
TeamPCP is targeting security tools across the OSS ecosystem, turning scanners and CI pipelines into infostealers to access enterprise secrets.

March 24, 2026


TeamPCP is escalating a coordinated campaign targeting security tools and open source developer infrastructure, and is now openly taking credit for multiple follow-on attacks across ecosystems.
In recent Telegram posts, the group has claimed responsibility for expanding beyond the initial Trivy compromise, pointing to attacks on GitHub Actions, OpenVSX extensions, and now PyPI. The latest developments include attacks on Checkmarx's KICS scanner and OpenVSX extensions and a trojanized release of LiteLLM on PyPI, indicating the campaign is still active and continuing to spread.
This is a sustained operation targeting high-leverage points in the software supply chain. TeamPCP’s own messaging reinforces this intent. In one post, they mock security vendors directly:
“These companies were built to protect your supply chains yet they can't even protect their own, the state of modern security research is a joke, as a result we're gonna be around for a long time stealing terabytes of trade secrets with our new partners.”
They're signaling that they plan to continue exfiltrating sensitive data at scale. Another post hints at ongoing activity on PyPI, suggesting additional compromises may still be unfolding. There is growing speculation about a possible connection between TeamPCP and LAPSUS$, based on recent posts from the known LAPSUS$ Telegram account, but this has not been confirmed.

A post from International Cyber Digest claims direct communication with the actor behind the Trivy and LiteLLM compromises, describing ongoing extortion efforts targeting large enterprises.
The actor claims to have exfiltrated ~300 GB of compressed credentials and attributes the LiteLLM compromise to roughly 500,000 stolen credentials. They also signal continued activity and coordination with other groups.
VX-Underground reports it has corroborated these claims with multiple sources. While details remain limited, the claims are consistent with the broader pattern of credential harvesting and follow-on activity observed in this campaign.
The pattern behind these attacks is becoming clear. This is not your run-of-the-mill opportunistic targeting of random vulnerable projects. The attackers are aiming at scanners, GitHub Actions, and other developer infrastructure that already sit inside CI/CD pipelines and enterprise environments. This positioning allows them to harvest credentials, access sensitive systems, and identify weaknesses across organizations using these tools.
We've had customers and partners asking us why these security tools are being targeted so aggressively. Socket CTO Ahmad Nassri, former npm CTO, explained it this way:
“These tools are secret + infrastructure + code security scanners by design. If attackers penetrate the tools, and those tools are used in enterprise environments, they gain access to those environments… banks, telecom, hospitals. They get secrets, and a direct view into where the weak points are.”
CI/CD systems are being tapped as the primary entry point, with autonomous, self-propagating OSS registry attacks as a frequent follow-on.
“That’s why they are targeting GitHub Actions specifically,” Nassri said. “It’s the release vector for open source images and binaries.”
This kind of access can be monetized in a multitude of ways, even when the campaign is framed as disruptive or ideological.
The tone of these messages, combined with the rapid expansion across ecosystems, makes it clear they are out for blood.
As security researcher Adnan Khan pointed out, with the Trivy compromise, TeamPCP has effectively turned one of the most widely used vulnerability scanners into an infostealer inside CI pipelines.
That means organizations running these tools may have had secrets, credentials, and infrastructure data silently exfiltrated during normal security scans. If you haven’t yet implemented continuous monitoring of your OSS dependencies and CI/CD workflows, there’s no reliable way to understand your exposure in incidents like this.
For reference, here are the pieces we’ve published tracking this activity:
The Trivy maintainers are currently using a GitHub discussion as an ad hoc incident response room while downstream users are trying to figure out whether they’ve been owned. People are asking basic, urgent questions like which versions were malicious, whether Docker images were affected, what the exact exposure windows were, whether mirrors were still serving bad images, and whether self-hosted runners were now broken.
This thread has deteriorated into the kind of post-incident chaos you never want to see in a canonical advisory discussion. People are arguing about npm, arguing about zero trust, arguing about whether others are being helpful, dropping raw malware analysis into comments, reverse-engineering payload behavior in public, correcting each other on signing and pinning semantics, and generally scrambling for clear guidance.
At the same time, it’s important to recognize the reality of open source here. Even widely adopted security tools, including those backed by commercial vendors, are often not resourced or structured to handle this level of coordinated, fast-moving, multi-stage attack in real time. This is not a referendum on Trivy’s security practices or GitHub’s platform security. This first strike shows what we’re up against and how important it is to share information to stay ahead of these attacks.
With how heavily these threat actors are targeting developer and security tools right now, we expect to see more incidents like this. Organizations need to be prepared for that reality. We’re continuing to monitor these attacks as they expand across ecosystems and will share updates as more details emerge.
