This is the first entry in Know Your Adversary — Intercept Cell's standing series on the groups behind the infrastructure we track. Not a malware writeup. Not a CVE recap. A dossier: who they are, how they operate, what they want, and where to look for them next.
On July 2, 2026, the FBI Cyber Division and DHS/CISA published FLASH-20260702-01, formally attributing the supply-chain campaign to TeamPCP — a handle the group has used publicly since at least December 2025 (PCPcat, @pcpcats, leak-site branding). Industry researchers (Unit 42, SANS, CSA, Trend Micro) have tracked them under that name for months; the flash is the first U.S. government advisory to put the label on the official record. We read the flash, pulled the public research trail, and ran our own pivots on the indicator set three days later. This dispatch is the bio, the FBI synthesis, and what we found that the flash does not emphasize.
Executive Summary
TeamPCP is a credential-centric supply chain predator. They do not phish developers with fake login pages. They trojanize the security and AI tooling inside CI/CD — Trivy, Checkmarx KICS, LiteLLM, Telnyx SDK, npm packages, Docker images — then harvest cloud access tokens, SSH keys, Kubernetes secrets, GitHub PATs, and LLM API keys at scale. Stolen publish tokens feed self-propagating worms (CanisterWorm, Mini Shai-Hulud / Miasma) that spread without further operator action.
The group also runs a double-extortion program: victim names on a Tor leak site, proof dumps via IPFS, negotiation over Tox/Session/SimpleX. Google Threat Intelligence Group tracks the operators as UNC6780. Industry reporting ties them to collaborations with Vect ransomware affiliates and claimed alliances with LAPSUS$-style extortion crews on high-profile data.
Intercept Cell addendum (2026-07-05): Most FBI-listed domains are dead or sinkholed, but `45.148.10.212` still serves Caddy vhosts for `checkmarx.zone` on port 80 even though the domain has no A record. Block the IP, not just the domain list.
Who They Are
| Field | Assessment |
|---|---|
| Primary name | TeamPCP / Team PCP |
| Tracking IDs | UNC6780 (Google GTIG), DeadCatx3, PCPcat, ShellForce, CipherForce, PersyPCP |
| Public persona | @pcpcats on X; cat/shell aesthetic on leak sites and GitHub defacements |
| Motivation | Financial — credential theft, data exfiltration, extortion |
| Skill profile | Supply chain tradecraft, CI/CD abuse, npm/PyPI worming, blockchain C2 experimentation |
| Victims named publicly | 16+ organizations per Unit 42; FBI cites ongoing leak-site publication |
TeamPCP is not a nation-state actor dressing up as criminals. They are operators who learned that the fastest path to enterprise cloud credentials runs through the tools meant to secure the pipeline. Their brand is juvenile on purpose — memes, defacements, BreachForums posts — but the mechanics are not: stolen tokens become autonomous propagation, and propagation becomes cluster-wide compromise.
Timeline
| Date | Event |
|---|---|
| Dec 2025 | PCPcat cloud credential scanner; early C2 on 67.217.57.240 |
| Feb 27, 2026 | First Trivy compromise via malicious GitHub Actions workflow; exfil to recv.hackmoltrepeat.com |
| Mar 19–24, 2026 | Second Trivy wave; SANDCLOCK stealer; SANS estimates 10,000+ CI/CD workflow runs exposed in this window |
| Mar 20–23, 2026 | CanisterWorm — 47+ npm packages; ICP blockchain canister C2; Aqua Security GitHub defacement |
| Mar 22–24, 2026 | Checkmarx KICS Docker Hub poison; LiteLLM PyPI 1.82.7/1.82.8; Telnyx SDK compromise |
| Apr 2026 | Campaign pause → monetization; Cisco source theft via stolen Trivy creds reported |
| Apr 21–22, 2026 | Return: KICS cascade into Bitwarden CLI via Dependabot; CanisterSprawl npm worm; xinference PyPI |
| May 2026 | Mini Shai-Hulud / Miasma waves — TanStack, AntV, OpenSearch, Mistral, UiPath; SLSA-attested malicious publishes |
| Jul 2, 2026 | FBI FLASH-20260702-01 published |
Malware Arsenal
SANDCLOCK ("TeamPCP Cloud Stealer")
Purpose-built credential harvester. Dumps GitHub Actions Runner.Worker process memory to capture secrets injected through Actions' secret-handling mechanism, then sweeps filesystems for SSH keys, ~/.aws, ~/.kube/config, Docker registry creds, and LLM keys (OPENAI_API_KEY, ANTHROPIC_API_KEY). Disguises exfil as telemetry POSTs to typosquatted monitoring domains.
CanisterWorm
Self-propagating npm worm. Steals npm publish tokens, resolves publishable packages, bumps patch versions, republishes poisoned copies with original READMEs intact. C2 via Internet Computer Protocol (ICP) canister at tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io — first documented use of ICP as supply-chain C2. Includes optional wiper component targeting Kubernetes (privileged DaemonSets) and bare-metal hosts. Masquerades as pgmon / PostgreSQL telemetry (~/.local/share/pgmon/service.py, /tmp/pglog).
Mini Shai-Hulud / Miasma
Cross-ecosystem npm/PyPI worm in the Shai-Hulud family. Creates GitHub dead-drops and unauthorized repos named `tpcp-docs` or `docs-tpcp` using stolen PATs. Intercept Cell mapped 83 live Miasma dead-drops in June 2026 (prior dispatch). Same operator ecosystem; different campaign marker.
How They Get In
TeamPCP's entry is almost always T1195.002 — Compromise Software Supply Chain:
1. Poison a trusted package or container image (Trivy, KICS, LiteLLM, etc.)
2. Developer or CI runner installs the update — looks normal
3. Stealer executes in runner memory / postinstall hooks
4. Tokens exfiltrated → npm/PyPI republish, GitHub repo creation, cloud API abuse
5. Worms propagate without operator touching each victim
6. Extortion if data is monetizable
CVEs cited in the FBI flash include CVE-2026-33634, CVE-2026-48027, CVE-2026-45321, and CVE-2025-55182 — treat these as exploited in campaign context, not as the whole story. The core play is trusted-tool trojanization, not a single RCE.
FBI FLASH-20260702-01 — What Defenders Should Carry Forward
The flash (published July 2, 2026) confirms:
- Scale: Large-scale compromises of developer and security tools
- Data at risk: Cloud tokens, SSH keys, Kubernetes secrets, API keys, crypto wallets
- Malware families: CanisterWorm, SANDCLOCK, Mini Shai-Hulud, Miasma
- GitHub hunt: Repos named `tpcp-docs` or `docs-tpcp` in your org
- Persistence: pgmon.service, sysmon.service, litellm_init.pth, archive **tpcp.tar.gz
- Extortion: Public leak site; collaboration with other criminal groups
- Immediate action: Rotate all CI/CD secrets, cloud creds, and publish tokens for environments that ran compromised versions — especially March 19–24, 2026
IOCs in the flash were sourced from Palo Alto Unit 42 and industry partners. The flash is TLP:CLEAR. Report suspected intrusions to FBI field offices or IC3.gov.
Intercept Cell Recon — Unreported & Under-Emphasized
We probed FBI-listed indicators on 2026-07-05 UTC. Most domains from the March–May waves are NXDOMAIN or sinkholed. That is good news — and a trap for defenders who block domains but not residual IPs.
HIGH — 45.148.10.212 still answers for checkmarx.zone
curl -sI -H 'Host: checkmarx.zone' http://45.148.10.212/
→ HTTP/1.1 308 Permanent Redirect
→ Location: https://checkmarx.zone/
→ Server: Caddy
checkmarx.zone has Route53 nameservers but no A record — DNS takedown without host cleanup. The IP remains routable. Block `45.148.10.212` at the firewall. Do not assume domain-only blocks cleared this infrastructure.
Flash-documented paths on this typosquat include:
- checkmarx.zone/raw — persistence dropper poll URL
- checkmarx.zone/static/checkmarxutil-1.0.4.tgz — malicious archive
HIGH — ICP canister neutralized but identifiable
tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io returns HTTP 451 with header x-ic-canister-id: tdtqy-oyaaa-aaaae-af2dq-cai. CanisterWorm's C2 channel is blocked; the canister ID remains a hunt pivot in proxy logs.
MEDIUM — litellm.cloud reclaimed
Apex domain resolves to `129.212.152.70` with a generic domain-notice parking page. `models.litellm.cloud` (flash C2 subdomain) has no DNS. Parent typosquat chain neutralized at registrar level.
MEDIUM — Co-hosted pivot on 94.154.172.43
Flash IP `94.154.172.43` reverse-resolves `deenfin.com` and `rcrconsulting.net` on the same host. Neither responded to HTTP probes from our vantage. Treat as co-location intelligence, not confirmed malicious domains, unless correlated in your logs.
MEDIUM — t.m-kosche.com DNS live, host filtered
Resolves `185.95.159.32`; TCP/443 timed out externally. Associated with Mini Shai-Hulud fake OpenTelemetry exfil (/api/public/otel/v1/traces). Keep on blocklists.
Leak site (reported, not Tor-verified here)
Multiple vendors reference TeamPCP's Tor DLS (successor to CipherForce branding):
22evxpggnkyrxpluewqsrv5j4jtde6hut2peq3w44d6ase676qlkoead.onion
We did not access Tor in this pass. Treat as reported intelligence from Trend Micro, Fortgale, and SANS diary coverage.
GitHub naming pivot
Public repo `driftline-labs/tpcp-docs` created 2026-03-24 (LiteLLM attack day). Matches FBI worm repo naming. Could be victim artifact or research sandbox — hunt in context, do not auto-block the org.
Infrastructure Map
[Developer installs poisoned Trivy/KICS/LiteLLM/npm package]
│
▼
[SANDCLOCK / stealer in CI runner memory]
│
┌─────┴─────┬──────────────┬────────────────┐
▼ ▼ ▼ ▼
[Cloud APIs] [GitHub PAT] [npm/PyPI token] [K8s secrets]
│ │ │ │
│ ▼ ▼ │
│ [tpcp-docs repos] [CanisterWorm] │
│ │ │ │
└───────────┴──────────────┴────────────────┘
│
▼
[Typosquat exfil domains]
checkmarx.zone · models.litellm.cloud · …
│
▼
[Tor leak site / extortion]
What To Hunt Today
Network
- Egress to `45.148.10.212` (live as of 2026-07-05)
- HTTP header `X-Filename: tpcp.tar.gz` (LiteLLM exfil gate)
- Fake telemetry to `t.m-kosche.com` / `audit.checkmarx.cx`
Endpoint / CI
- litellm_init.pth, LiteLLM_init.pth, router_init.js, mcpAddon.js in tool install paths
- ~/.local/share/pgmon/service.py, /tmp/pglog, /tmp/transformers.pyz
- systemd units: `pgmon.service`, `sysmon.service` ("System Telemetry Service")
GitHub
- Org repos named `tpcp-docs` or `docs-tpcp`
- Commits with message `LongLiveTheResistanceAgainstMachines`
- Unexpected `claude@users.noreply.github.com` commits outside your automation
Packages
- litellm==1.82.7 or 1.82.8 on PyPI (poisoned versions)
- Unexpected patch bumps on npm scopes you maintain after March 2026
If You Were Exposed
1. Rotate everything — cloud IAM, GitHub PATs, npm/PyPI tokens, LLM keys, SSH material — assume compromise if poisoned tools ran in CI
2. Audit GitHub orgs for tpcp-docs / docs-tpcp repos
3. Pin GitHub Actions to SHA, not floating tags
4. Rebuild runners from clean images — persistence survives token rotation if the host is still owned
5. Report to FBI if you have forensic material — IC3.gov
Treat exfiltrated credentials as long-lived risk. Affiliated groups including Vect may weaponize stolen material months after the initial supply-chain event.
IOC Summary (TLP:CLEAR)
IPs
| IP | Context | Status (2026-07-05) |
|---|---|---|
45.148.10.212 | checkmarx.zone C2 / exfil | LIVE — block |
83.142.209.11 | Flash listed | SSH/nginx; no vhost match |
83.142.209.194 | Flash listed | SSH only |
83.142.209.203 | Flash listed | SMB/445 |
94.154.172.43 | Flash listed / telemetry | Port 80; co-hosted domains |
67.217.57.240 | PCPcat-era C2 | Ports closed externally |
129.212.152.70 | litellm.cloud apex | Parking page (reclaimed) |
Domains (flash + pivots)
checkmarx.zone · models.litellm.cloud · git-tanstack.com · recv.hackmoltrepeat.com · scan.aquasecurtiy.org · audit.checkmarx.cx · check.git-service.com · t.m-kosche.com · litellm.cloud
Other
- ICP: tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io (451 blocked)
- Repos: tpcp-docs, docs-tpcp
- Archive: tpcp.tar.gz
- Onion DLS: 22evxpggnkyrxpluewqsrv5j4jtde6hut2peq3w44d6ase676qlkoead.onion (reported)
Confidence & Limitations
- HIGH: Live Caddy response on 45.148.10.212 for checkmarx.zone; ICP canister 451; FBI flash facts as published
- MEDIUM: Co-hosted domains on 94.154.172.43; driftline-labs/tpcp-docs naming correlation; Session seed infra used by worm family
- LOW / reported only: Tor leak site contents; full victim list; operator real-world identity
This dispatch extends public reporting — it does not replace the FBI flash or Unit 42 technical papers. Read those for complete hash lists and YARA.
Credits & Further Reading
- FBI FLASH-20260702-01 (PDF) — July 2, 2026
- Palo Alto Unit 42: Weaponizing the Protectors
- SANS white paper: When the Security Scanner Became the Weapon; ISC campaign diaries through June 2026 (Updates 001–008)
- CSA Research Notes: TeamPCP / UNC6780, CanisterWorm
- Intercept Cell: Miasma dead-drop dispatch (June 2026)
*Next in Know Your Adversary: TBD. Submit candidates via contact.*