FBI Warns TeamPCP Supply Chain Campaign Puts Developer Environments and Cloud Credentials at Risk
In 2026, the FBI issued a critical warning regarding a massive software supply chain campaign orchestrated by the threat group TeamPCP. This sophisticated attack compromised trusted software distribut

In 2026, the FBI issued a critical warning regarding a massive software supply chain campaign orchestrated by the threat group TeamPCP. This sophisticated attack compromised trusted software distribution channels, allowing hackers to inject malicious code into widely used enterprise development tools. By weaponizing these entry points, the threat actors successfully introduced malicious code into victim […] The post FBI Warns TeamPCP Supply Chain Campaign Puts Developer Environments and Cloud Credentials at Risk appeared first on Cyber Security News.
In 2026, the FBI issued a critical warning regarding a massive software supply chain campaign orchestrated by the threat group TeamPCP. This sophisticated attack compromised trusted software distribution channels, allowing hackers to inject malicious code into widely used enterprise development tools. By weaponizing these entry points, the threat actors successfully introduced malicious code into victim environments at an unprecedented scale. TeamPCP specifically targeted open-source and security components, modifying popular tools that include Trivy, KICS, LiteLLM, and the Telnyx Python SDK. Because these utilities are routinely integrated into continuous integration and continuous delivery (CI/CD) pipelines, cloud infrastructure, and automated security workflows, the compromise had cascading effects. Attackers pushed trojanized updates that appeared completely normal to developers. Behind the scenes, these updates secretly installed persistent backdoors and credential-stealing malware across downstream enterprise systems. The group has escalated its operational impact by combining supply chain poisoning with aggressive extortion tactics. TeamPCP actively collaborates with other cybercriminal syndicates to maximize the pressure on compromised organizations. The threat actors routinely publish victims’ names on public leak sites and threaten to disclose stolen proprietary data widely. The FBI warns that organizations impacted by this campaign must treat any exfiltrated data and credentials as a persistent, long-term risk. TeamPCP Supply Chain Risk TeamPCP deployed a custom arsenal of malicious tools to harvest valuable authentication credentials from compromised pipelines. The FBI identified four primary malware strains used throughout this supply chain campaign to establish persistence and steal data. Security researchers linked this widespread activity to several vulnerabilities, including CVE-2026-33634, CVE-2026-48027, CVE-2026-45321, and CVE-2025-55182. CanisterWorm harvests sensitive cloud access tokens, API keys, and credentials from environments such as Amazon Web Services (AWS), Google Cloud Platform, and Microsoft Azure. SANDCLOCK functions as a dedicated credential extraction tool targeting Kubernetes ServiceAccount tokens, local environment variables, cryptocurrency wallets, and AWS credentials. Mini Shai-Hulud is a highly aggressive, self-replicating software supply chain worm that spans both the npm and PyPI ecosystems. Miasma is a variant of Mini Shai-Hulud that self-propagates across open-source registries, systematically harvesting credentials and poisoning configuration files. Unauthorized repositories named tpcp-docs and docs-tpcp were created by the worm using stolen credentials to aid in propagation. Organizations that have been exposed to these poisoned packages must immediately initiate incident response measures. Since affiliated threat actors are highly likely to weaponize stolen credentials long after the initial breach, the FBI strongly recommends network defenders harden their CI/CD pipelines to prevent unauthorized access. The FBI urges organizations to report any suspected TeamPCP intrusions to their local field office or the Internet Crime Complaint Center at IC3.gov. Incident response teams should proactively retain all relevant forensic data, including affected package names, CI/CD pipeline logs, network traffic records, and any extortion communications. Follow us on Google News , LinkedIn and X to Get More Instant Updates. Set Cyberpress as a Preferred Source in Google. The post FBI Warns TeamPCP Supply Chain Campaign Puts Developer Environments and Cloud Credentials at Risk appeared first on Cyber Security News.
Join the Discussion
Comments coming soon. Follow us on social media for real-time discussions.


