TeamPCP supply chain attacks compromise 500+ software packages

Serge Bulaev

TeamPCP may have compromised over 500 software packages in a series of supply chain attacks since March 2026. The attacks appear to have targeted trusted developer tools and spread to many ecosystems, including npm, Docker, and PyPI, mainly to steal credentials like GitHub tokens and cloud secrets. Researchers suggest the campaign used a shared tool and centralized control, and that any secrets exposed during affected workflows should be considered compromised. There is concern that TeamPCP might try new methods in the future, including targeting developer environments and IDEs. Security teams are advised to review their tools and rotate credentials as a precaution.

TeamPCP targeted trusted developer tools and spread across key ecosystems such as npm, PyPI, and Docker; the widely repeated claim that it compromised 500+ software packages since March 2026 is not, however, established by the cited sources. The primary goal of this sophisticated campaign was large-scale credential theft, including GitHub tokens and cloud secrets. Experts warn that any secrets exposed in affected workflows should be considered compromised. This analysis breaks down the attack vectors, impact, and critical defense strategies.

Anatomy of the Attack: How the Campaign Unfolded

Security researchers tracked at least seven distinct attack waves between March 19 and April 24, 2026. The campaign began with malicious tags being force-pushed to Aqua Security's popular Trivy GitHub Action. A nearly identical payload appeared in a Checkmarx Action just days later, indicating a coordinated effort. Analysis from Sysdig revealed a shared credential-stealing tool and centralized command infrastructure across the incidents.

The TeamPCP campaign was a multi-stage software supply chain attack that breached popular developer tools like Trivy and Checkmarx. The attackers injected malicious code designed to steal credentials and then used those stolen secrets to spread the compromise to other packages across npm, PyPI, and Docker.

Attack Trajectory: Cross-Registry Contamination

The initial compromises of the Trivy and Checkmarx GitHub Actions had a cascading effect. The attack spread to at least 66 npm packages, several OpenVSX extensions, and multiple Docker Hub images. Further investigation uncovered 84 poisoned versions across 42 @tanstack npm packages. The attackers also deployed payloads to PyPI, the GitHub Container Registry (GHCR), and Amazon ECR, demonstrating a worm-like technique that leveraged stolen tokens to expand their reach across different software registries.

Primary Objective: Large-Scale Credential Theft

The central goal of the TeamPCP campaign was not just code manipulation but widespread credential harvesting. The malware actively scanned for GitHub personal access tokens (PATs), cloud provider secrets (AWS, Azure, GCP), npm tokens, and even cryptocurrency wallet keys. Security experts strongly advise that any secret exposed to a CI/CD runner during an affected workflow must be treated as compromised, necessitating the immediate rotation of all related credentials.

Your Immediate Mitigation Checklist

  • Audit & Isolate: Audit CI/CD pipelines and isolate or disable the specific artifacts and workflows tied to the TeamPCP/Trivy/Checkmarx supply-chain incidents, especially any Docker tags identified as compromised and the release pipelines that produced them.
  • Rotate All Credentials: Immediately rotate all GitHub PATs, npm tokens, and cloud credentials that were used in or exposed to potentially compromised CI/CD runners.
  • Harden CI/CD Configuration: Pin all third-party GitHub Actions to a specific commit SHA, not a mutable tag. Additionally, restrict the use of pull_request_target events to prevent untrusted code from accessing secrets.
  • Scan for Indicators of Compromise (IOCs): Review runner logs for download calls to tpcp.tar.gz or outbound network connections to checkmarx.zone.
  • Monitor Publishing Activity: Watch for unusual bursts of new package versions being published, a known hallmark of the TeamPCP propagation method.
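As an added example (not code from the article or from any vendor it names), the following Python script implements two of the checks above: it audits a workflow file for third-party actions that are not pinned to a 40-character commit SHA and for pull_request_target triggers, and it scans runner log lines for the two indicators named in the checklist. The sample workflow, the all-zero placeholder SHA and the log lines are constructed for this example.

```python
import re

# Constructed sample workflow (not from the article): one action pinned to a placeholder
# all-zero SHA, one on a mutable branch ref, one local action, and a pull_request_target trigger.
SAMPLE_WORKFLOW = """\
name: scan
on:
  pull_request_target:
  push:
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000
      - uses: aquasecurity/trivy-action@master
      - uses: ./.github/actions/local-step
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
TRIGGER_RE = re.compile(r"^\s*pull_request_target\s*:")

def audit_workflow(text):
    """Return (line_no, subject, reason) for each unpinned third-party action or pull_request_target trigger."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if TRIGGER_RE.match(line):
            findings.append((line_no, "pull_request_target",
                             "runs with base-repo secrets; review before checking out PR code"))
        m = USES_RE.match(line)
        if not m:
            continue
        action, _, ref = m.group(1).partition("@")
        if action.startswith(("./", "docker://")):
            continue  # local actions and image references are not third-party repo refs
        if not SHA_RE.match(ref):
            findings.append((line_no, action, f"mutable ref '{ref or 'default branch'}', pin to a commit SHA"))
    return findings

# Constructed runner log lines (not real captures); the IOC strings are the ones the checklist names.
SAMPLE_LOG = [
    "2026-04-02T10:11:05Z [Run Trivy] curl -sSfL https://checkmarx.zone/tpcp.tar.gz -o /tmp/t.tgz",
    "2026-04-02T10:11:07Z [Build] npm ci --ignore-scripts",
]
IOC_RE = re.compile(r"tpcp\.tar\.gz|checkmarx\.zone", re.IGNORECASE)

def scan_runner_log(lines):
    """Return (line_no, line) for runner log lines that contain a known IOC string."""
    return [(n, l) for n, l in enumerate(lines, 1) if IOC_RE.search(l)]
```

Run audit_workflow over each file under .github/workflows and scan_runner_log over exported runner logs; the line numbers in the findings point at the exact step or trigger to fix.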

Future Threats: The Evolution of TeamPCP Tactics

This campaign signals a tactical evolution for TeamPCP. According to industry reports, the group has shown interest in expanding beyond package poisoning to target developer environments more directly. This suggests the attackers are actively probing new trust boundaries and may target IDEs and local developer machines in future campaigns. Consequently, security teams must expand their focus from just software dependencies to securing the entire developer environment.

What Makes the TeamPCP Attacks Unique?

Unlike typical open-source attacks, TeamPCP specifically targets CI/CD trust infrastructure itself as the primary goal. Across at least seven confirmed waves, the group force-pushed malicious commits to official repositories, extracted OIDC tokens from runner memory to impersonate legitimate publishers, and immediately reinvested stolen secrets to compromise new targets. This creates a self-propagating attack loop that escalates with each compromise.

Is the "500+ Compromised Packages" Figure Accurate?

The widely cited figure of "500+ compromised packages," popularized by outlets like Wired, should be viewed as a severity estimate rather than a verified count. This number is an aggregation of known incidents, including 84 malicious TanStack versions and at least 66 affected npm packages, plus an un-audited number of images on Docker Hub and other registries. While plausible, a consolidated, authoritative list has not been published.

What Types of Secrets Were Stolen?

Case studies confirm the malware scanned for over a dozen credential types, including GitHub and npm tokens, cloud service principal keys (AWS, Azure, GCP), Kubernetes kubeconfig files, SSH private keys, and database connection strings. These stolen secrets were exfiltrated to a command-and-control server in real time and were quickly weaponized to launch new attacks or sold on cyber-crime forums.

What Are the Key Architectural Defenses?

Beyond immediate fixes, long-term architectural changes are crucial. Transition high-value credentials away from environment variables and into vault-backed OIDC providers. Implement CI/CD runtime security tools to block unexpected network calls from build jobs. Finally, enforce a policy requiring two-person manual approval for any workflow that publishes releases to a public registry.

Can Automated Tooling Prevent the Next Attack?

Yes, detection capabilities are rapidly improving. Vendor data shows that while malware samples are increasing, the median time to flag a threat has dropped significantly in repositories using modern security tools. A combination of dependency-graph analytics, package behavior baselining, and strict SHA-pinning policies can provide warnings within minutes of a malicious push, offering a crucial window to block attacks before they propagate.