← Dispatches

TLP:CLEAR · 2026-07-05

Know Your Adversary: TeamPCP

TeamPCP has carried that handle since late 2025. Three days ago the FBI formally attributed the campaign in FLASH-20260702-01. They poisoned Trivy, KICS, and LiteLLM to steal cloud credentials — then wormed npm and GitHub. Here is the full adversary bio, what the flash adds, and the C2 IP still answering after the domains died.

This is the first entry in Know Your Adversary — Intercept Cell's standing series on the groups behind the infrastructure we track. Not a malware writeup. Not a CVE recap. A dossier: who they are, how they operate, what they want, and where to look for them next.

On July 2, 2026, the FBI Cyber Division and DHS/CISA published FLASH-20260702-01, formally attributing the supply-chain campaign to TeamPCP — a handle the group has used publicly since at least December 2025 (PCPcat, @pcpcats, leak-site branding). Industry researchers (Unit 42, SANS, CSA, Trend Micro) have tracked them under that name for months; the flash is the first U.S. government advisory to put the label on the official record. We read the flash, pulled the public research trail, and ran our own pivots on the indicator set three days later. This dispatch is the bio, the FBI synthesis, and what we found that the flash does not emphasize.

Executive Summary

TeamPCP is a credential-centric supply chain predator. They do not phish developers with fake login pages. They trojanize the security and AI tooling inside CI/CD — Trivy, Checkmarx KICS, LiteLLM, Telnyx SDK, npm packages, Docker images — then harvest cloud access tokens, SSH keys, Kubernetes secrets, GitHub PATs, and LLM API keys at scale. Stolen publish tokens feed self-propagating worms (CanisterWorm, Mini Shai-Hulud / Miasma) that spread without further operator action.

The group also runs a double-extortion program: victim names on a Tor leak site, proof dumps via IPFS, negotiation over Tox/Session/SimpleX. Google Threat Intelligence Group tracks the operators as UNC6780. Industry reporting ties them to collaborations with Vect ransomware affiliates and claimed alliances with LAPSUS$-style extortion crews on high-profile data.

Intercept Cell addendum (2026-07-05): Most FBI-listed domains are dead or sinkholed, but `45.148.10.212` still serves Caddy vhosts for `checkmarx.zone` on port 80 even though the domain has no A record. Block the IP, not just the domain list.

Who They Are

FieldAssessment
Primary nameTeamPCP / Team PCP
Tracking IDsUNC6780 (Google GTIG), DeadCatx3, PCPcat, ShellForce, CipherForce, PersyPCP
Public persona@pcpcats on X; cat/shell aesthetic on leak sites and GitHub defacements
MotivationFinancial — credential theft, data exfiltration, extortion
Skill profileSupply chain tradecraft, CI/CD abuse, npm/PyPI worming, blockchain C2 experimentation
Victims named publicly16+ organizations per Unit 42; FBI cites ongoing leak-site publication

TeamPCP is not a nation-state actor dressing up as criminals. They are operators who learned that the fastest path to enterprise cloud credentials runs through the tools meant to secure the pipeline. Their brand is juvenile on purpose — memes, defacements, BreachForums posts — but the mechanics are not: stolen tokens become autonomous propagation, and propagation becomes cluster-wide compromise.

Timeline

DateEvent
Dec 2025PCPcat cloud credential scanner; early C2 on 67.217.57.240
Feb 27, 2026First Trivy compromise via malicious GitHub Actions workflow; exfil to recv.hackmoltrepeat.com
Mar 19–24, 2026Second Trivy wave; SANDCLOCK stealer; SANS estimates 10,000+ CI/CD workflow runs exposed in this window
Mar 20–23, 2026CanisterWorm — 47+ npm packages; ICP blockchain canister C2; Aqua Security GitHub defacement
Mar 22–24, 2026Checkmarx KICS Docker Hub poison; LiteLLM PyPI 1.82.7/1.82.8; Telnyx SDK compromise
Apr 2026Campaign pause → monetization; Cisco source theft via stolen Trivy creds reported
Apr 21–22, 2026Return: KICS cascade into Bitwarden CLI via Dependabot; CanisterSprawl npm worm; xinference PyPI
May 2026Mini Shai-Hulud / Miasma waves — TanStack, AntV, OpenSearch, Mistral, UiPath; SLSA-attested malicious publishes
Jul 2, 2026FBI FLASH-20260702-01 published

Malware Arsenal

SANDCLOCK ("TeamPCP Cloud Stealer")

Purpose-built credential harvester. Dumps GitHub Actions Runner.Worker process memory to capture secrets injected through Actions' secret-handling mechanism, then sweeps filesystems for SSH keys, ~/.aws, ~/.kube/config, Docker registry creds, and LLM keys (OPENAI_API_KEY, ANTHROPIC_API_KEY). Disguises exfil as telemetry POSTs to typosquatted monitoring domains.

CanisterWorm

Self-propagating npm worm. Steals npm publish tokens, resolves publishable packages, bumps patch versions, republishes poisoned copies with original READMEs intact. C2 via Internet Computer Protocol (ICP) canister at tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io — first documented use of ICP as supply-chain C2. Includes optional wiper component targeting Kubernetes (privileged DaemonSets) and bare-metal hosts. Masquerades as pgmon / PostgreSQL telemetry (~/.local/share/pgmon/service.py, /tmp/pglog).

Mini Shai-Hulud / Miasma

Cross-ecosystem npm/PyPI worm in the Shai-Hulud family. Creates GitHub dead-drops and unauthorized repos named `tpcp-docs` or `docs-tpcp` using stolen PATs. Intercept Cell mapped 83 live Miasma dead-drops in June 2026 (prior dispatch). Same operator ecosystem; different campaign marker.

How They Get In

TeamPCP's entry is almost always T1195.002 — Compromise Software Supply Chain:

1. Poison a trusted package or container image (Trivy, KICS, LiteLLM, etc.)

2. Developer or CI runner installs the update — looks normal

3. Stealer executes in runner memory / postinstall hooks

4. Tokens exfiltrated → npm/PyPI republish, GitHub repo creation, cloud API abuse

5. Worms propagate without operator touching each victim

6. Extortion if data is monetizable

CVEs cited in the FBI flash include CVE-2026-33634, CVE-2026-48027, CVE-2026-45321, and CVE-2025-55182 — treat these as exploited in campaign context, not as the whole story. The core play is trusted-tool trojanization, not a single RCE.

FBI FLASH-20260702-01 — What Defenders Should Carry Forward

The flash (published July 2, 2026) confirms:

- Scale: Large-scale compromises of developer and security tools

- Data at risk: Cloud tokens, SSH keys, Kubernetes secrets, API keys, crypto wallets

- Malware families: CanisterWorm, SANDCLOCK, Mini Shai-Hulud, Miasma

- GitHub hunt: Repos named `tpcp-docs` or `docs-tpcp` in your org

- Persistence: pgmon.service, sysmon.service, litellm_init.pth, archive **tpcp.tar.gz

- Extortion: Public leak site; collaboration with other criminal groups

- Immediate action: Rotate all CI/CD secrets, cloud creds, and publish tokens for environments that ran compromised versions — especially March 19–24, 2026

IOCs in the flash were sourced from Palo Alto Unit 42 and industry partners. The flash is TLP:CLEAR. Report suspected intrusions to FBI field offices or IC3.gov.

Intercept Cell Recon — Unreported & Under-Emphasized

We probed FBI-listed indicators on 2026-07-05 UTC. Most domains from the March–May waves are NXDOMAIN or sinkholed. That is good news — and a trap for defenders who block domains but not residual IPs.

HIGH — 45.148.10.212 still answers for checkmarx.zone

curl -sI -H 'Host: checkmarx.zone' http://45.148.10.212/
→ HTTP/1.1 308 Permanent Redirect
→ Location: https://checkmarx.zone/
→ Server: Caddy

checkmarx.zone has Route53 nameservers but no A record — DNS takedown without host cleanup. The IP remains routable. Block `45.148.10.212` at the firewall. Do not assume domain-only blocks cleared this infrastructure.

Flash-documented paths on this typosquat include:

- checkmarx.zone/raw — persistence dropper poll URL

- checkmarx.zone/static/checkmarxutil-1.0.4.tgz — malicious archive

HIGH — ICP canister neutralized but identifiable

tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io returns HTTP 451 with header x-ic-canister-id: tdtqy-oyaaa-aaaae-af2dq-cai. CanisterWorm's C2 channel is blocked; the canister ID remains a hunt pivot in proxy logs.

MEDIUM — litellm.cloud reclaimed

Apex domain resolves to `129.212.152.70` with a generic domain-notice parking page. `models.litellm.cloud` (flash C2 subdomain) has no DNS. Parent typosquat chain neutralized at registrar level.

MEDIUM — Co-hosted pivot on 94.154.172.43

Flash IP `94.154.172.43` reverse-resolves `deenfin.com` and `rcrconsulting.net` on the same host. Neither responded to HTTP probes from our vantage. Treat as co-location intelligence, not confirmed malicious domains, unless correlated in your logs.

MEDIUM — t.m-kosche.com DNS live, host filtered

Resolves `185.95.159.32`; TCP/443 timed out externally. Associated with Mini Shai-Hulud fake OpenTelemetry exfil (/api/public/otel/v1/traces). Keep on blocklists.

Leak site (reported, not Tor-verified here)

Multiple vendors reference TeamPCP's Tor DLS (successor to CipherForce branding):

22evxpggnkyrxpluewqsrv5j4jtde6hut2peq3w44d6ase676qlkoead.onion

We did not access Tor in this pass. Treat as reported intelligence from Trend Micro, Fortgale, and SANS diary coverage.

GitHub naming pivot

Public repo `driftline-labs/tpcp-docs` created 2026-03-24 (LiteLLM attack day). Matches FBI worm repo naming. Could be victim artifact or research sandbox — hunt in context, do not auto-block the org.

Infrastructure Map

[Developer installs poisoned Trivy/KICS/LiteLLM/npm package]
           │
           ▼
[SANDCLOCK / stealer in CI runner memory]
           │
     ┌─────┴─────┬──────────────┬────────────────┐
     ▼           ▼              ▼                ▼
[Cloud APIs] [GitHub PAT] [npm/PyPI token] [K8s secrets]
     │           │              │                │
     │           ▼              ▼                │
     │    [tpcp-docs repos] [CanisterWorm]       │
     │           │              │                │
     └───────────┴──────────────┴────────────────┘
                       │
                       ▼
              [Typosquat exfil domains]
         checkmarx.zone · models.litellm.cloud · …
                       │
                       ▼
              [Tor leak site / extortion]

What To Hunt Today

Network

- Egress to `45.148.10.212` (live as of 2026-07-05)

- HTTP header `X-Filename: tpcp.tar.gz` (LiteLLM exfil gate)

- Fake telemetry to `t.m-kosche.com` / `audit.checkmarx.cx`

Endpoint / CI

- litellm_init.pth, LiteLLM_init.pth, router_init.js, mcpAddon.js in tool install paths

- ~/.local/share/pgmon/service.py, /tmp/pglog, /tmp/transformers.pyz

- systemd units: `pgmon.service`, `sysmon.service` ("System Telemetry Service")

GitHub

- Org repos named `tpcp-docs` or `docs-tpcp`

- Commits with message `LongLiveTheResistanceAgainstMachines`

- Unexpected `claude@users.noreply.github.com` commits outside your automation

Packages

- litellm==1.82.7 or 1.82.8 on PyPI (poisoned versions)

- Unexpected patch bumps on npm scopes you maintain after March 2026

If You Were Exposed

1. Rotate everything — cloud IAM, GitHub PATs, npm/PyPI tokens, LLM keys, SSH material — assume compromise if poisoned tools ran in CI

2. Audit GitHub orgs for tpcp-docs / docs-tpcp repos

3. Pin GitHub Actions to SHA, not floating tags

4. Rebuild runners from clean images — persistence survives token rotation if the host is still owned

5. Report to FBI if you have forensic material — IC3.gov

Treat exfiltrated credentials as long-lived risk. Affiliated groups including Vect may weaponize stolen material months after the initial supply-chain event.

IOC Summary (TLP:CLEAR)

IPs

IPContextStatus (2026-07-05)
45.148.10.212checkmarx.zone C2 / exfilLIVE — block
83.142.209.11Flash listedSSH/nginx; no vhost match
83.142.209.194Flash listedSSH only
83.142.209.203Flash listedSMB/445
94.154.172.43Flash listed / telemetryPort 80; co-hosted domains
67.217.57.240PCPcat-era C2Ports closed externally
129.212.152.70litellm.cloud apexParking page (reclaimed)

Domains (flash + pivots)

checkmarx.zone · models.litellm.cloud · git-tanstack.com · recv.hackmoltrepeat.com · scan.aquasecurtiy.org · audit.checkmarx.cx · check.git-service.com · t.m-kosche.com · litellm.cloud

Other

- ICP: tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io (451 blocked)

- Repos: tpcp-docs, docs-tpcp

- Archive: tpcp.tar.gz

- Onion DLS: 22evxpggnkyrxpluewqsrv5j4jtde6hut2peq3w44d6ase676qlkoead.onion (reported)

Confidence & Limitations

- HIGH: Live Caddy response on 45.148.10.212 for checkmarx.zone; ICP canister 451; FBI flash facts as published

- MEDIUM: Co-hosted domains on 94.154.172.43; driftline-labs/tpcp-docs naming correlation; Session seed infra used by worm family

- LOW / reported only: Tor leak site contents; full victim list; operator real-world identity

This dispatch extends public reporting — it does not replace the FBI flash or Unit 42 technical papers. Read those for complete hash lists and YARA.

Credits & Further Reading

- FBI FLASH-20260702-01 (PDF) — July 2, 2026

- Palo Alto Unit 42: Weaponizing the Protectors

- SANS white paper: When the Security Scanner Became the Weapon; ISC campaign diaries through June 2026 (Updates 001–008)

- CSA Research Notes: TeamPCP / UNC6780, CanisterWorm

- Intercept Cell: Miasma dead-drop dispatch (June 2026)

*Next in Know Your Adversary: TBD. Submit candidates via contact.*

Intercept Cell Research is a Cipher Cortex research program. Hooked Scams is a scam investigation series from Intercept Cell Research.