TEAMPCP

ISSUE #1

Origin & Profile

ACTIVE SINCE SEP 2025

The Origin

Emerged targeting exposed cloud APIs — Docker, Kubernetes, Ray, Redis. December 2025 pivot: mass-exploits React2Shell (CVE-2025-55182, CVSS 10.0), a critical RCE in React Server Components. Key operative MegaGame10418 exploited a PwnRequest vulnerability in Trivy's CI on Feb 27, 2026 — stealing the PAT that seeded the entire supply chain campaign.

Financially MotivatedSupply Chain

SIGNATURE MOVE

Cascade Compromise

Compromise one trusted security scanner → harvest CI/CD tokens from thousands of pipelines → infect the downstream packages those developers maintain. Self-attribution in payload: "TeamPCP Cloud stealer". Anti-attribution: exits immediately if Russian locale detected.

ICP Blockchain C2Self-Spreading Worm

CRIMINAL NETWORK

The Alliance

Partnerships with CipherForce (proprietary ransomware), Vect ransomware group, and LAPSUS$ extortion network. Functions as an access generation engine feeding multiple ransomware ecosystems simultaneously. Telegram @teampcp grew 700 → 1,180+ during the March 2026 campaign wave.

Vect RansomwareCipherForceLAPSUS$

⚡ REACT2SHELL — CVE-2025-55182 — CVSS 10.0

Critical unauthenticated RCE in React Server Components + Next.js. Single crafted POST triggers server-side deserialization → arbitrary Node.js execution. Port 666 used in exploit operations. TeamPCP mass-exploited in December 2025 to build criminal cloud infrastructure across Docker, Kubernetes, Ray, Redis globally — the foundation for the 2026 supply chain series.

rescana.com →

🐱 nsa[.]cat + "TeamPCP Cloud stealer"

Attacker VPS nsa[.]cat identified in campaign infrastructure (ramimac.me). Self-attribution string "TeamPCP Cloud stealer" hardcoded in trivy-action payloads. Fallback: creates tpcp-docs repository in victim GitHub orgs as secondary exfil channel (Wiz). The cat-mask identity is consistent across artwork, social channels, and payload naming.

ramimac.me →

ISSUE #2

The Attack Chain

One misconfigured GitHub Action. Eight campaigns. Six ecosystems. One blockchain that can't be shut down.

Entry Point Credential Harvest Worm Spread Payload Deployed C2 Infrastructure Victim Machine

ISSUE #3

Nine Campaigns

00

React / Node.js

PRE-CAMPAIGN · DEC 2025

React2Shell — The Origin

CVSS 10.0 critical unauthenticated RCE in React Server Components + Next.js (CVE-2025-55182 + CVE-2025-29927). Single crafted POST triggers server-side deserialization → arbitrary Node.js code execution. TeamPCP mass-exploited at scale against Docker, Kubernetes, Ray, Redis deployments globally. Port 666 used in exploitation operations. This campaign built the criminal cloud infrastructure deployed in the 2026 supply chain series. Simultaneously, operative MegaGame10418 exploited a PwnRequest vulnerability in Trivy's CI on February 27, 2026, exfiltrating Aqua Security's Personal Access Token — the key that unlocked every campaign that followed.

CVE-2025-55182CVE-2025-29927MegaGame10418Port 666

Unit42 · Rescana · react2shell.com · ramimac.me

01

GitHub Actions

MARCH 19, 2026 · 17:43 UTC

Trivy Scanner Hijacked

PAT stolen via pull_request_target misconfiguration. Force-push over 75/76 trivy-action tags + 7 setup-trivy tags. Every CI/CD pipeline running Trivy that day had secrets harvested. Memory scraping via /proc/<pid>/mem bypasses GitHub secret masking. C2 typosquat: scan.aquasecurtiy[.]org. Fallback: tpcp-docs repo created in victim orgs. Trivy v0.69.5–v0.69.6 pushed to Docker Hub. CVE-2026-33634 (CVSS 9.4).

scan.aquasecurtiy[.]org45.148.10.212CVE-2026-33634tpcp.tar.gznsa[.]cat

Mend.io · Wiz · Unit42 · ramimac.me

02

npm

MARCH 20 · 20:45 UTC

CanisterWorm

First npm worm with ICP blockchain C2. Canister tdtqy-oyaaa-aaaae-af2dq-cai serves rotating payloads — no takedown point. Kill-switch returns YouTube URL. 66+ packages infected: @emilgroup (28), @opengov (16), @teale.io, @airtm, @pypestream. April 21 second wave: @automagik/genie, pgserve, @fairwords/websocket — second canister ID. pgmon systemd backdoor disguised as PostgreSQL monitor; 5-min sandbox delay, 50-min C2 poll.

tdtqy-oyaaa-aaaae-af2dq-caipgmon.service

Mend.io · Aikido

03

PyPI

MARCH 24

LiteLLM Poisoned

Trivy-poisoned CI handed TeamPCP PYPI_PUBLISH_PASSWORD for krrishdholakia. v1.82.7 + v1.82.8 (~95M monthly downloads). v1.82.8 escalates to .pth file in site-packages — fires on every Python startup even after uninstall. AES-256-CBC + RSA-2048. Kubernetes cluster escape via privileged pod (hostPID:true). Also: KICS (35 tags), Checkmarx AST v2.3.28.

models.litellm.cloudcheckmarx.zonelitellm_init.pth

Mend.io · ReversingLabs · Datadog

04

PyPI

MARCH 27

Telnyx — WAV Steganography

telnyx v4.87.1 + v4.87.2. Novel delivery: payload XOR-encoded inside fake .wav audio files fetched live at runtime — ringtone.wav (Linux/macOS), hangup.wav (Windows). Same C2 IP as LiteLLM: 83.142.209.203:8080, identical RSA key, same exfil archive name. Windows: msbuild.exe dropped into Startup folder, CREATE_NO_WINDOW, hidden lock file — no admin required. Linux: detached subprocess with start_new_session=True. Same wave: Checkmarx VS Code extensions (checkmarx.ast-results v2.53) published to Open VSX (ReversingLabs).

83.142.209.203:8080ringtone.wavhangup.wavmsbuild.exe (Startup)

Mend.io · ReversingLabs · Akamai

05

PyPI

APRIL 22, 2026

Xinference — "That Wasn't Us"

xinference 2.6.0–2.6.2 targeting AI inference infrastructure. Fire-and-forget: no persistence, no encryption — data gzipped as love.tar.gz, POSTed raw with custom header X-QT-SR: 14 to whereisitat.lucyatemysuperbox.space. Full AWS Sig4 implementation queries Secrets Manager + SSM Parameter Store directly. Exhaustive crypto wallet sweep including Solana validator keypairs. First decoded line of payload: # hacked by teampcp. Plot twist: @pcpcats publicly denied responsibility on Twitter — "if you're this copycat using our team name, DM me." First time a TeamPCP-attributed payload was publicly disputed by the group itself. Possible copycat, false flag, or deniability operation. KICS Docker images also compromised the same day (Socket.dev).

whereisitat.lucyatemysuperbox.spaceX-QT-SR: 14love.tar.gz# hacked by teampcp@pcpcats denial

Mend.io · GitGuardian

06

npm

APRIL 23, 2026

@bitwarden/cli — The CI Chain

Chain: KICS Docker → Bitwarden pull_request_target (id-token: write) → stolen GitHub OIDC → unsigned commit impersonating iinuwa@bitwarden.com → double-base64 npm token leaked in CI logs → @bitwarden/cli@2026.4.0 published 4 minutes later. C2 typosquat: audit.checkmarx.cx (named after the entry tool, vs real checkmarx.com). Test account helloworm00@proton.me validated beautifulcastle GitHub dead-drop channel 2 days prior. 9.7MB obfuscator.io payload: 43,436-entry string table, PBKDF2 S-box cipher for 58 sensitive strings, 6 gzip blobs. New capability: AI assistant poisoning writes invisible payload to shell configs that surface in AI context windows.

audit.checkmarx.cxhelloworm00@proton.mebeautifulcastle C2api.cloud-aws.adc-e.uk

Mend.io · JFrog · Socket.dev

07

npm

APRIL 29, 2026 · 11:23 UTC

Shai-Hulud — SAP cap-js via Claude Code

Most novel vector yet: malware detected Claude Code's GitHub integration running on an infected SAP developer machine and hijacked it — committing as claude@users.noreply.github.com with no token theft required. 11:23 UTC malicious commit 0a3dd44d. Modified release-please.yml to extract short-lived npm OIDC tokens — stripped SLSA provenance. By 11:25 UTC four packages published: @cap-js/sqlite@2.2.2, @cap-js/postgres@2.2.2, @cap-js/db-service@2.10.1, mbt@1.2.48. 12:12 UTC: persistence deployed via .claude/settings.json SessionStart hook re-running .vscode/setup.mjs dropper on every future IDE launch. Payload: preinstall hook → setup.mjs dropper; obfuscation upgraded to 49,093-entry string table + PBKDF2/SHA256 S-box cipher + 6 gzip blobs; 39 target paths including ~/.claude.json and ~/.kiro/settings/mcp.json. Python memory dumper targets Runner.Worker process in CI. Self-propagation: enumerates npm tokens → injects into accessible packages → republishes as package-updated.tgz. Repo descriptions read: "A Mini Shai-Hulud has Appeared" (Dune universe naming). SAP emergency response 13:33 UTC; clean releases by 13:45.

claude@github.claude/settings.jsonNo SLSA provenancesetup.mjsapi.cloud-aws.adc-e.ukpackage-updated.tgz

Mend.io · BleepingComputer · The Hacker News

08

PyPI · npm · Packagist

APRIL 30, 2026 — CROSS-ECOSYSTEM

Mini Shai-Hulud — Three Ecosystems, One Day

Three ecosystems hit simultaneously on April 30. Root cause: an Intercom developer installed pyannote-audio, which pulled in compromised lightning@2.6.2 (PyPI) as a transitive dependency — giving attackers a GitHub token. From there: intercom-client@7.0.4 (npm, ~360K weekly downloads) trojanized via compromised GitHub account nhur using fake Dependabot commit conventions. Within hours: intercom/intercom-php@5.0.2 (Packagist, ~285K installs/month) converted to a Composer plugin executing on post-install-cmd. All three share the same 11.7 MB obfuscated router_runtime.js payload — bootstrapped by Bun v1.3.13 downloaded from GitHub, exfiltrating via GitHub API (RSA-encrypted) with fallback to zero.masscan.cloud:443. New targets: crypto wallets (Bitcoin, Monero, Exodus, Ledger), VPN configs (NordVPN, ProtonVPN), Discord/Slack sessions. Repository poisoning injects .claude/router_runtime.js + .claude/settings.json into up to 50 branches per repo, committed as claude@users.noreply.github.com. Payload strings: "A Mini Shai-Hulud has Appeared", "EveryBoiWeBuildIsAWormyBoi", "Exiting as russian language detected!" (same anti-attribution geofence as CanisterWorm). Attribution: onion link in GitHub disclosures claimed TeamPCP + LAPSUS$ involvement.

lightning@2.6.2/2.6.3intercom-client@7.0.4intercom/intercom-php@5.0.2zero.masscan.cloudrouter_runtime.jsnhur (GitHub)claude@github commits

Socket.dev · Aikido · Socket.dev (intercom)

ISSUE #4

Infrastructure & Arsenal

C2 ARCHITECTURE

Command & Control

tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io — ICP blockchain canister. No takedown. Methods: get_latest_link, update_link.
checkmarx[.]zone — LiteLLM backdoor polling (~50 min interval)
83.142.209.203:8080 — LiteLLM + Telnyx exfil server
scan.aquasecurtiy[.]org → 45.148.10.212 — Trivy C2 typosquat
audit.checkmarx[.]cx — Bitwarden C2 typosquat
whereisitat.lucyatemysuperbox[.]space — Xinference exfil
api.cloud-aws.adc-e[.]uk — Fake AWS SDK partition
nsa[.]cat — Attacker VPS (ramimac.me)
Cloudflare Tunnels — GitHub Actions exfil (Unit42)
tpcp-docs — Fallback repo in victim GitHub orgs
zero[.]masscan[.]cloud:443/v1/telemetry — Mini Shai-Hulud exfil (AES-256-GCM + RSA-OAEP)

PERSISTENCE

Foothold Mechanisms

~/.local/share/pgmon/service.py + systemd — CanisterWorm. 5-min delay, 50-min poll.
litellm_init.pth in site-packages — fires on Python start after uninstall
~/.config/sysmon/sysmon.py + systemd — LiteLLM polling backdoor
%APPDATA%\...\Startup\msbuild.exe — Telnyx Windows, no admin
.claude/settings.json SessionStart hook — re-infects on IDE open
.vscode/setup.mjs — dropper paired with Claude Code hook

CUSTOM ARSENAL

Toolset

Bun v1.3.13 — from GitHub CDN, keeps dropper clean
obfuscator.io — 43K–49K string tables, PBKDF2 S-box, gzip blobs
WAV steganography — XOR-encoded payload in audio frames
TruffleHog — post-exfil credential validation (Wiz)
Nord Stream tool — branch: dev_remote_ea5Eu/test/v1
Mullvad VPN — 138.199.15.172, 154.47.29.12, 170.62.100.245
Russian locale exit — LANG/LC_ALL anti-attribution geofencing
AI poisoning — shell config writes that land in AI context

ISSUE #5

Indicators of Compromise

Domain / URL	Purpose	Campaign
`scan.aquasecurtiy[.]org`	Trivy C2 (typosquat aquasecurity)	Trivy
`checkmarx[.]zone`	KICS/LiteLLM C2 polling + VSX exfil	LiteLLM
`models.litellm[.]cloud`	LiteLLM primary exfil	LiteLLM
`audit.checkmarx[.]cx`	Bitwarden C2 (typosquat checkmarx.com)	Bitwarden
`whereisitat.lucyatemysuperbox[.]space`	Xinference exfil	Xinference
`api.cloud-aws.adc-e[.]uk`	Fake AWS SDK partition redirect	Bitwarden / cap-js
`tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0[.]io`	ICP canister C2 — no takedown	CanisterWorm
`nsa[.]cat`	Attacker VPS	Campaign infra
`zero[.]masscan[.]cloud`	Mini Shai-Hulud exfil (:443/v1/telemetry)	Mini Shai-Hulud

IP	Notes	Source
`45.148.10.212`	TECHOFF SRV LIMITED, Amsterdam — Trivy C2	Wiz
`83.142.209.203`	LiteLLM + Telnyx exfil (:8080)	Mend.io
`83.142.209.11`	checkmarx[.]zone resolution	Sysdig
`23.142.184.129`	TeamPCP infrastructure	Unit42
`63.251.162.11`	TeamPCP infrastructure	Unit42
`195.5.171.242`	TeamPCP infrastructure	Unit42
`138.199.15.172`	Mullvad VPN (Datacamp Ltd)	Wiz
`154.47.29.12`	Mullvad VPN exit	Wiz
`170.62.100.245`	Mullvad VPN exit	Wiz
`193.32.126.157`	Mullvad VPN exit	Wiz
`105.245.181.120`	Vodacom callback proxy	Wiz

Package	Version(s)	Ecosystem
`aquasecurity/trivy-action`	75/76 tags hijacked	GitHub Actions
`aquasecurity/setup-trivy`	7 tags hijacked	GitHub Actions
`checkmarx/kics-github-action`	All 35 tags	GitHub Actions
`checkmarx/ast-github-action`	v2.3.28	GitHub Actions
`litellm`	1.82.7, 1.82.8	PyPI
`telnyx`	4.87.1, 4.87.2	PyPI
`xinference`	2.6.0, 2.6.1, 2.6.2	PyPI
`@bitwarden/cli`	2026.4.0	npm
`@cap-js/sqlite`	2.2.2	npm
`@cap-js/postgres`	2.2.2	npm
`@cap-js/db-service`	2.10.1	npm
`mbt`	1.2.48	npm
`checkmarx.ast-results`	v2.53	Open VSX
`checkmarx.cx-dev-assist`	v1.7.0	Open VSX
`@emilgroup/*` (28 pkgs)	Worm-infected	npm
`@opengov/*` (16 pkgs)	Worm-infected	npm
`@automagik/genie`	4.260421.33–39	npm (Apr 21)
`pgserve`	1.1.11–1.1.13	npm (Apr 21)
`@fairwords/websocket`	1.0.38, 1.0.39	npm (Apr 21)
`lightning`	2.6.2, 2.6.3	PyPI (Apr 30)
`intercom-client`	7.0.4	npm (Apr 30)
`intercom/intercom-php`	5.0.2	Packagist (Apr 30)

Path / Artifact	Description
`~/.local/share/pgmon/service.py`	CanisterWorm C2 backdoor (pgmon masquerade)
`~/.config/systemd/user/pgmon.service`	CanisterWorm systemd persistence
`litellm_init.pth` (site-packages)	Fires on every Python start after uninstall
`~/.config/sysmon/sysmon.py`	LiteLLM polling backdoor
`/tmp/pglog`	Payload execute target (both backdoors)
`/tmp/.pg_state`	C2 state tracking file
`tpcp.tar.gz`	Self-referential exfil archive
`love.tar.gz`	Xinference exfil archive
`%APPDATA%\...\Startup\msbuild.exe`	Telnyx Windows startup, hidden lock
`.claude/settings.json`	SAP cap-js SessionStart hook re-fires on IDE open
`.vscode/setup.mjs`	Shai-Hulud dropper copy paired with Claude Code hook
`package-updated.tgz`	Worm self-republish artifact (SAP wave)
`tmp.987654321.lock`	Anti-double-execution lock (Shai-Hulud)
`config.mjs`	Bun runtime download logic (Shai-Hulud)
`tpcp-docs` (GitHub repo)	Fallback exfil in victim GitHub org
`.claude/router_runtime.js`	Mini Shai-Hulud 11.7 MB obfuscated payload (repo-poisoning)
`.claude/settings.json` (Mini Shai-Hulud)	Injected into up to 50 branches per repo
`setup-intercom.sh`	Packagist dropper — downloads Bun 1.3.13, runs router_runtime.js
`src/composerPlugin.php`	Converts intercom-php into Composer plugin for post-install execution

SHA256	Notes
`30015DD1E2CF4DBD49FFF9DDEF2AD4622DA2E60E5C0B6228595325532E948F14`	Self-signed TLS cert (Telnyx wave)
`41C4F2F37C0B257D1E20FE167F2098DA9D2E0A939B09ED3F63BC4FE010F8365C`	Self-signed TLS cert (Telnyx wave)
`D8CAF4581C9F0000C7568D78FB7D2E595AB36134E2346297D78615942CBBD727`	Self-signed TLS cert (Telnyx wave)

Account / Identity	Details
`@pcpcats`	Twitter/X — posted xinference denial; monitor for campaign announcements
`@teampcp` (Telegram)	Primary channel — grew 700 → 1,180+ during March 2026 wave
`@Persy_PCP` (Telegram)	Earlier/secondary Telegram identity (Flare.io, ramimac.me)
`MegaGame10418`	Operative who exploited Feb 27 PwnRequest to steal Aqua PAT
`helloworm00@proton.me`	GitHub test account — validated beautifulcastle C2 channel Apr 20
`claude@users.noreply.github.com`	Claude Code identity hijacked to commit to SAP cap-js
`aqua-bot`	Compromised Aqua service account used in Trivy tag spoofing
`iinuwa@bitwarden.com`	Real Bitwarden developer impersonated in unsigned CI commit
`krrishdholakia`	LiteLLM PyPI maintainer — credentials stolen via Trivy-poisoned CI
`nhur`	Compromised GitHub account — used to publish intercom-client@7.0.4
`tdtqy-oyaaa-aaaae-af2dq-cai`	ICP canister ID — CanisterWorm primary C2
`cjn37-uyaaa-aaaac-qgnva-cai`	ICP canister ID — April 21 wave (The Register)

ISSUE #6

MITRE ATT&CK®

T1195.001Supply Chain Compromise: Develop ToolsInitial Access T1059.007JavaScript (postinstall/preinstall hooks)Execution T1059.006Python (.pth import-time execution)Execution T1547.013XDG Autostart / systemd User ServicePersistence T1036Masquerading (pgmon, msbuild.exe, typosquat domains)Defense Evasion T1027Obfuscated Files (triple base64, PBKDF2 cipher, gzip)Defense Evasion T1552.001Credentials in Files (SSH, .npmrc, .env, cloud configs)Credential Access T1552.005Cloud IMDS API (AWS IMDS + Secrets Manager)Credential Access T1611Escape to Host (privileged K8s pod, host FS mount)Privilege Escalation T1102Web Service (ICP blockchain as C2 dead-drop)C2 T1041Exfil Over C2 Channel (AES-256+RSA-4096 tpcp.tar.gz)Exfiltration T1098Account Manipulation (Claude Code hook injection)Persistence

ISSUE #7

Origin & Profile

The Origin

Cascade Compromise

The Alliance

The Attack Chain

Nine Campaigns

Infrastructure & Arsenal

Command & Control

Foothold Mechanisms

Toolset

Indicators of Compromise

MITRE ATT&CK®

Sources

Mend.io Series

External Research