
TeamPCP Cloud stealer credential-stealing operation

Malware Activity
Happening score: 50
2 unique sources, 2 articles

Summary


TeamPCP Cloud stealer was used in poisoned GitHub Actions and extension payloads that hit Checkmarx workflows, expanding a supply-chain credential-theft operation across trusted developer systems. The malware steals SSH keys, cloud credentials, CI/CD secrets, and wallet data, then exfiltrates them to checkmarx[.]zone. The same payload lineage also shows reuse after the earlier Trivy compromise, raising the risk of follow-on repository poisoning.

Related Happenings

Shai-Hulud supply-chain campaign spreading via stolen CI/CD credentials

Campaign
First: 12.05.2026 14:29 Last: 12.05.2026 14:29 Sources 1

About this happening: The **Shai-Hulud** **supply-chain campaign** remains active across **npm**, **PyPI**, and **Composer**, with the latest reporting tying **TeamPCP** to both a claimed **GitHub inte...

Rogue Checkmarx Jenkins AST plugin release on Jenkins Marketplace

Security Tool/Service
First: 12.05.2026 01:03 Last: 12.05.2026 01:03 Sources 1

About this happening: A **rogue 2026.5.09 release** of the **Checkmarx Jenkins AST plugin** was uploaded to **repo.jenkins-ci.org**, undermining trust in a security-scanning component used in **Jenkins...

PCPJack credential theft framework worms across exposed cloud infrastructure

Malware Activity
First: 08.05.2026 12:00 Last: 08.05.2026 12:00 Sources 1

About this happening: The **PCPJack** malware activity is extending a **credential-theft** operation across **exposed cloud infrastructure**, stripping **TeamPCP** artifacts and stealing access from se...

PCPJack TeamPCP-targeting cloud credential theft campaign

Campaign
First: 08.05.2026 12:00 Last: 08.05.2026 12:00 Sources 1

About this happening: A new **PCPJack** campaign is targeting **TeamPCP victims** by **worming across exposed cloud infrastructure**, creating a fresh risk of credential theft and unauthorized reuse of...

PCPJack Linux cloud credential-theft and persistence framework

Malware Activity
First: 07.05.2026 21:35 Last: 07.05.2026 21:35 Sources 1

About this happening: The **PCPJack** malware framework is stealing credentials from **exposed Linux cloud systems**, creating a broad risk of account takeover and lateral movement. It targets services...

Timeline

  1. 23.04.2026 22:21 1 article · 1mo ago

    TeamPCP compromises Bitwarden CLI npm package

    Campaign Scope Update

    Threat actors published a malicious @bitwarden/cli version 2026.4.0 on April 22, 2026, likely through a compromised GitHub Action in Bitwarden's CI/CD pipeline, and used bw_setup.js and bw1.js to download Bun, steal developer secrets, and exfiltrate AES-256-GCM-encrypted data through public GitHub repositories under victim accounts.

  2. 24.03.2026 11:29 1 article · 2mo ago

    TeamPCP Cloud stealer credential-stealing operation

    Initial Disclosure

    The first observed phase used compromised **GitHub Actions** to inject the stealer into trusted automation and send encrypted archives to **checkmarx[.]zone**. That delivery pattern then broadened into malicious extensions and persistence on non-CI hosts.
