FBI: TeamPCP Compromised Dev Tools to Steal Cloud Credentials

devonnull4 pts0 comments

FBI: TeamPCP Compromised Dev Tools to Steal Cloud Credentials

Home

Breaking News

Cyber Crime

Security

FBI: TeamPCP Compromised Dev Tools to Steal Cloud Credentials

FBI: TeamPCP Compromised Dev Tools to Steal Cloud Credentials

Pierluigi Paganini<br>July 04, 2026

FBI says TeamPCP poisoned trusted developer tools to steal cloud credentials, spread malware through software updates, and extort victims.

On July 2, 2026, the FBI published a FLASH alert identifying the criminal group called TeamPCP and detailing how it compromised widely used developer and security tools to steal credentials from victim environments at scale. The targets weren’t end users. They were the tools developers trust every day inside their build pipelines.

TeamPCP is behind multiple supply chain attacks, in the past, they targeted PyPI packages and NPM repositories, and most recently the “Mini Shai-Hulud” campaign also caught two OpenAI employees. The pattern is consistent: go after the tools developers trust, poison the supply chain, and let the downstream damage multiply.

TeamPCP’s method was straightforward and effective: inject malicious code into legitimate software packages, push the trojanized versions through normal distribution channels, and wait for CI/CD pipelines to pull them in automatically. The modified tools installed credential-stealing malware and persistent backdoors without any visible sign that anything had changed.

"TeamPCP actors have conducted large-scale software supply chain compromises by targeting widely used developers and security tools, gaining access to victim environments and extracting sensitive data, including but not limited to cloud access tokens, SSH keys, and Kubernetes secrets." FBI’s FLASH states.

The confirmed list of modified tools includes Trivy, a widely used container vulnerability scanner; KICS, a static analysis tool for infrastructure-as-code; LiteLLM, a popular library for routing requests across AI model APIs; and the Telnyx Python SDK.

These aren’t niche utilities. They’re commonly integrated into enterprise CI/CD pipelines, cloud infrastructure workflows, and security scanning processes. Hitting them means hitting a large number of organizations simultaneously through a single poisoned update.

The group also deployed four distinct malware families. CanisterWorm harvested cloud access tokens, credentials, and API keys for AWS, GCP, and Azure. SANDCLOCK extracted AWS credentials, Kubernetes ServiceAccount tokens, local environment variables, and cryptocurrency wallet data. Mini Shai-Hulud was a self-replicating worm designed to spread across both npm and PyPI registries. Miasma was a variant of Mini Shai-Hulud that propagated across those same open-source registries while harvesting credentials and poisoning configuration files.

The worm component is the part that deserves particular attention. Mini Shai-Hulud and its Miasma variant didn’t just infect the initial target and stop. They spread across open-source package registries autonomously, harvesting credentials and poisoning configuration files as they went. The FBI confirmed two GitHub repository names used for exfiltration: tpcp-docs and docs-tpcp. If either of those repository names appears in your GitHub organization, the worm created it using stolen credentials.

"By weaponizing these supply chain entry points, the threat actors were able to introduce malicious code into victim environments at scale. TeamPCP has also engaged in extortion and collaboration with cyber actors from other threat actor groups, including publishing victim names on a public leak site and threatening disclosure of stolen data." states the alert.

The FBI warns that credentials and data stolen in this campaign should be considered permanently compromised, as they could be reused by TeamPCP or affiliated threat actors in future attacks, even months or years after the initial breach.

"Organizations impacted by this campaign should treat exfiltrated data and credentials as a persistent risk, as affiliated threat actors are likely to weaponize them long after the initial compromise." concludes the alert.

That’s not a hypothetical. It means credentials stolen in this campaign may surface in attacks months or years from now, even after the immediate incident is closed.

How they got into npm accounts?

One technique the FBI specifically flags is worth calling out: TeamPCP exploited npm package maintainer accounts by targeting stale or expired recovery email domains. If a developer registered an npm account years ago with a work email that’s since been decommissioned, the domain may be available for registration. Whoever registers it can use the password reset flow to take over the npm account and publish malicious versions of whatever packages that maintainer owns. It’s an old technique, and it still works because nobody audits their old recovery emails.

The four CVEs associated with this campaign are CVE-2026-33634, CVE-2026-48027,...

credentials teampcp tools cloud compromised steal

Related Articles