Jul 6, 2026
Podcast: Poisoned Pipelines: TeamPCP and the FBI Flash on Weaponized Dev Tools
Tova Dvorin (00:01.413) Welcome back to the Cyber Resilience Brief, a Safe Breach podcast. Today we’re discussing Team PCP. The FBI put out a flash today, the second of July. Sorry, the FBI put out a flash this weekend on the second of July, coordinated with CISA, naming a criminal group that’s been trojanizing the security tools defenders actually rely on. Adrian, that’s the part that stops me. They went after the protectors. Adrian (00:24.078) And Tova, that’s exactly why this one’s worth a full episode. This isn’t nation-state espionage. It’s financially motivated, extortion, a leak site, a whole criminal playbook, but the trade craft is APT grade. They’ve compromised Trivi, KICS, Lytel, LLM, and the Telniks, Python SDK. If you’ve never heard of those, that’s fine, but your dev team is very familiar with them. Tova Dvorin (00:50.223) Okay, so walk me through who benefits from thinking that that’s a developer problem, not my problem. Adrian (00:55.34) Well, nobody benefits, frankly. Trivian KICS are vulnerability and infrastructure as code scanners, security tools. Light LLM sits in AI pipelines. If your CI-CD pipeline touches any of those or anything that depends on them, you’re in the scope. Tova Dvorin (01:13.903) And the FBI’s language here is unusually direct. They’re calling this large scale. In that context, let’s get into who Team PCP actually is. Adrian (01:23.054) So let’s start with the naming and this is refreshingly simple compared to some of our nation state episodes. The FBI just calls them Team PCP, one name, one source, no alias soup to untangle. Tova Dvorin (01:38.841) But the method doesn’t match wait wait. No typhoon, no panda, no bear. Yeah. Here, no typhoon, no panda, no bear. Adrian (01:41.422) Well, what now? You just hit. Adrian (01:48.224) None of that, however, the attribution confidence is high in the sense that matters. This is a direct FBI statement coordinated with CSER, not a single vendor’s hypothesis. What’s interesting is the motive split. Nation state actors want persistence and quiet. Team PCP wants money. They’re running a leak site, threatening to publish stolen data. Classic double extortion. and eagle-eyed SafeBreach customers will notice we’ve got two team PCP scenarios, once from a month ago. I can’t go into too much detail about that but we were a month ahead of the FBI. Tova Dvorin (02:26.459) That’s great, Adrian. No, I’m not gonna use that as a transition. But the method doesn’t match a smash and grab extortion crew. Adrian (02:33.364) Exactly right. To get there they’re using supply chain tradecraft that wouldn’t look out of place in a state sponsored campaign. The Flash even notes they’ve collaborated with actors from other threat groups which tells you this isn’t a lone crew. It’s closer to an ecosystem player trading access and tooling with other criminal operations. Tova Dvorin (02:53.905) So we have a criminal group that’s operating with an APT’s patience. Adrian (02:58.37) That’s the tension worth sitting with. Extortion crews are usually smash and grab, ransomware and crypt demand move on. Team PCP took the slow road, getting to the software supply chain, sit inside CI-CD pipelines, harvest credentials at scale, then monetize later through extortion. That’s a more patient operating model than we usually see from a purely criminal outfit. Tova Dvorin (03:27.067) This is off script, but I have to ask this. Could it be that Team PCP is actively learning from nation state threat actors and its methodology? Do we know? Adrian (03:35.086) So that’s the missing part of the attribution cycle at the moment Tova, and partly how it came out to our radar a month ago. We’re not certain yet whether there’s actually a bit like scattered spider, whether there’s actually a nation state sitting behind them pulling the strings. And that may turn out to be the case with deeper analysis over the coming months. Tova Dvorin (03:57.969) Okay, so back to brass tacks for the moment while we figure that out. Who’s actually in the blast radius here? Is this sector specific? Adrian (04:04.398) So not sector specific, it’s layer specific. They’re not targeting banks or hospitals directly. What they’re targeting is the CICD pipeline itself, which means anyone using these tools inherits the exposure regardless of industry. That’s actually scarier for a defender than a sector specific campaign because there’s no, we’re not the target, comfort available. If you’re a bank, a hospital or a mid-sized software as a service company running any of these tools, you’re equally in scope. Tova Dvorin (04:33.688) Yikes. Alright, so let’s get into how they actually did it. Adrian (04:37.472) So this starts as a classic supply chain compromise. MITRE ATT &CK calls it, rolls off the tongue, T1195.002 compromising the software supply chain. Team PCP injected malicious code into legitimate packages. Trivy, KICS, Lite LLM, the Telnik’s Python software developers kit. These got pulled automatically into enterprise CICD pipelines. So a trojanized update looks completely normal. until it isn’t. Tova Dvorin (05:07.992) Normal is the whole point. Nobody is suspicious of their vulnerability scanner updating. Adrian (05:12.522) Exactly. Once the update lands, installs credential stealing malware and a persistent backdoor. The FBI flash doesn’t name the specific backdoor mechanism, so I won’t speculate on the technique. There’s a gap in the public reporting, not something I’m going to fill in for anybody at the moment, but that may come in the future. What we do know publicly is the outcome, persistent access to developer environments and whatever those environments touch downstream. Tova Dvorin (05:41.072) Fair. Now what about the malware itself? What are these tools actually doing once they’re in the system? Adrian (05:46.831) So we have two named credential stealers, Tova. Canister Worm goes after cloud access tokens, credentials and API keys specifically built for AWS, GCP and Azure. And again, back to the mitre names, that’s T1552.005 in attack terms, unsecured credentials via cloud metadata. Then there’s SandClock, which is more of a Swiss Army knife. AWS credentials, Kubernetes, service account tokens, local environment variables, and cryptocurrency wallet data. Tova Dvorin (06:20.144) Kubernetes service account tokens for the listener who isn’t running a cluster, why does that one matter specifically here? Adrian (06:26.134) So because those tokens are usually mounted as files inside every pod in a cluster, it’s how workloads authenticate to the Kubernetes API. If SandClock gets one of those, it’s not just stealing a credential, it’s potentially getting a foothold to move around inside your entire container orchestration layer. That’s T1552.001 credentials in files, but the blast radius is a lot, lot bigger than just a stolen password. Tova Dvorin (06:54.446) And cryptocurrency wallet targeting. Now, this is something I know about because I used to work in cryptographic key security for wallets. But that feels almost old fashioned. I mean, it’s developed but not that much over the last ten years. When you compare that to what they’re doing with cloud tokens, Kubernetes secrets, why why is Team C P C P dealing with this here besides for the fact that it’s just money? Adrian (07:13.166) So, very important question Tove, very perceptive of you. It’s the tell that this is a criminal operation at the front end, not an espionage one. A nation state actor generally doesn’t care about your crypto wallet. Team PCP is monetizing everything it touches. Cloud credentials for extortion leverage, wallet data for direct theft. It’s opportunistic in a way that pure APT trade craft usually isn’t. However, remember our previous episodes from China, APT 41. is both nation state and out of hours, criminal. So just because the front end is criminal doesn’t mean there isn’t a nation state connected to this. Tova Dvorin (07:52.273) I was about to say this also is reminding me of the episodes we did on North Korea, which have not been released yet, where they did similar things with cryptocurrency as well. But let’s remove that possibility from this for a second. So far this does sound like a serious but fairly conventional credential theft campaign. What makes it a full episode instead of a paragraph that we would give in a roundup? Adrian (08:10.478) There’s two things Tova. First, there’s a worm. Mini-Shyhalud is self-replicating across NPM and PyPy simultaneously. It’s not a one-time poison package. It propagates on its own across two of the biggest open source registries in existence. There’s a variant called miasma that does the same self-propagation but also poisons configuration files as it spreads, which extends the persistence. Tova Dvorin (08:38.746) That’s a worm in open source package registries in twenty twenty six. Adrian (08:43.138) We’ve been here before with Event Stream and UA parser JavaScript, but the scale here is different. Cross ecosystem, self replicating, credential harvesting, all in one payload. The second thing that makes this a full episode, Tova, is how they got in the door in the first place. And this is the part I actually find very clever in a very unwelcome sense. Tova Dvorin (09:05.156) Go on. Adrian (09:06.52) Team PCP took over legitimate NPM maintainer accounts by exploiting stale or expired recovery email domains. If a maintainer’s recovery email was tied to a domain that since lapsed, an attacker can re-register that domain and reset the account’s password straight through the normal recovery flow. No exploit, no zero day, just abandoned infrastructure and a patient attacker. That’s technique 1078, valid accounts. but it’s a count takeover through infrastructure decay rather than credential theft. Tova Dvorin (09:42.416) Now, Adrian, that’s a genuinely uncomfortable finding because it means the maintainer did nothing wrong in the moment, the domain just expired years later. Adrian (09:49.556) That’s exactly the uncomfortable part, Tova, and once they’ve, you know, they’re publishing as a trusted maintainer, everything downstream trusts the update by default. Tova Dvorin (10:00.387) So how do you actually spot this campaign inside your own environment? Is there anything you can point to that’s concrete? Adrian (10:06.461) Yes, fortunately, and it’s one of the more useful indicators in the whole flash. Team PCP creates GitHub repositories named TPCP-DOCS and DOCS-TPCP using stolen credentials. These get used to stage exfiltrated data. That’s technique 1567.001 exfiltration to a code repository. And it’s a specific searchable signature. If either of those repo names shows up in your GitHub organization, that’s not ambiguous. So search for it now. Tova Dvorin (10:41.264) Follow us for more cyber defender recipes. That’s the type of specific actionable detail that this show exists for. Adrian (10:47.457) The infrastructure has a tell too, Tova. Team PCP’s command and control domains are typo-squatting security vendors. Checkmarks.zone. Scan.aquasecurity.org. With the deliberate misspelling. That’s T1036005 masquerading paired with T1071001 for the actual command and control traffic over standard web protocols. The idea is security team glancing at outbound traffic, see something that looks vaguely like a familiar vendor and doesn’t look twice. Tova Dvorin (11:21.136) So they’re impersonating the industry that’s supposed to be catching them. Adrian (11:24.555) which circles back to the episode’s whole premise, weaponizing the protectors, both the tools and now the brand names. Tova Dvorin (11:31.568) And Adrian, remind us why we are releasing this as a very special episode off brand today. At today on a Sunday, not on a Wednesday. What makes this urgent? Adrian (11:40.247) So because the flash is literally news right now, issued on the 2nd of July, flash 2026 070201 coordinated with CESA. The coordination matters. It means both agencies are aligned on the severity, not just one shop putting out a bulletin. Tova Dvorin (11:58.661) Now I noticed that the flash also names four CVEs. What do those tell us? Adrian (12:03.117) So at the moment, very honestly Tova, not much and I’d rather say that plainly than guess, the flash list CVE 202633634, 45321, 48027 and 2025 55182 without describing what any of them actually are. That’s homework for the sock teams who are listening. Go pull those records yourself before you brief your leadership on them. I’m not going to speculate on technique from a bare CVE number. Tova Dvorin (12:33.518) Right, that’s fair. Not every gap needs to be filled with a guess. Adrian (12:37.133) It’s just also professionally responsible, so if the flash is clear about what it knows and doesn’t, we should be too. Tova Dvorin (12:45.028) Yeah, right. Adrian, does this connect anything I’m sorry does this connect to anything that we flagged before on this show? Adrian (12:52.533) It sits inside a pattern we’ve been watching all year. Attackers treating the security supply chain itself as the softest target because defenders trust their own tooling by default. This is the sharpest example of that pattern we’ve seen land in an FBI flash so far. Tova Dvorin (13:09.754) Well, we’ve already given SOC teams listening homework. What else should people listening do or actually sorry, we’ve already given sock teams their homework. What else should our listeners actually do about this right now? Adrian (13:21.239) So five concrete things all specific to this campaign and this is not generic. First, pin every GitHub actions workflow to a verified commit shahash. Not a version tag, not a branch reference, those float and Team PCP’s whole entry point depends upon that floating trust. Tova Dvorin (13:40.494) Right, and that’s a real engineering change, not just a policy memo. Adrian (13:43.946) It is practical security and it’s worth the friction. Second, go search your own GitHub organisation right now for repositories named TPCP-DOCS or DOCS-TPCP. That takes five minutes with a binary answer. Tova Dvorin (13:59.865) And what about the account takeover angle? Adrian (14:02.347) So third, audit NPM and package registry maintainer accounts for stale or expired recovery email domains and require phishing resistant multi-factor authentication on anyone with publishing access. That closes the exact door TPCP walkthrough. Tova Dvorin (14:19.864) Now if T C P C P already walked through that door, what do we do about the credential exposure? How do we prevent that element? Adrian (14:24.001) So exactly Tova fourth, rotate every CICD secret publishing token and cloud credential that was accessible during your exposure window. Don’t assume a credential is fine because you haven’t seen it abused yet. Rotate everything. Sand clock and canister worm are built to harvest quietly. Tova Dvorin (14:47.92) So that’s four. What’s the fifth? Adrian (14:50.495) Enforce a minimum package age threshold, something like seven days, before any newly published package version gets pulled into your environment automatically. Most malicious versions get caught by the community within days. That window is exactly what Team PCP is racing against, and it costs you almost nothing in development velocity. Tova Dvorin (15:12.494) Now is there a way to actually know whether any of this would work against your own pipeline rather than just having the policy on paper? Adrian (15:19.243) So that’s the honest gap that most organizations have. You can pin your actions to shars, rotate your secrets, but until you’ve actually exercised the chain, simulate the poison dependency pulling credentials off of a CI-CD runner and watch whether your detection catches it, you’re guessing. Tova Dvorin (15:38.586) Right, don’t trust, verify. Your test should t should not be testing whether the control exists. It’s does it actually fire? Adrian (15:45.548) Right, the defenders I’ve worked with who take this seriously are running that exact validation against their own pipelines, not just checking that the policy document exists. It’s the same principle whether you’re using safe breach or anything else. Untested detection is a hope, not a control. Tova Dvorin (16:03.96) That’s real hunting package. You know, what’s the single check you’d like to tell a sock lead to run before they even finish listening to this episode? Adrian (16:11.277) Substantial for a single flash, 6 IP addresses, 13 typo squat and C2 domains, 26 file hashes plus the two exfil repo names. That’s a real hunting package. And the fastest win is the repo search. Query a GitHub organization again for tpcp-docs or docs-tpcp right now. It’s a binary answer in five minutes and it’s the one indicator that’s uniquely team PCP at the moment rather than shared with other campaigns. Tova Dvorin (16:46.192) Well Adrian, as we touched upon this is developing story, so what are we watching for on the horizon? Adrian (16:51.893) So, thank you Tova. There is one more thing before we go. Watch the worm. Mini Shai-Hulud and those of you who are deeper into threat will know that the Dune base, that is a Dune science fiction novel reference, that has been tied in the past to Russian government intelligence. Mini Shai-Hulud and miasma are currently confined to NPM and PiPi. The moment we see this self-propagation jump to a third ecosystem, RubyGems, crates.io, Maven, that’s the signal that’s stopped being a two-register problem and become a genuine cross-language supply chain worm. Myself and the team are watching for that very closely and if it happens there’s a follow-up episode will be coming. Tova Dvorin (17:37.104) Of course. Where there’s news briefs from sorry, of course, where there’s CISA alerts and where there’s updates will be there. Adrian, thank you so much for walking us through this one, especially on the weekend. Adrian (17:47.189) Anytime, always glad to help out, Tova. Tova Dvorin (17:50.298) Thank you. And to our listeners reminder, this is Team PCP FBI Flash 2026 070201, weaponizing the very tools meant to protect us. Now, if you take one thing from this episode, go check your GitHub now for those repo names that we’ve mentioned. And we will have the link to the CISA alert and to our blog on this in the show notes. But in the meantime, listeners, stay safe. Stay safe with Safe Breach. Adrian (18:14.871) Nice and punchy.
In This Episode
A criminal crew with APT-grade patience is trojanizing the exact tools defenders rely on every day.
In this episode we cover:
- FBI FLASH-20260702-01 (coordinated with CISA) exposes TeamPCP, a group compromising Trivy, KICS, LiteLLM, and the Telnyx SDK
- Two new credential stealers in the wild: CanisterWorm and SANDCLOCK
- “Mini Shai-Hulud”—a self-replicating worm spreading across npm and PyPI
- npm account takeovers achieved through expired package recovery domains
- Five concrete defenses to act on now, starting with a GitHub org search for “tpcp-docs”
If your org relies on open-source dev tooling in CI/CD, this one’s a must-listen.


