DEV Community

Cover image for One Stolen Token. Five Ecosystems. The TeamPCP Supply Chain Attack Is Still Spreading.
Nick Stocks
Nick Stocks

Posted on • Originally published at mistaike.ai

One Stolen Token. Five Ecosystems. The TeamPCP Supply Chain Attack Is Still Spreading.

#security #supplychain #cve #aiinfrastructure

On March 19, a threat actor group called TeamPCP used a compromised GitHub service account to force-push malicious code to 76 of 77 version tags for Trivy — one of the most widely-used security scanners in CI/CD pipelines.

Ten days later, five ecosystems are compromised — GitHub Actions, Docker Hub, npm, Open VSX, and PyPI — and the attack is still expanding.

What makes this different from a typical supply chain incident is the mechanism: each compromise harvests credentials that fuel the next one. It's not a single point of failure. It's a self-propagating chain where every breached package becomes both victim and vector.

Two days ago we covered the LiteLLM incident in isolation. Since then, the picture has changed. This is a coordinated campaign by a single actor, and its scope is significantly wider than any individual incident suggested.

The Cascade

Here is the timeline, based on analysis from Datadog Security Labs, SANS, Arctic Wolf, and Endor Labs.

March 19 — Trivy (GitHub Actions, Docker Hub)

TeamPCP had compromised Aqua Security's aqua-bot service account at an unknown earlier date. On March 19, they used it to force-push malicious code to 75 of 76 version tags in aquasecurity/trivy-action and all 7 tags in aquasecurity/setup-trivy. Any CI/CD pipeline that ran trivy-action@v1 or any non-pinned tag after this point executed the attacker's code instead of the real scanner.

The payload was a three-stage credential stealer. It swept environment variables, .env files, shell histories, SSH keys, cloud provider credentials, and Kubernetes tokens. Stolen data was encrypted with AES-256-CBC + RSA-4096 (OAEP padding) and exfiltrated as tpcp.tar.gz.

March 23 — Checkmarx KICS (GitHub Actions, npm, Open VSX)

Using CI/CD secrets harvested from the Trivy compromise, TeamPCP pivoted to Checkmarx. They compromised two GitHub Actions repositories — ast-github-action and kics-github-action — along with related npm packages and Open VSX extensions. Sysdig documented that over 66 npm packages were poisoned through a self-propagating worm component they call CanisterWorm. Stolen npm tokens from compromised CI/CD environments were automatically weaponized to infect victim-maintained packages — creating new upstream compromises without attacker intervention.

This is where the attack shifted from targeted to exponential.

March 24 — LiteLLM (PyPI)

LiteLLM's CI/CD pipeline ran unpinned Trivy. The compromised scanner injected malicious code into LiteLLM's build process. Versions 1.82.7 and 1.82.8 were pushed to PyPI through what appeared to be a legitimate maintainer account.

LiteLLM processes roughly 95 million downloads per month and sits between applications and their LLM providers — OpenAI, Anthropic, AWS Bedrock, GCP Vertex AI. It has access to every API key configured in the deployment. The credential harvester did not need to be sophisticated. It was already in the room where the secrets live.

Version 1.82.8 was the higher-risk package: it used a .pth file that executes automatically when the Python interpreter starts, not just when the package is imported.

The attack window was approximately 5.5 hours (10:39–16:00 UTC on March 24). LiteLLM's post-incident report confirms they've engaged Mandiant for forensic analysis.

March 27 — Telnyx (PyPI)

Three days after LiteLLM, TeamPCP published malicious versions of the Telnyx Python SDK — versions 4.87.1 and 4.87.2. Telnyx averages 742,000 downloads per month.

Endor Labs attributes this directly to the LiteLLM compromise: TeamPCP's credential harvester swept environment variables, .env files, and shell histories from every system that imported the poisoned LiteLLM packages. If any developer or CI pipeline had both LiteLLM installed and access to the Telnyx PyPI token, that token was already in TeamPCP's hands.

The Telnyx compromise introduced a new technique: audio file steganography.

Hiding Malware in a WAV File

The malicious code was injected into telnyx/_client.py, which runs at import time. No install hook. No postinstall script. Just import telnyx and the payload executes.

On execution, the malware downloads a file called hangup.wav from a remote server. The file looks like a normal WAV audio file. It is not.

According to StepSecurity's analysis and SafeDep's technical breakdown, the WAV file contains an XOR-obfuscated executable packed into the audio frame bytes using Python's built-in wave module:

  1. The malware reads the audio frame data from the WAV file
  2. The first 8 bytes of the decoded blob are the XOR key
  3. The remaining bytes are XOR'd against that key in a repeating pattern
  4. The result is a credential-stealing executable

On Linux and macOS, it runs a credential harvester that encrypts stolen data with AES-256-CBC + RSA-4096 before exfiltrating it. On Windows, it drops a persistent executable disguised as msbuild.exe into the Startup folder, with a 12-hour re-drop cooldown enforced by a hidden .lock file.

The steganography serves two purposes. First, it bypasses static analysis tools that don't inspect audio files. Second, the payload is unreadable without the XOR key, which is embedded in the data itself rather than hardcoded anywhere in the package source.

The First Blockchain C2 in the Wild

TeamPCP's command-and-control infrastructure is also unusual. According to SANS, the CanisterWorm component — the self-propagating npm worm — uses an Internet Computer Protocol (ICP) canister as a dead-drop C2. This is the first documented abuse of decentralized blockchain infrastructure for supply chain C2.

Traditional C2 takedown relies on domain seizure or hosting provider cooperation. A blockchain canister has no single point of takedown. The domain can't be seized because there is no domain. The hosting can't be pulled because the canister is replicated across a decentralized network.

The Extortion Pivot

As of March 25, SANS reports that TeamPCP has pivoted from credential theft to active extortion. The group is reportedly working through approximately 300 GB of compressed stolen credentials and collaborating with LAPSUS$ to target multi-billion-dollar companies.

Mandiant estimates that over 1,000 enterprise SaaS environments have been impacted, with the number expected to grow to 5,000–10,000 as the full downstream impact of the credential cascade becomes clearer.

The campaign is not over. Each compromised package that harvested credentials created a pool of tokens that can be used to compromise the next target. The attack surface grows with every installation.

Why This Attack Worked

Three structural factors made this cascade possible.

Unpinned dependencies in CI/CD. LiteLLM's CI pipeline ran Trivy without pinning to a specific version or verifying checksums. When TeamPCP replaced the tag contents, LiteLLM's build pulled the malicious version automatically. Every pipeline that uses @v1 or @latest tags for GitHub Actions has this exact exposure.

CI/CD environments are credential-rich. A typical CI/CD environment has access to package registry tokens, cloud provider credentials, database passwords, API keys, and deployment secrets. The credential harvester didn't need to know what it was looking for — it swept everything and let the attacker sort it out later.

No ecosystem-level circuit breaker. Once TeamPCP had valid PyPI tokens, they could publish new versions of any package those tokens had access to. PyPI has no mechanism to detect that a previously-legitimate maintainer's credentials are being used by an attacker. Neither does npm, Docker Hub, or the GitHub Actions marketplace. Each ecosystem trusts its own authentication, and none of them talk to each other.

The result is a supply chain attack that propagates across ecosystem boundaries. Compromised GitHub Actions yield PyPI tokens. Compromised PyPI packages yield npm tokens. Compromised npm packages yield more GitHub tokens. The chain feeds itself.

What To Do

If you run Trivy in CI/CD:

  • Check whether your pipelines used unpinned trivy-action tags between March 19 and March 22
  • If they did, treat the CI environment as fully compromised and rotate all secrets it had access to
  • Pin GitHub Actions to full commit SHAs, not version tags. Tags can be force-pushed. Commit hashes cannot
  • Microsoft's guidance has detection queries for Azure, Defender, and Sentinel

If you installed LiteLLM from PyPI:

  • Check whether v1.82.7 or v1.82.8 was installed during the March 24 window
  • If either version was installed on any system: full credential rotation — cloud providers, API keys, database passwords, SSH keys, Kubernetes tokens
  • Audit for outbound connections to models.litellm[.]cloud

If you use the Telnyx Python SDK:

  • Versions 4.87.1 and 4.87.2 are malicious. Downgrade to 4.87.0 immediately
  • The package is currently quarantined on PyPI
  • If either version was installed: rotate all credentials in the environment, check for msbuild.exe in Windows Startup folders, check for unexpected outbound connections to 83[.]142[.]209[.]203:8080

For AI infrastructure generally:

  • Pin every dependency in CI/CD to immutable references (commit SHAs for Actions, hashes for packages)
  • Audit what credentials exist in your CI/CD environments. If your build runner has access to your PyPI token, your cloud provider keys, and your database password, a single compromised dependency can take all of them
  • LLM proxies, agent orchestrators, and AI workflow tools sit in the execution path of your AI stack. They have elevated access because they need it. That makes them high-value targets. Treat them accordingly
  • Monitor for unexpected outbound connections from CI/CD and development environments. The earliest signal of a credential harvester is a network call to a domain you don't recognise

The Trivy → Checkmarx → LiteLLM → Telnyx chain is the clearest example yet of a self-propagating supply chain attack. Each compromise created the conditions for the next one. The attack didn't need to be technically brilliant at any single step. It needed to be persistent, and it needed the ecosystem to not notice fast enough.

The campaign has been running for ten days. Five ecosystems are compromised. An estimated 300 GB of stolen credentials are being actively used. And the next package in the chain could be publishing right now.

Sources: Datadog Security Labs: TeamPCP campaign analysis · SANS: When the Security Scanner Became the Weapon · Arctic Wolf: TeamPCP campaign advisory · Endor Labs: Telnyx compromise attribution · Microsoft: Trivy compromise detection guidance · StepSecurity: WAV steganography analysis · SafeDep: Telnyx PyPI compromise · LiteLLM: Security incident report · The Hacker News: TeamPCP Telnyx · Sysdig: Checkmarx compromise

Originally published on mistaike.ai

Top comments (0)