TeamPCP Cloud stealer credential-stealing operation
Malware Activity
Summary
Hide ▲
Show ▼
TeamPCP Cloud stealer was used in poisoned GitHub Actions and extension payloads that hit Checkmarx workflows, expanding a supply-chain credential-theft operation across trusted developer systems. The malware steals SSH keys, cloud credentials, CI/CD secrets, and wallet data, then exfiltrates them to checkmarx[.]zone. The same payload lineage also shows reuse after the earlier Trivy compromise, raising the risk of follow-on repository poisoning.
Related Happenings
Shai-Hulud supply-chain campaign spreading via stolen CI/CD credentials
Campaign
H score56
First: 12.05.2026 14:29
Last: 12.05.2026 14:29
Sources 1
About this happening:
The **Shai-Hulud** **supply-chain campaign** now includes a fresh **PyPI** wave that compromised **19 packages** across **37 malicious releases**, with popular bioinformatics tool...
Shai-Hulud supply-chain campaign spreading via stolen CI/CD credentials
CampaignAbout this happening: The **Shai-Hulud** **supply-chain campaign** now includes a fresh **PyPI** wave that compromised **19 packages** across **37 malicious releases**, with popular bioinformatics tool...
Rogue Checkmarx Jenkins AST plugin release on Jenkins Marketplace
Security Tool/Service
H score28
First: 12.05.2026 01:03
Last: 12.05.2026 01:03
Sources 1
About this happening:
A **rogue 2026.5.09 release** of the **Checkmarx Jenkins AST plugin** was uploaded to **repo.jenkins-ci.org**, undermining trust in a security-scanning component used in **Jenkins...
Rogue Checkmarx Jenkins AST plugin release on Jenkins Marketplace
Security Tool/ServiceAbout this happening: A **rogue 2026.5.09 release** of the **Checkmarx Jenkins AST plugin** was uploaded to **repo.jenkins-ci.org**, undermining trust in a security-scanning component used in **Jenkins...
PCPJack credential theft framework worms across exposed cloud infrastructure
Malware Activity
H score27
First: 08.05.2026 12:00
Last: 08.05.2026 12:00
Sources 1
About this happening:
The **PCPJack** malware activity is extending a **credential-theft** operation across **exposed cloud infrastructure**, stripping **TeamPCP** artifacts and stealing access from se...
PCPJack credential theft framework worms across exposed cloud infrastructure
Malware ActivityAbout this happening: The **PCPJack** malware activity is extending a **credential-theft** operation across **exposed cloud infrastructure**, stripping **TeamPCP** artifacts and stealing access from se...
PCPJack TeamPCP-targeting cloud credential theft campaign
Campaign
H score37
First: 08.05.2026 12:00
Last: 08.05.2026 12:00
Sources 1
About this happening:
A new **PCPJack** campaign is targeting **TeamPCP victims** by **worming across exposed cloud infrastructure**, creating a fresh risk of credential theft and unauthorized reuse of...
PCPJack TeamPCP-targeting cloud credential theft campaign
CampaignAbout this happening: A new **PCPJack** campaign is targeting **TeamPCP victims** by **worming across exposed cloud infrastructure**, creating a fresh risk of credential theft and unauthorized reuse of...
PCPJack Linux cloud credential-theft and persistence framework
Malware Activity
H score34
First: 07.05.2026 21:35
Last: 07.05.2026 21:35
Sources 1
About this happening:
**PCPJack** is a **Linux cloud malware framework** that steals credentials from **exposed cloud systems** and now has been tied to a **covert SMTP relay network** running on **AWS...
PCPJack Linux cloud credential-theft and persistence framework
Malware ActivityAbout this happening: **PCPJack** is a **Linux cloud malware framework** that steals credentials from **exposed cloud systems** and now has been tied to a **covert SMTP relay network** running on **AWS...
Latest development: 05.06.2026 08:34
Hunt.io reported that PCPJack hijacked cloud servers associated with Amazon Web Services (AWS), Google Cloud, and Microsoft Azure and quietly converted compromised business servers across the U.S., Europe, and Asia into SMTP proxies for a covert email relay pipeline. The recovered infrastructure included open directories on C2 213.136.80[.]73 containing source code, compiled binaries, deployment state logs, internet scanners, exploitation tooling, and a live Sliver configuration, plus Sliver-integrated SMTP proxy deployment tooling, Chisel binaries, and a persistent chisel_verifier.py process that checked relay capability and removed failed tunnels. Verified proxies were enriched with exit IP address, country, and ASN via api.ipify[.]org and ip-api[.]com, then synced every five minutes to 38.242.204[.]245, with the observed outcome reaching 230 nodes.
Timeline
-
23.04.2026 22:21 1 articles · 2mo ago
TeamPCP compromises Bitwarden CLI npm package
Campaign Scope UpdateThreat actors published a malicious @bitwarden/cli version 2026.4.0 on April 22, 2026, likely through a compromised GitHub Action in Bitwarden's CI/CD pipeline, and used bw_setup.js and bw1.js to download Bun, steal developer secrets, and exfiltrate AES-256-GCM-encrypted data through public GitHub repositories under victim accounts.
Show sources
- Bitwarden CLI npm package compromised to steal developer credentials — www.bleepingcomputer.com — 23.04.2026 22:21
-
24.03.2026 11:29 1 articles · 3mo ago
TeamPCP Cloud stealer credential-stealing operation
Initial DisclosureThe first observed phase used compromised **GitHub Actions** to inject the stealer into trusted automation and send encrypted archives to **checkmarx[.]zone**. That delivery pattern then broadened into malicious extensions and persistence on non-CI hosts.
Show sources
- TeamPCP Hacks Checkmarx GitHub Actions Using Stolen CI Credentials — thehackernews.com — 24.03.2026 11:29