👤 LOGICFALCON
🗓️ 28 Mar 2026  

Stealing the Pipeline: Inside the Global CI/CD Supply Chain Breach Orchestrated by TeamPCP

A multi-stage cyberattack exposes the fragility of developer tools and cloud secrets worldwide.

It started as a whisper in security circles: trusted developer tools behaving strangely, cloud credentials leaking, and malware spreading faster than teams could revoke access. The reality was far worse - a highly organized criminal syndicate, TeamPCP, had infiltrated the very backbone of the software supply chain, launching a sophisticated, multi-stage attack that rippled across the globe.

Fast Facts

  • Attackers exploited vulnerabilities in CI/CD infrastructure (notably CVE-2026-26189 and CVE-2026-33634).
  • Industry-standard tools compromised include Aqua Trivy, Checkmarx KICS, and BerriAI LiteLLM.
  • Over 300 GB of cloud credentials and secrets exfiltrated, according to attackers.
  • The CanisterWorm malware enabled self-propagating infections via the npm and PyPI ecosystems.
  • Attackers used decentralized C2 infrastructure, making takedown extremely difficult.

The Anatomy of a Supply Chain Nightmare

The breach was neither simple nor opportunistic. TeamPCP systematically targeted vulnerabilities in continuous integration and deployment (CI/CD) architectures, exploiting flaws in credential rotation and the mutability of Git tags. By manipulating version tags to point to malicious, orphaned commits, they injected credential-stealing code into trusted binaries and container images - often masquerading as legitimate contributors through sophisticated commit spoofing.

Once inside, the attackers deployed advanced memory-scraping malware directly into CI/CD runners. This allowed them to siphon cloud provider keys, SSH credentials, and Kubernetes tokens in plaintext, bypassing traditional endpoint security. Unlike standard malware, this payload never touched disk, operating solely in memory and extracting secrets by reading process memory paths like /proc/<pid>/mem.

The campaign didn’t stop at a single ecosystem. Python’s LiteLLM package on PyPI was compromised using stolen credentials, while npm namespaces such as @EmilGroup and @opengov saw malicious packages auto-published by the self-propagating CanisterWorm. Key to TeamPCP’s persistence was their use of decentralized “Canisters” on the Internet Computer Protocol (ICP) for command and control - blending seamlessly into legitimate cloud traffic and evading takedown efforts.

A critical misstep by defenders - a non-atomic approach to credential revocation - allowed TeamPCP to maintain access even as organizations tried to rotate secrets, intercepting new credentials at the moment of their creation and distribution.

Who Was Affected?

The fallout was widespread, covering affected versions of Aqua Trivy, Checkmarx KICS, and BerriAI LiteLLM, as well as GitHub Actions workflows and npm packages published between March 19 and 26, 2026. Any organization relying on these tools or packages during that window faces a high risk of compromise.

What Can Be Done?

Experts urge immediate cryptographic pinning of dependencies (using commit hashes, not mutable tags), comprehensive credential invalidation and rotation, strict network restrictions to block known C2 domains, and runtime monitoring for memory scraping on CI/CD runners. Above all, organizations must recognize that even security tools themselves can become attack vectors.

Reflections: When Trust Becomes a Target

The TeamPCP campaign is a chilling reminder: in the world of cloud-native development, trust is both a cornerstone and a vulnerability. As attackers grow bolder and supply chain attacks escalate, the industry must rethink not just how it builds software, but how it defends the invisible pipelines that power the digital world.

WIKICROOK

  • CI/CD: CI/CD automates software testing and deployment, allowing teams to deliver code changes quickly, safely, and efficiently with minimal manual intervention.
  • Credential Stealer: A credential stealer is malware designed to locate and steal passwords, digital keys, or authentication tokens from a victim’s computer or device.
  • Git Tag: A Git tag is a static label pointing to a specific commit, often used to mark release versions and manage software development milestones.
  • Command and Control (C2): Command and Control (C2) is the system hackers use to remotely control infected devices and coordinate malicious cyberattacks.
  • Memory Scraping: Memory scraping is a cyberattack that steals sensitive data from a computer’s active memory, often before the data is encrypted or securely stored.

LOGICFALCON, Log Intelligence Investigator