TeamPCP has escalated its multi-vector CanisterWorm campaign into a geopolitically targeted operation, compromising trusted PyPI packages (LiteLLM versions 1.82.7–1.82.8 and Telnyx versions 4.87.1–4.87.2) to deliver credential-stealing malware that harvests SSH keys, cloud credentials, Kubernetes secrets, database credentials, cryptocurrency wallets, TLS/SSL private keys, and bash history files. The malware exfiltrates stolen data to attacker-controlled infrastructure and establishes persistent backdoors, with evidence linking TeamPCP to the Vectr ransomware group for follow-on operations.
The campaign began as a supply-chain attack involving 47 compromised npm packages and escalated to include GitHub repository hijacking (e.g., Aqua Security), Docker Hub compromise, and direct targeting of CI/CD pipelines via GitHub Actions workflows (e.g., Checkmarx, Trivy). Recent compromises of LiteLLM and Telnyx demonstrate rapid iteration and maturation of supply-chain attack methodology, while destructive payloads targeting Iranian systems in Kubernetes environments (e.g., time-zone/locale-based wipers) highlight the group’s geopolitical alignment. The LiteLLM compromise specifically turned developer endpoints into systematic credential harvesting operations, with malware activating during installation/updates and cascading through transitive dependencies (e.g., dspy, opik) to affect organizations that never directly used LiteLLM.
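A defender-side check for the affected LiteLLM and Telnyx releases named above, added here as an example (it is not code from the original report or from any vendor). It flags exact pins in requirements or lock-file text and, for the active environment, installed copies plus any package that declares litellm or telnyx as a dependency, which is how the transitive exposure arises. The sample lock text, its non-affected versions and the function names are constructed for illustration.

```python
import re
from importlib import metadata

# Affected releases exactly as listed in the report above; nothing else is assumed.
COMPROMISED = {"litellm": {"1.82.7", "1.82.8"}, "telnyx": {"4.87.1", "4.87.2"}}

# Constructed lock-file excerpt (versions other than the affected ones are made up).
SAMPLE = """\
dspy==0.0.0
LiteLLM[proxy]==1.82.8 \\
    --hash=sha256:PLACEHOLDER
telnyx==4.87.0
Telnyx == 4.87.2 ; python_version >= "3.9"
"""

def canon(name):
    """PEP 503 normalisation so 'LiteLLM' and 'lite_llm' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def scan_pins(text):
    """Return [(name, version)] for exact '==' pins that match an affected release."""
    hits = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*([^\s;\\]+)", line)
        if m and m.group(2) in COMPROMISED.get(canon(m.group(1)), ()):
            hits.append((canon(m.group(1)), m.group(2)))
    return hits

def scan_installed(dists=None):
    """Return (hits, dependents) for the given or currently installed distributions.

    dependents maps an affected project to the installed packages that require it,
    i.e. the places where it can arrive without being requested directly.
    """
    hits, dependents = [], {}
    for d in (metadata.distributions() if dists is None else dists):
        name = canon(d.metadata.get("Name", "") or "")
        if d.version in COMPROMISED.get(name, ()):
            hits.append((name, d.version))
        for req in d.requires or []:
            m = re.match(r"[A-Za-z0-9._-]+", req)     # leading project name
            if m and canon(m.group(0)) in COMPROMISED:
                dependents.setdefault(canon(m.group(0)), set()).add(name)
    return hits, dependents

if __name__ == "__main__":
    print("affected pins:", scan_pins(SAMPLE))
    print("installed hits / dependents:", scan_installed())
```

A hit means the host ran the malicious release at install or update time, so the credential types listed above should be treated as exposed and rotated, not just the package downgraded.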
A coordinated attack on Checkmarx ecosystems has been discovered, including malicious images pushed to the official "checkmarx/kics" Docker Hub repository (v2.1.20, alpine overwritten; v2.1.21 introduced) and infected Visual Studio Code extensions (1.17.0, 1.19.0) that executed remote addons via Bun without user consent. The malware collected and exfiltrated sensitive data from infrastructure-as-code scans, exposing credentials in Terraform, CloudFormation, or Kubernetes configurations. Techniques and exfiltration infrastructure (e.g., ICP canister cjn37-uyaaa-aaaac-qgnva-cai.raw.icp0.io) resemble TeamPCP's CanisterWorm operations, though attribution remains unconfirmed. The Docker Hub repository has been archived, and affected organizations must remediate potentially compromised secrets.