TeamPCP escalates CanisterWorm campaign with geopolitical targeting and multi-vector attacks

3 unique sources, 12 articles

Summary

TeamPCP has escalated its multi-vector CanisterWorm campaign into a geopolitically targeted operation, now confirmed to have leveraged the Trivy supply-chain attack as an access vector for the Checkmarx compromise. The group compromised PyPI packages (LiteLLM versions 1.82.7–1.82.8 and Telnyx versions 4.87.1–4.87.2) and Checkmarx KICS tooling to deliver credential-stealing malware, harvesting SSH keys, cloud credentials, Kubernetes secrets, database credentials, cryptocurrency wallets, TLS/SSL private keys, and bash history files. Checkmarx has publicly confirmed that the LAPSUS$ threat group leaked data stolen from its private GitHub repository, with access facilitated by the Trivy compromise attributed to TeamPCP. The leaked data, published on both dark web and clearnet portals, did not contain customer information, and Checkmarx has blocked access to the affected repository pending forensic investigation. The campaign’s scope expanded from initial npm package compromises to include GitHub repository hijacking (e.g., Aqua Security), Docker Hub compromise, and CI/CD pipeline targeting, while destructive payloads in Iranian Kubernetes environments highlight TeamPCP’s geopolitical alignment.
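An added example, not part of the original reporting: a check of a pip requirements or `pip freeze` listing against the LiteLLM and Telnyx releases named above. The function names and sample input are constructed, and each version range is read as the two releases the page lists.

```python
import re

# Affected releases exactly as named on this page.
AFFECTED = {
    "litellm": {"1.82.7", "1.82.8"},
    "telnyx": {"4.87.1", "4.87.2"},
}

# name, optional [extras], then the version specifier up to a marker or comment
REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*([^;#]*)")
# an exact pin (== or ===) with no wildcard and no second clause
PIN_RE = re.compile(r"===?\s*v?([0-9][\w.+!-]*)")

def normalize(name):
    """PEP 503 normalization: case-insensitive; '-', '_' and '.' are equivalent."""
    return re.sub(r"[-_.]+", "-", name).lower()

def audit_requirements(text):
    """Return (line_no, package, verdict) for each line naming a listed package.

    'compromised': exact pin to an affected release.
    'ok':          exact pin to any other release.
    'review':      range, wildcard or no specifier, so the resolved version
                   has to be checked in the lock file or the environment.
    """
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split(" --hash")[0]      # drop pip hash options
        m = REQ_RE.match(line)              # comments and '-r' lines do not match
        if not m:
            continue
        name, spec = normalize(m.group(1)), m.group(3).strip()
        if name not in AFFECTED:
            continue
        pin = PIN_RE.fullmatch(spec)
        if pin:
            verdict = "compromised" if pin.group(1) in AFFECTED[name] else "ok"
        else:
            verdict = "review"
        findings.append((no, name, verdict))
    return findings

# Constructed sample input (not taken from any real project).
SAMPLE = """\
# constructed pip-freeze style input
requests==2.32.3
LiteLLM==1.82.7 --hash=sha256:0000
telnyx[async]>=4.0 ; python_version >= "3.9"
litellm==1.82.6
"""
```
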

Timeline

  1. 23.03.2026 22:09 8 articles · 1mo ago

    TeamPCP launches Iran-targeted wiper and expanded Kubernetes attacks using CanisterWorm C2

    The Telnyx PyPI compromise (versions 4.87.1 and 4.87.2) further demonstrates TeamPCP’s operational tempo and evolving tactics. The LiteLLM compromise (versions 1.82.7–1.82.8) expanded the attack surface by activating infostealer malware during installation/updates, systematically harvesting SSH keys, cloud credentials (AWS, Azure, GCP), Docker configurations, and other sensitive data from developer endpoints. The malware exfiltrated stolen data to attacker-controlled infrastructure and established persistence, aligning with prior compromises of developer and security tools (e.g., Trivy, LiteLLM). This development reinforces the assessment that TeamPCP is leveraging supply-chain compromises to convert credential harvesting into larger-scale operations, including geopolitically motivated destructive payloads (e.g., time-zone/locale-based wipers in Kubernetes environments).

    The new April 22, 2026 npm attack, while not yet attributed to TeamPCP, highlights the escalation of self-propagating supply-chain threats beyond TeamPCP’s operations, targeting AI agent tooling and database packages with credential theft and multi-ecosystem propagation mechanisms. The Namastex Labs compromise (16 packages) and compromised 'xinference' Python package demonstrate the broadening threat landscape, with exfiltration to telemetry.api-monitor[.]com and ICP canister cjn37-uyaaa-aaaac-qgnva-cai.raw.icp0[.]io.

    On April 22, 2026, a coordinated attack on Checkmarx ecosystems was disclosed: malicious images were pushed to the official "checkmarx/kics" Docker Hub repository, overwriting existing tags (v2.1.20, alpine) and introducing a malicious v2.1.21 tag. The malware bundled modified KICS binaries with data collection and exfiltration capabilities, sending encrypted scan reports to external endpoints. Additionally, infected Visual Studio Code extensions (versions 1.17.0 and 1.19.0) executed unauthorized remote addons via Bun using hardcoded GitHub URLs. The incident exposed credentials in Terraform, CloudFormation, or Kubernetes configurations to malicious scans, prompting remediation actions. Techniques and exfiltration infrastructure resemble TeamPCP's CanisterWorm operations, though attribution remains unconfirmed.

  2. 21.03.2026 09:28 11 articles · 1mo ago

    CanisterWorm escalates from manual npm package compromise to fully automated self-propagating supply chain worm via ICP canisters

    Checkmarx publicly confirmed that the LAPSUS$ threat group leaked data stolen from its private GitHub repository, with the access vector linked to the Trivy supply-chain attack attributed to TeamPCP. The company stated that the leaked data was published on both dark web and clearnet portals, though it does not contain customer information. Checkmarx blocked access to the affected GitHub repository during an ongoing forensic investigation. The article also clarifies that attackers renewed access or maintained month-long persistence to publish malicious Docker images, VS Code, and Open VSX extensions for Checkmarx’s KICS security scanner on April 22, 2026, which aligns with prior reporting on the campaign's multi-vector tactics.


Similar Happenings

Targeted social engineering of Axios maintainer enables UNC1069 npm supply chain compromise via WAVESHAPER.V2 implant

A maintainer of the widely used Axios npm package was targeted in a highly tailored social engineering campaign attributed to North Korean threat actor UNC1069, resulting in the compromise of npm account credentials and the publication of two trojanized versions of Axios (1.14.1 and 0.30.4). Google Threat Intelligence Group (GTIG) attributed the attack to UNC1069 based on the use of WAVESHAPER.V2 and infrastructure overlaps with past activities. The malicious packages were available for roughly three hours and injected a plain-crypto-js dependency that installed a cross-platform RAT, enabling credential theft and downstream compromise. The campaign also targeted additional maintainers, including Pelle Wessman (Mocha framework) and Node.js core contributors, revealing a coordinated effort against high-impact maintainers. The intrusion began with reconnaissance-driven impersonation of a legitimate company founder, engagement via a cloned Slack workspace and Microsoft Teams call, and execution of a fake system update that deployed the RAT. Post-incident, the maintainer reset devices, rotated all credentials, adopted immutable releases, introduced OIDC-based publishing flows, and updated GitHub Actions workflows to mitigate future risks.

Supply chain compromise of axios npm package delivers cross-platform RATs via malicious dependency

A North Korea-nexus threat actor (UNC1069) compromised the npm account of axios maintainer Jason Saayman via a two-week social engineering campaign and published malicious axios versions v1.14.1 and v0.30.4 containing the plain-crypto-js dependency to deliver cross-platform RATs with full unilateral control capabilities, bypassing 2FA. The attack’s blast radius has expanded beyond developer ecosystems after OpenAI revealed that a GitHub Actions workflow used for macOS app signing downloaded the malicious axios library, prompting OpenAI to revoke its macOS app certificate as a precaution despite no evidence of compromise. This incident underscores the escalating risks of supply chain compromises, with Google warning that hundreds of thousands of stolen secrets from the axios and Trivy attacks could fuel further software supply chain attacks, SaaS compromises, ransomware, and cryptocurrency theft. The campaign reflects an industrialized social engineering model targeting high-value individuals and open source maintainers, leveraging AI-enhanced trust-building and matured attacker tooling. Additional supply chain attacks in March 2026, such as the compromise of Trivy by TeamPCP (UNC6780), have compounded the threat landscape, exposing organizations like the European Commission and Mercor to downstream risks.

Ongoing Ghost Cluster Targets npm and GitHub in Multi-Stage Credential and Crypto Wallet Theft Campaign

A coordinated campaign tracked as Ghost continues to target developers via malicious npm packages and GitHub repositories to deploy credential stealers and cryptocurrency wallet harvesters. The operation leverages social engineering and multi-stage infection chains, including fake installation wizards that request sudo/administrator privileges and deceptive npm logs simulating dependency downloads and progress indicators. Stolen data—including browser credentials, crypto wallets, SSH keys, and cloud tokens—is exfiltrated to Telegram channels and BSC smart contracts. The campaign employs a dual monetization model combining credential theft via Telegram channels with affiliate link redirections stored in a BSC smart contract. Malicious npm packages first appeared under the user 'mikilanjijo', with operations beginning as early as February 2026 and expanding to at least 11 packages such as react-performance-suite and react-query-core-utils. The final payload is a remote access trojan that downloads from Telegram channels, decrypts using externally retrieved keys, and executes locally using stolen sudo passwords to harvest credentials and deploy GhostLoader.

Supply chain compromise in Trivy scanner triggers CanisterWorm propagation across CI/CD pipelines

Supply chain compromise in the Trivy vulnerability scanner triggered the CanisterWorm propagation across CI/CD pipelines, now expanding to additional open-source ecosystems and involving multiple advanced threat actors. The TeamPCP threat group continues to monetize stolen supply chain secrets through partnerships with extortion groups including Lapsus$ and the Vect ransomware operation, with Wiz (Google Cloud) and Cisco confirming collaboration and horizontal movement across cloud environments. A new npm supply chain malware campaign discovered on April 24, 2026, shows self-propagating worm-like behavior via @automagik/genie and pgserve packages, stealing credentials and spreading across developer ecosystems while using Internet Computer Protocol (ICP) canisters for command and control. The malware shares technical similarities with prior TeamPCP campaigns, including post-install scripts and canister-based infrastructure, potentially indicating ongoing evolution of the threat actor's tactics or a new campaign leveraging established infrastructure. The Axios NPM package compromise via malicious versions 0.27.5 and 0.28.0 delivered a multi-platform RAT through a malicious dependency impersonating crypto-js, with attribution disputes suggesting either TeamPCP involvement or North Korean actor UNC1069 (Google's Threat Intelligence Group). Cisco's internal development environment was breached using stolen Trivy-linked credentials via a malicious GitHub Action, resulting in the theft of over 300 repositories including proprietary AI product code and customer data from banks, BPOs, and US government agencies. Multiple AWS keys were abused across a subset of Cisco's cloud accounts, with multiple threat actors participating in the breach.

Tag poisoning in Trivy GitHub Actions repositories delivers cloud-native infostealer payload

Attackers compromised two official Trivy-related GitHub Actions repositories—aquasecurity/trivy-action and aquasecurity/setup-trivy—and backdoored Trivy v0.69.4 releases, distributing a Python-based infostealer that harvests wide-ranging CI/CD and developer secrets. The payload executes in GitHub Actions runners and Trivy binaries, remaining active for up to 12 hours in Actions tags and three hours in the malicious release. The actors leveraged compromised credentials from a prior March incident and added persistence via systemd services, while also linking to a follow-up npm campaign using the CanisterWorm self-propagating worm. The incident traces to a credential compromise initially disclosed in early March 2026, which was not fully contained and enabled subsequent tag and release manipulations. Safe releases are now available and mitigation includes pinning Actions to full SHA hashes, blocking exfiltration endpoints, and rotating all affected secrets.
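An added example, not from the original reporting or from Aqua Security: an audit of GitHub Actions workflow text for `uses:` references that are not pinned to a full commit SHA, the mitigation named above. The function names and the sample workflow (including its SHA) are constructed.

```python
import re

# Repositories named on this page as having had tags poisoned.
NAMED_ON_PAGE = {"aquasecurity/trivy-action", "aquasecurity/setup-trivy"}

USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^'"\s#]+)""")
FULL_SHA = re.compile(r"[0-9a-f]{40}")
DIGEST = re.compile(r"sha256:[0-9a-f]{64}")

def audit_workflow(text):
    """Classify every `uses:` reference in one workflow file.

    A reference counts as pinned only when its ref is a full 40-hex commit
    SHA (or an @sha256 digest for docker:// images). Tags and branches are
    mutable, so a poisoned tag changes what the runner executes.
    """
    results = []
    for no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        if target.startswith("./"):        # local action, versioned with the repo
            continue
        action, _, ref = target.partition("@")
        if target.startswith("docker://"):
            pinned = bool(DIGEST.fullmatch(ref))
        else:
            pinned = bool(FULL_SHA.fullmatch(ref))
        repo = "/".join(action.split("/")[:2]).lower()
        results.append({"line": no, "action": action, "ref": ref,
                        "pinned": pinned, "named_on_page": repo in NAMED_ON_PAGE})
    return results

def unpinned(text):
    """References that still follow a mutable tag or branch."""
    return [r for r in audit_workflow(text) if not r["pinned"]]

# Constructed sample workflow; the 40-hex SHA is a placeholder, not a real commit.
SAMPLE = """\
jobs:
  scan:
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@master
      - name: setup
        uses: aquasecurity/setup-trivy@0123456789abcdef0123456789abcdef01234567  # constructed SHA
      - uses: ./.github/actions/local
"""
```
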