TeamPCP Compromised Dev Tools to Steal Cloud Credentials


FBI: TeamPCP Compromised Dev Tools to Steal Cloud Credentials

Pierluigi Paganini
July 04, 2026

FBI says TeamPCP poisoned trusted developer tools to steal cloud credentials, spread malware through software updates, and extort victims.

On July 2, 2026, the FBI published a FLASH alert identifying the criminal group called TeamPCP and detailing how it compromised widely used developer and security tools to steal credentials from victim environments at scale. The targets weren’t end users. They were the tools developers trust every day inside their build pipelines.

TeamPCP is behind multiple supply chain attacks, in the past, they targeted PyPI packages and NPM repositories, and most recently the “Mini Shai-Hulud” campaign also caught two OpenAI employees. The pattern is consistent: go after the tools developers trust, poison the supply chain, and let the downstream damage multiply.

TeamPCP’s method was straightforward and effective: inject malicious code into legitimate software packages, push the trojanized versions through normal distribution channels, and wait for CI/CD pipelines to pull them in automatically. The modified tools installed credential-stealing malware and persistent backdoors without any visible sign that anything had changed.

“TeamPCP actors have conducted large-scale software supply chain compromises by targeting widely used developers and security tools, gaining access to victim environments and extracting sensitive data, including but not limited to cloud access tokens, SSH keys, and Kubernetes secrets.” FBI’s FLASH states.

The confirmed list of modified tools includes Trivy, a widely used container vulnerability scanner; KICS, a static analysis tool for infrastructure-as-code; LiteLLM, a popular library for routing requests across AI model APIs; and the Telnyx Python SDK.

These aren’t niche utilities. They’re commonly integrated into enterprise CI/CD pipelines, cloud infrastructure workflows, and security scanning processes. Hitting them means hitting a large number of organizations simultaneously through a single poisoned update.

The group also deployed four distinct malware families. CanisterWorm harvested cloud access tokens, credentials, and API keys for AWS, GCP, and Azure. SANDCLOCK extracted AWS credentials, Kubernetes ServiceAccount tokens, local environment variables, and cryptocurrency wallet data. Mini Shai-Hulud was a self-replicating worm designed to spread across both npm and PyPI registries. Miasma was a variant of Mini Shai-Hulud that propagated across those same open-source registries while harvesting credentials and poisoning configuration files.

The worm component is the part that deserves particular attention. Mini Shai-Hulud and its Miasma variant didn’t just infect the initial target and stop. They spread across open-source package registries autonomously, harvesting credentials and poisoning configuration files as they went. The FBI confirmed two GitHub repository names used for exfiltration: tpcp-docs and docs-tpcp. If either of those repository names appears in your GitHub organization, the worm created it using stolen credentials.

“By weaponizing these supply chain entry points, the threat actors were able to introduce malicious code into victim environments at scale. TeamPCP has also engaged in extortion and collaboration with cyber actors from other threat actor groups, including publishing victim names on a public leak site and threatening disclosure of stolen data.” states the alert.

The FBI warns that credentials and data stolen in this campaign should be considered permanently compromised, as they could be reused by TeamPCP or affiliated threat actors in future attacks, even months or years after the initial breach.

“Organizations impacted by this campaign should treat exfiltrated data and credentials as a persistent risk, as affiliated threat actors are likely to weaponize them long after the initial compromise.” concludes the alert.

That’s not a hypothetical. It means credentials stolen in this campaign may surface in attacks months or years from now, even after the immediate incident is closed.

How they got into npm accounts?

One technique the FBI specifically flags is worth calling out: TeamPCP exploited npm package maintainer accounts by targeting stale or expired recovery email domains. If a developer registered an npm account years ago with a work email that’s since been decommissioned, the domain may be available for registration. Whoever registers it can use the password reset flow to take over the npm account and publish malicious versions of whatever packages that maintainer owns. It’s an old technique, and it still works because nobody audits their old recovery emails.

The four CVEs associated with this campaign are CVE-2026-33634, CVE-2026-48027, CVE-2026-45321, and CVE-2025-55182. Six IP addresses appear in the indicators: 83.142.209.11, 45.148.10.212, 83.142.209.194, 83.142.209.203, 94.154.172.43, and 67.217.57.240. The indicator set also includes 27 file hashes and a set of domains including checkmarx[.]zone, models.litellm[.]cloud, git-tanstack[.]com, and recv.hackmoltrepeat[.]com, among others. The indicators in this alert are derived from Palo Alto Unit 42’s technical research into the campaign.

The FBI’s recommendations focus on the specific mechanisms TeamPCP exploited. Pin GitHub Actions workflows to verified commit SHA hashes rather than floating version tags, since floating tags can be redirected to point at malicious commits without changing the reference in your workflow file. Rotate all CI/CD secrets, publishing tokens, and cloud credentials that were accessible during the campaign’s active window. Enforce least-privilege permissions on CI/CD service accounts and scope registry publishing tokens to prevent them from being used across repositories.

Require phishing-resistant MFA on all accounts with code repository or package registry publishing access. Enforce a minimum package age threshold of at least seven days across package installation environments, which gives the community time to detect and report malicious versions before they propagate widely. Audit npm maintainer accounts for stale or expired recovery email domains. Implement runtime behavioral monitoring on CI/CD pipeline runners to catch unexpected outbound network connections.

On credential hygiene specifically: store secrets in dedicated encrypted secret managers, not in code or configuration files; prefer temporary credentials over static ones; rotate everything immediately after any suspected compromise; and scan repositories and logs for exposed secrets with automated tooling.

“TeamPCP has also engaged in extortion and collaboration with cyber actors from other threat actor groups, including publishing victim names on a public leak site and threatening disclosure of stolen data.” The FLASH concludes.

That collaboration angle means the stolen data has already been shared beyond the original group.

Organizations that believe they’ve been hit should report to their local FBI field office or to IC3 at ic3.gov, and should retain CI/CD pipeline logs, network logs, affected package names and versions, any exposed credentials, and any extortion communications they’ve received.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, TeamPCP)







Source link

Leave a Reply

Subscribe to Our Newsletter

Get our latest articles delivered straight to your inbox. No spam, we promise.

Recent Reviews


gettyimages-647882122

S847/iStock / Getty Images Plus

Follow ZDNET: Add us as a preferred source on Google.


ZDNET’s key takeaways

  • Staff who use AI can end up with more to do, not less.
  • Think carefully about the tools you’re using and why.
  • Adopt a set of standards and refine your outputs.

The promise of productivity boosts from AI can come with an unwelcome side order of stress. Harvard Business Review found that AI doesn’t reduce work; it intensifies it, leading to cognitive fatigue and unsustainable hours.

While the common perception is that AI can help reduce workloads, allowing employees to focus more on higher-value and more engaging tasks, HBR’s research found that staff using AI worked more quickly and often ended up with more to do, not less.

Also: Forget productivity: Here are 5 strategic shifts that drive real AI value

While we’ve written about how some professionals are finding ways to turn AI’s time-saving magic into a productivity superpower, we’ve also recognized that some employees have started to become tired with the low quality of AI outputs.

Ankur Anand, group CIO at tech recruiter Harvey Nash, said professionals who want to avoid cognitive fatigue must understand how to use AI effectively and its potential risks.

“That focus will help to reduce the noise around the workload that AI creates,” he told ZDNET, suggesting that many people have unrealistic expectations about the productivity boost that AI will provide.

Also: Why I ditched Copilot for Claude in Word, Excel, and PowerPoint – and how you can, too

“Many organizations are telling their people, ‘We want to understand how you’re making an impact with AI,'” he said. “But these professionals are not empowered, which means that using AI adds a lot of pressure, because they need to prove themselves on their own terms.”

If you’re going to make the most of AI at work, then you’re going to have to find an effective balance between completing tasks quickly and producing high-quality work. 

Here’s how the experts believe professionals can ensure they reap the benefits, not the problems, of AI — and they suggest that you’ll need to focus on three core areas: tools, guidelines, and outputs.

Limit your toolset

Alex Read, senior enterprise product manager for data at energy provider EDF UK, told ZDNET that the best way for professionals to reap the benefits, not the challenges, of AI is to be uber-focused on tools that help you produce value in your roles.

While there are thousands of potential AI-enabled services on the market, Read said sensible professionals limit their horizons.

Also: How this travel company’s AI rollout drove a 73% satisfaction boost: A 5-step playbook for your business

In his own role, for example, Read focuses on how AI can help him build a data platform and update information accurately, efficiently, and productively: “Anything outside of that scope is noise for me.”

That sentiment resonated with Nick Pearson, CIO at technology specialist Ricoh Europe, who told ZDNET it’s important to take a step back and think carefully about how an AI tool can help you produce value in your role.

“If you think about the phrase ‘gen AI,’ the tech is very good, by definition, at generating outputs,” he said. “I could go to bed in the evening, set the model to work, and we could have four new IT strategies produced overnight.”

Also: Worried AI agents will replace you? 5 ways you can turn anxiety into action at work

However, quantity doesn’t necessarily mean quality. Pearson suggested it’s important to focus on AI’s blind spots, particularly as most models are trained on preexisting content.

“AI can’t inspire people, per se; it can’t naturally create something new, because it’s actually quite recursive,” he said.

“And the judgment you have to put in sometimes, on top of everything else, whether it be an ethical or a capability judgment, is not there automatically in the technology.”

It’s in this gap, said Pearson, that human experts play a critical role: “We’re toying with that concern as an organization and saying, ‘Where does AI really play an important role, versus where are we upskilling people in areas that AI probably won’t play for a long time?'”

Work to the guidelines

HBR’s research found that an initial productivity surge when AI is adopted can lead to lower-quality work, turnover, and other problems as people work harder rather than smarter.

To correct this issue, HBR said companies need to adopt an “AI practice,” or a set of norms and standards around AI use that help professionals ensure they use AI in a constrained but productive manner.

Also: 90% of AI projects fail – here are 3 ways to ensure yours doesn’t

At EDF UK, Read is part of an internal AI Center of Excellence in enterprise IT, which enables policy for the effective use of AI across the wider organization. 

In addition to Read, who contributes input from a data-use perspective, the group includes other tech representatives, such as the firm’s senior manager of AI, principal software engineer, and principal solution architect.

“The remit of this center is to make sure that, when the federated business units are looking to build, develop, and deploy AI services, they have platforms, guidance, best practices, architectural assets, and materials to guide them on how to safely and efficiently adopt AI and operationalize it at scale,” he said.

Some of the key themes the center considers when assessing AI tools are scalability and reusability, ensuring a proposed service doesn’t replicate one already in use.

Also: 5 ways to use AI when your budget is tight

“All new tools and services related to AI will go through that hopper and funnel to understand scope and ensure the security, regulatory, and ethical side of things are understood,” he said, suggesting that all professionals should use their organization’s pre-existing guidelines to foster an appropriate exploitation of emerging tech.

“The benefit that guided approach brings is that it allows us to be clear in our messaging around what AI services can be used, how they’re used from a use-case perspective, and ultimately, what personas are allowed to use them.”

Refine your outputs

Even when tools are assessed and considered acceptable, there can still be an overreliance on AI outputs. Worse, some professionals can drown in the insights they receive, leading to higher stress and fewer benefits.

Louise Newbury-Smith, head of UK&I at technology specialist Zoom, told ZDNET that one way to ensure your outputs are constrained is to focus on prompting.

“Use simple amendments to be specific, such as ‘Give me the top three things with the biggest impact.’ That approach should guide your prompt, rather than saying, ‘Give me everything you know about this topic.'”

Also: 5 ways to fortify your network against the new speed of AI attacks

Newbury-Smith said the successful use of AI is all about being smart about how it’s exploited, and that effectiveness comes down to enablement and engagement. If a prompt yields too much information, refine it until you get what you need. She said this should still be faster than trying to get answers without AI.

The basic message for professionals is that effective applications of AI are all about you staying in the loop, said Bernhard Seiser, vice president of digital, data, and IT at AOP Health.

Think before you use AI, and think again before you push your outputs around the organization.

“It doesn’t help the business if you get AI-generated emails that are many pages long, and then you need ChatGPT to summarize the text,” he told ZDNET.

Seiser said that while there are certain tasks generative AI is good at and worth using for, in the end, “you need to use your brain.”





Source link