| SYMBOL | COMMON_NAME | aka. SYNONYMS |
TeamPCP is a threat actor that has executed a coordinated series of supply chain attacks, compromising widely-used open source tools such as Trivy, KICS, and LiteLLM to deploy credential-stealing malware. They employed techniques like credential harvesting, lateral movement within Kubernetes environments, and audio steganography to evade detection. The group has demonstrated the ability to leverage stolen credentials to propagate attacks across multiple ecosystems, including npm and PyPI, using a self-propagating worm known as CanisterWorm. Their operations have included the use of AES-256 encryption and RSA-4096 for exfiltration of sensitive data.
There are currently no families associated with this actor.
| 2026-04-02
⋅
tracebit
⋅
Detecting CI/CD Supply Chain Attacks with Canary Credentials TeamPCP |
| 2026-03-30
⋅
Trend Micro
⋅
TeamPCP’s Telnyx Attack Marks a Shift in Tactics Beyond LiteLLM TeamPCP |
| 2026-03-26
⋅
Trend Micro
⋅
Your AI Gateway Was a Backdoor: Inside the LiteLLM Supply Chain Compromise TeamPCP |