Threat Advisory

TeamPCP Supply Chain Attack Extracts Kubernetes API Tokens from Open Source Registries

Threat: Supply Chain Attack
Threat Actor Type: TeamPCP
Targeted Region: Global
Alias: DeadCatx3, PCPcat, ShellForce
Targeted Sector: Technology & IT
Criticality: High
[subscribe_to_unlock_form]


EXECUTIVE SUMMARY:

A software supply chain compromise has been observed involving the group TeamPCP, which targets widely used developer tools and security-related packages. The campaign focuses on infiltrating trusted software distribution ecosystems by exploiting CVE-2026-33634, CVE-2026-48027, CVE-2026-45321, and CVE-2025-55182 to deliver malicious updates that appear legitimate while secretly enabling unauthorized access to victim environments. The primary objective of the activity is to compromise enterprise development pipelines and extract sensitive credentials and operational data at scale, creating long-term access to affected systems.[/subscribe_to_unlock_form]


EXECUTIVE SUMMARY:

A software supply chain compromise has been observed involving the group TeamPCP, which targets widely used developer tools and security-related packages. The campaign focuses on infiltrating trusted software distribution ecosystems by exploiting CVE-2026-33634, CVE-2026-48027, CVE-2026-45321, and CVE-2025-55182 to deliver malicious updates that appear legitimate while secretly enabling unauthorized access to victim environments. The primary objective of the activity is to compromise enterprise development pipelines and extract sensitive credentials and operational data at scale, creating long-term access to affected systems.[emaillocker id="1283"]

The attackers achieved compromise by injecting malicious code into legitimate open-source and developer tools, including components commonly used in CI/CD pipelines and cloud-native environments. Once integrated, these trojanized packages delivered hidden payloads capable of harvesting high-value secrets such as cloud access tokens, SSH keys, Kubernetes credentials, and environment variables. Multiple malicious modules were identified, including credential-harvesting tools designed to target major cloud platforms and cryptocurrency wallets, as well as self-propagating mechanisms that spread across package repositories like npm and PyPI. Variants of the malware exhibited worm-like behavior, enabling cross-ecosystem propagation while also modifying configuration files to maintain persistence and broaden infection scope. In addition, the activity involved data theft tooling capable of extracting sensitive authentication material from developer systems and cloud services, which was then exfiltrated for later exploitation or extortion.

This campaign demonstrates a high-impact supply chain threat capable of compromising large-scale software ecosystems through trusted development pipelines. The ability to weaponize widely used tools significantly increases the blast radius of infection, placing both primary targets and downstream users at risk. Organizations exposed to this activity should assume long-term compromise of credentials and secrets, as stolen data may be reused or monetized by affiliated threat actors. Strengthening software integrity controls, validating dependencies, and continuously monitoring development environments are essential to reducing exposure to similar supply chain intrusions.

 

THREAT PROFILE:

Tactic Technique Id Technique Sub-technique
Initial Access T1195.002 Supply Chain Compromise Compromise Software Supply Chain
Execution T1059.006 Command and Scripting Interpreter Python
Persistence T1547.001 Boot or Logon Autostart Execution Registry Run Keys / Startup Folder
Stealth T1027.010 Obfuscated Files or Information Command Obfuscation
Credential Access T1552.001 Unsecured Credentials Credentials In Files
T1555.003 Credentials from Password Stores Credentials from Web Browsers
T1528 Steal Application Access Token -
Discovery T1087.004 Account Discovery Cloud Account
Lateral Movement T1210 Exploitation of Remote Services -
Exfiltration T1041 Exfiltration Over C2 Channel -
Impact T1486 Data Encrypted for Impact -

 

REFERENCES:

The following reports contain further technical details:

https://securityonline.info/teampcp-supply-chain-attack/

https://www.ic3.gov/CSA/2026/260702.pdf

[/emaillocker]
crossmenu