimension: stolen data is not simply being sold or used internally by TeamPCP, it is actively being leveraged for ransom demands against victim organisations.

The introduction of an ICP blockchain canister as C2 infrastructure marks a meaningful escalation in attacker technique. Previous npm supply chain attacks relied on attacker-controlled domains that registrars or hosting providers could neutralise within hours of notification. CanisterWorm's C2 is a smart contract on a decentralised network with no single point of control, making the communication channel effectively permanent until TeamPCP chooses to deactivate it. The Cloud Security Alliance has documented this as a novel C2 evasion technique, and security teams should expect replication by other threat actors once its effectiveness becomes more widely understood.


Conclusion

The single most important action for any team using Trivy, KICS, LiteLLM, or CI/CD pipelines containing npm packages from affected publishers is to begin immediate secret rotation across every cloud provider and developer platform. Do not wait for a forensic investigation to conclude before revoking credentials. The window of confirmed exposure runs from 19 March through at least 24 March 2026, and any secret present in a CI/CD environment during that period should be assumed stolen.

This campaign demonstrates how the software supply chain has become the primary attack surface for sophisticated threat actors targeting enterprise environments at scale. Rather than attacking hardened network perimeters, TeamPCP embedded its payload inside the security tooling that organisations depend on to detect threats — and used an incomplete credential rotation as the door back in. The practical lesson for defenders is that supply chain integrity requires pinned dependencies, verified checksums, cryptographic attestation, and atomic credential rotation, not routine patching alone.

