MalwareRansomwareUsed by 1 actorExploits 1 CVE

SANDCLOCK

SANDCLOCK is a credential stealer payload associated with the financially motivated threat group TeamPCP, formally tracked by Google Threat Intelligence Group as UNC6780. According to the provided reporting, it was deployed in software supply-chain compromises involving poisoned GitHub Actions and trojanized PyPI packages tied to projects including Trivy, Checkmarx, LiteLLM, and Telnyx. Its primary documented function is harvesting secrets from developer and CI/CD build environments, specifically including AWS keys and GitHub tokens. The stolen credentials were then monetized through follow-on extortion activity and partnerships with ransomware affiliates. The content consistently describes SANDCLOCK as TeamPCP/UNC6780’s credential-stealer payload used to facilitate downstream compromise of SaaS and development environments. High-confidence indicators in the content are limited to its targeting of build environments and theft of AWS keys and GitHub tokens; no specific file hashes, domains, or host-based artifacts for SANDCLOCK itself are provided.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

EXPLOITED CVES

Vulnerabilities exploited

1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

1 CVES

CVE-2026-33634Trivy supply chain compromise via malicious release and retagged GitHub ActionsExploited in the wild

BleepingComputer reported that threat actors leveraged credentials stolen through the Trivy supply chain compromise (CVE-2026-33634) to breach Cisco's internal development environment... The CISA KEV remediation deadline for CVE-2026-33634 is today, April 8, 2026... Beyond patching Trivy to v0.69.2+, trivy-action to v0.35.0, or setup-trivy to v0.2.6, organizations must also complete credential rotation.

via handlers diary fullisc.sans.edu

THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details

TeamPCP

The payload was a credential stealer called SANDCLOCK that extracted AWS keys and GitHub tokens from build environments, and those credentials were then handed to ransomware affiliates for monetization.

via malware newsmalware.news

MITRE ATT&CK

Techniques & procedures

17 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

4 techniques

T1078Valid AccountsEvidence2

threat actors leveraged credentials stolen through the Trivy supply chain compromise... to breach Cisco's internal development environment.

T1133External Remote ServicesEvidence1

The attackers gained access to build systems and developer workstations through a malicious GitHub Action plugin.

T1195Supply Chain CompromiseEvidence12

The actor compromised popular GitHub repositories including the Trivy vulnerability scanner, Checkmarx, LiteLLM, and BerriAI through malicious pull requests and trojanized PyPI packages. The payload was a credential stealer called SANDCLOCK

T1195.001Compromise Software Dependencies and Development ToolsEvidence3

through malicious pull requests and trojanized PyPI packages

Execution

1 technique

T1059.006PythonEvidence1

Three consecutive xinference PyPI releases... were published from a bot account with a malicious base64-encoded payload injected directly into init .py, executing automatically on package import.

Persistence

2 techniques

T1078Valid AccountsEvidence2

threat actors leveraged credentials stolen through the Trivy supply chain compromise... to breach Cisco's internal development environment.

T1133External Remote ServicesEvidence1

The attackers gained access to build systems and developer workstations through a malicious GitHub Action plugin.

Privilege Escalation

1 technique

T1078Valid AccountsEvidence2

threat actors leveraged credentials stolen through the Trivy supply chain compromise... to breach Cisco's internal development environment.

Stealth

1 technique

T1078Valid AccountsEvidence2

threat actors leveraged credentials stolen through the Trivy supply chain compromise... to breach Cisco's internal development environment.

Credential Access

6 techniques

T1003OS Credential DumpingEvidence1

GTIG also named TeamPCP's credential stealer payload as SANDCLOCK.

T1056Input CaptureEvidence1

GTIG also named TeamPCP's credential stealer payload as SANDCLOCK.

T1528Steal Application Access TokenEvidence5

The payload was a credential stealer called SANDCLOCK that extracted AWS keys and GitHub tokens from build environments

T1552.005Cloud Instance Metadata APIEvidence1

The payload swept AWS credentials, Google Cloud configurations, Kubernetes tokens, environment variables, SSH keys, API keys, and database credentials, exfiltrating to hxxps://whereisitat[.]lucyatemysuperbox[.]space/.

T1555Credentials from Password StoresEvidence3

The compromise of LiteLLM... is particularly concerning, as it exposes AI API secrets that threat actors can exploit to pivot into enterprise networks or conduct AI-assisted reconnaissance at scale.

T1649Steal or Forge Authentication CertificatesEvidence4

The group embedded the SANDCLOCK credential stealer to harvest AWS keys and GitHub tokens directly from CI/CD build environments...

Collection

3 techniques

T1005Data from Local SystemEvidence1

The payload swept AWS credentials, Google Cloud configurations, Kubernetes tokens, environment variables, SSH keys, API keys, and database credentials... The malicious payload ... exfiltrated GitHub tokens, npm tokens, SSH material, AWS/GCP/Azure secrets, GitHub Actions secrets, and AI tooling configuration files.

T1056Input CaptureEvidence1

GTIG also named TeamPCP's credential stealer payload as SANDCLOCK.

T1119Automated CollectionEvidence2

The worm executes via npm postinstall hook, harvests roughly 40 credential categories via regex sweep... The payload swept AWS credentials, Google Cloud configurations, Kubernetes tokens, environment variables, SSH keys, API keys, and database credentials.

Exfiltration

3 techniques

T1041Exfiltration Over C2 ChannelEvidence1

CERT-EU revealed that the threat actors used the stolen AWS secret to exfiltrate data from the Commission's cloud environment. This included data relating to websites hosted for up to 71 clients of the Europa web hosting service and outbound email communications.

T1537Transfer Data to Cloud AccountEvidence1

Over 300 private GitHub repositories containing Cisco source code were cloned... AWS keys were stolen and used for unauthorized activities across Cisco's cloud accounts

T1567Exfiltration Over Web ServiceEvidence3

The malicious payload contained the string "Shai-Hulud: The Third Coming" ... and exfiltrated GitHub tokens, npm tokens, SSH material, AWS/GCP/Azure secrets, GitHub Actions secrets, and AI tooling configuration files to public GitHub repositories created under victim accounts.

Impact

1 technique

T1565.001Stored Data ManipulationEvidence1

The attackers gained access to build systems and developer workstations through a malicious GitHub Action plugin.

INDICATORS OF COMPROMISE

IOCs tracked for this family

4 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app

Network

2 tracked

IPs, domains, and DNS infrastructure linked to this family.

Other

2 tracked

Other indicator types observed in public reporting.

TypeValueLatest sighting

domain●●●●●●●●●●●●View more in app1 month ago

domain●●●●●●●●●●●●View more in app2 months ago

uri●●●●●●●●●●●●View more in app2 months ago

ACTIVITY FEED

Recent activity

14 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

14 SOURCESView more in app

malware newsNews

May 29, 2026

The AI-Embedded SOC: An Operating Model for the Asymmetry Era - Malware News - Malware Analysis, News and Indicators

A credential stealer used in software supply chain compromises to extract AWS keys and GitHub tokens from build environments.

cyber security newsNews

May 11, 2026

Google Warns of Hackers Using AI to Create Working Zero-Day Exploit

Credential stealer used to harvest AWS keys and GitHub tokens from CI/CD build environments. The stolen credentials were then monetized through ransomware and extortion partnerships.

handlers diary fullNews

Apr 27, 2026

TeamPCP Supply Chain Campaign: Update 008 - 26-Day Pause Ends with Three Concurrent Compromises (Checkmarx KICS, Bitwarden CLI Cascade, xinference PyPI), CanisterSprawl npm Worm Identified, and Tier 1 Coverage Returns

A credential stealer associated with UNC6780/TeamPCP activity.

handlers diary fullNews

Apr 27, 2026

A credential stealer associated with UNC6780/TeamPCP activity.

+8 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching4

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities1

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping17

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.