Jul 3, 2026

TeamPCP Supply Chain Attacks: SafeBreach Coverage for FBI FLASH Alert FLASH-20260702-01

Learn how SafeBreach Labs maps FBI FLASH-20260702-01 to simulations that test your exposure to TeamPCP’s stolen credentials and compromised CI/CD attacks.

On July 2, 2026, the Federal Bureau of Investigation (FBI), in coordination with DHS/CISA, released FLASH Alert FLASH-20260702-01: Cyber Criminal Group TeamPCP, highlighting the tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with the cyber criminal group TeamPCP. According to the FBI, TeamPCP actors have conducted large-scale software supply chain compromises by targeting widely used developer and security tools, gaining access to victim environments and extracting sensitive data—including cloud access tokens, SSH keys, and Kubernetes secrets. The alert also notes that TeamPCP has engaged in extortion and collaboration with other threat actor groups, including publishing victim names on a public leak site and threatening to disclose stolen data.

For more information, read the full FBI advisory here.

Understanding the TeamPCP Threat

TeamPCP is a financially motivated cyber criminal group that, in 2026, compromised trusted software distribution channels by injecting malicious code into legitimate packages and modifying software components and development dependencies. This allowed the actors to push trojanized updates that appeared normal but secretly installed credential-stealing malware and persistent backdoors, giving them long-term access to developer environments and downstream systems.

The group modified tools including—but not limited to—Trivy, KICS, LiteLLM, and the Telnyx Python SDK. These tools are commonly integrated into enterprise continuous integration / continuous delivery (CI/CD) pipelines, cloud infrastructure, and security workflows, making them high-value entry points for compromise at scale. Because the targeted tools are the very software organizations use to secure and build their environments, the campaign has been characterized by researchers as “weaponizing the protectors.”

TeamPCP’s activity is notable for its persistence: the FBI advises that organizations impacted by this campaign should treat exfiltrated data and credentials as a persistent risk, as affiliated actors are likely to weaponize stolen material long after the initial compromise.

Malware associated with TeamPCP

The advisory names four distinct malware families used across the campaign:

  • CanisterWorm — designed to harvest sensitive information, including cloud access tokens, credentials, API keys, and other authentication material associated with Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure.
  • SANDCLOCK — a credential-stealing tool that extracts AWS credentials, Kubernetes ServiceAccount tokens, local environment variables, and cryptocurrency wallet data.
  • Mini Shai-Hulud — a self-replicating, cross-ecosystem (npm/PyPI) software supply chain worm.
  • Miasma — a variant of Mini Shai-Hulud that self-propagates across open-source registries such as npm and PyPI, harvesting credentials and poisoning configuration files.

Key Tactics, Techniques, and Procedures (TTPs)

The FBI FLASH describes a multi-stage supply chain intrusion. The techniques below are organized by ATT&CK tactic; specific MITRE technique IDs and the corresponding SafeBreach simulation mappings will be finalized once Research completes its analysis.

Initial Access

TeamPCP gained entry via software supply chain compromise (T1195.002 – Compromise Software Supply Chain), injecting malicious code into legitimate packages and trojanizing updates to widely used developer and security tools (Trivy, KICS, LiteLLM, Telnyx Python SDK).

Execution & Persistence

Trojanized package updates installed credential-stealing malware and persistent backdoors within developer environments and downstream CI/CD systems, providing long-term access.

Credential Access

CanisterWorm and SANDCLOCK harvested cloud access tokens, API keys, AWS credentials, Kubernetes ServiceAccount tokens, local environment variables, and cryptocurrency wallet data across AWS, GCP, and Azure.

Propagation / Lateral Movement

Mini Shai-Hulud and its Miasma variant self-replicate across npm and PyPI, poisoning configuration files and propagating through publishing tokens and cross-repository trust—enabling movement from one compromised package or account to many.

Collection & Exfiltration

The threat actors used automated worms that leveraged stolen GitHub Personal Access Tokens to create unauthorized exfiltration repositories ("Exfil-Repos") directly on the victim’s GitHub organization infrastructure. These malicious repositories were named tpcp-docs and docs-tpcp and were used to store and exfiltrate harvested secrets under the guise of legitimate development traffic.

Impact

TeamPCP pursued extortion, publishing victim names on a public leak site and threatening disclosure of stolen data, and collaborated with actors from other threat groups.

Referenced vulnerabilities include CVE-2026-33634, CVE-2026-48027, CVE-2026-45321, and CVE-2025-55182.

Indicators of Compromise (IOCs)

The FBI FLASH provides extensive indicators of compromise, including malicious IP addresses, domains (such as spoofed variants of legitimate security-vendor domains), a large set of file hashes, and attacker-created repository names (tpcp-docs and docs-tpcp). Because indicators of a nondeterministic or ephemeral nature may not by themselves confirm a compromise, organizations should evaluate each indicator in the context of their complete security picture. For the full indicator set, refer to the FBI advisory.

SafeBreach Coverage and Playbook Attack Updates

Existing Behavioral Coverage

SafeBreach customers already have behavioral coverage for a core part of this campaign: cloud credential and access-token harvesting across AWS, GCP, and Azure, including Instance Metadata Service (IMDS) abuse and cloud secret/token theft.

New IOC-Based / New Simulation Coverage

SafeBreach Labs is adding new simulations mapped to the TeamPCP TTPs and IOCs highlighted in the FLASH.

What You Should Do Now

Existing SafeBreach customers can validate their defenses against TeamPCP today using any of the following methods:

Method 1 — SafeBreach Scenarios: Navigate to the SafeBreach Scenarios page and search for or select FLASH-20260702-01 (or “TeamPCP”).

Method 2 — Attack Playbook: Open the Attack Playbook and filter by FLASH-20260702-01 or “TeamPCP” to view all associated attacks.

Method 3 — Known Attack Series Report: Select the FLASH-20260702-01 report from the Known Attack Series report and click Run Simulations.

Additional Advisory Steps

Run the SafeBreach Platform Simulations

  1. Sign in to the SafeBreach platform.
  2. Locate the FLASH-20260702-01 / TeamPCP attacks using any of the three methods above.
  3. Run the simulations against your environment.
  4. Review results to identify exposures and prioritize remediation.

Mitigation Strategies (from the FBI advisory)

  1. Pin all GitHub Actions workflows to verified commit SHA hashes rather than floating version tags or branch references.
  2. Rotate all CI/CD secrets, publishing tokens, and cloud credentials that were accessible during identified exposure windows.
  3. Require phishing-resistant multi-factor authentication (MFA) for all accounts with code repository or package registry publishing access.
  4. Enforce least-privilege permissions and token scoping on all CI/CD service accounts and registry publishing tokens to prevent cross-repository propagation.
  5. Enforce a minimum package age threshold (e.g., 7 days) to reduce exposure to newly published malicious versions before community detection.
  6. Maintain offline, immutable backups of critical repositories and package release artifacts.

Proactive Threat Monitoring

  • Search GitHub organization repositories for any named tpcp-docs or docs-tpcp, which are created by the worm using stolen credentials.
  • Implement runtime behavioral monitoring (e.g., Harden-Runner or equivalent) to detect unexpected outbound connections from CI/CD runner processes.
  • Audit npm package maintainer accounts for stale or expired recovery email domains, which TeamPCP exploits to take over publishing credentials.
  • Scan repositories and logs for exposed secrets and remove any found.
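
The repository-name hunt in the first bullet can be run offline against an exported repository listing. This added example (not from the advisory or SafeBreach) assumes JSON in the shape of GitHub's REST "list organization repositories" response; the organization, repositories, and timestamps are constructed. It also returns the earliest creation time among the hits, which is the latest point by which the token used had been stolen and so helps bound the exposure window for credential rotation.

```python
import json
from datetime import datetime

# Repository names the FLASH attributes to the worm (as quoted on this page).
EXFIL_REPO_NAMES = {"tpcp-docs", "docs-tpcp"}

# Constructed sample listing; only the fields used below are included.
SAMPLE_LISTING = json.dumps([
    {"name": "payments-api", "full_name": "example-org/payments-api",
     "created_at": "2024-03-11T09:15:00Z", "private": True},
    {"name": "Docs-TPCP", "full_name": "example-org/Docs-TPCP",
     "created_at": "2026-05-02T03:41:10Z", "private": False},
    {"name": "tpcp-docs-site", "full_name": "example-org/tpcp-docs-site",
     "created_at": "2025-01-20T12:00:00Z", "private": True},
    {"name": "tpcp-docs", "full_name": "example-org/tpcp-docs",
     "created_at": "2026-04-28T22:05:37Z", "private": False},
])


def find_exfil_repos(listing_json):
    """Return matching repos, oldest first, as (created_at, full_name, private)."""
    hits = []
    for repo in json.loads(listing_json):
        # GitHub repository names are case-insensitive, so compare case-folded.
        # Exact match only: names that merely contain the string are not flagged.
        if repo["name"].casefold() in EXFIL_REPO_NAMES:
            created = datetime.fromisoformat(
                repo["created_at"].replace("Z", "+00:00"))
            hits.append((created, repo["full_name"], repo["private"]))
    return sorted(hits)


def rotation_cutoff(hits):
    """Earliest hit creation time; the token used was stolen at or before it."""
    return hits[0][0] if hits else None
```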

Stay Ahead with SafeBreach

TeamPCP’s playbook focuses on stealing credentials and secrets before propagating across cloud environments, package registries, and downstream systems, making detection at the point of initial compromise only half the picture.

With SafeBreach Propagate, you can go a step further—validating the attack paths an adversary could take after an initial foothold, including lateral movement and privilege escalation using harvested credentials and tokens, so you can find and close the paths that matter most before an attacker does.

For a complete view of your security gaps against TeamPCP, sign in to SafeBreach and run the latest simulations mapped to FLASH-20260702-01.
