In a significant escalation of their activities, the hacking group known as TeamPCP has broadened its reach across several open-source platforms, including Docker Hub, VS Code, and PyPI. This expansion from their initial Trivy supply chain attack indicates a strategic partnership with the Lapsus$ gang, likely aimed at monetizing their efforts.
The initial breach within Aqua Security’s Trivy vulnerability scanner began when hackers exploited an unrotated access token in late February. This oversight allowed them ongoing access, leading to the compromise of important repositories. Reports from OpenSourceMalware suggest that the attackers gained admin control through a compromised Argon-DevOps-Mgt service account token.
Expanding Impact on Open-Source Platforms
TeamPCP, also known under aliases like DeadCatx3 and ShellForce, has been linked to previous attacks on Docker and Kubernetes, leveraging vulnerabilities like React2Shell. The current campaign, tracked as CVE-2026-33634 with a critical CVSS score of 9.4, involves releasing malicious packages and manipulating GitHub Action tags to deploy malware capable of stealing sensitive data.
By mid-March, similar tactics were employed against Xygeni, compromising automation credentials to insert malicious code. These actions underscore the necessity for robust repository protection and credential management, as highlighted in Xygeni’s incident report.
Continued Threats and Mitigation Efforts
Despite efforts to contain the spread of malware in Trivy repositories starting March 19, it took five days to fully remove the attackers. During this period, TeamPCP continued to publish malicious Docker Hub images, revealing persistent access. Aqua Security is now working with Sygnia to document and remediate the incident thoroughly.
Security reports suggest over 10,000 CI/CD workflows were affected, with malicious code executing automatically, compromising credentials and infrastructure. CrowdStrike’s analysis highlights the stealth of these attacks, noting the removal of temporary files post-execution to avoid detection.
Potential Long-Term Implications
The attack’s broad scope is further evidenced by TeamPCP’s recent intrusion into Checkmarx’s KICS project, spreading malicious versions of plugins across the OpenVSX marketplace. This breach is similar in methodology to the Trivy attack, exploiting GitHub Actions vulnerabilities to disseminate harmful payloads.
Organizations affected by these breaches are urged to rotate all compromised credentials, investigate potential infections, and reinforce their security protocols. The widespread nature of the attacks, including the compromise of LiteLLM on PyPI, signals a concerted effort to exploit valuable credentials across multiple systems.
The partnership with Lapsus$ suggests an alarming trend towards monetizing these breaches through extortion. As TeamPCP continues to claim responsibility for these widespread attacks, the cybersecurity community must remain vigilant against further threats emerging from this collaboration.
