In March 2026, a single threat actor group compromised five major software ecosystems inside one week. GitHub Actions. Docker Hub. npm. VS Code. PyPI. Ten thousand CI/CD pipelines ran malicious code while their dashboards showed green checkmarks. A vulnerability scanner with 97 million downloads became a credential harvester. An AI agent was deployed to automate the targeting.
This wasn't a proof-of-concept. It was a coordinated, multi-phase supply chain campaign that exposed critical gaps in how organizations trust their development tools, and it has permanently shifted what hiring managers are looking for in security professionals.
Here's what happened, why it worked, and which career skills just became invaluable.
The Scope: Five Ecosystems, Seven Days
The group operates under multiple identities (TeamPCP, PCPcat, ShellForce, and DeadCatx3), suggesting an organized crew rather than a lone actor. Their March 2026 campaign hit:
- GitHub Actions: Trivy (CVE-2026-33634, CVSS 9.4) and KICS vulnerability scanners
- Docker Hub: compromised container images distributed through official-looking repositories
- npm: 64+ packages infected via an autonomous worm called CanisterWorm
- VS Code / OpenVSX: Checkmarx security plugins with a combined install base in the hundreds of thousands
- PyPI: LiteLLM, the AI gateway library with 97 million downloads
Five ecosystems. Seven days. The breadth isn't coincidence; it's a strategy.
Why These Tools? The Target Selection Logic
Security tooling sits at the intersection of maximum trust and maximum access.
A vulnerability scanner like Trivy needs to read your entire codebase to do its job. It runs inside your CI pipeline, often with access to environment variables, secrets, and cloud credentials. An LLM gateway like LiteLLM manages every AI API key your organization uses: OpenAI, Anthropic, AWS Bedrock, all of them. IDE extensions run inside developer machines with file system access.
TeamPCP didn't target your application. They targeted the tools that touch everything your application touches.
This is the core insight that makes supply chain attacks so dangerous: compromise the tool, inherit everything it accesses. Firewalls, DLP, EDR: none of it is positioned between your Trivy scan and your secrets.
The Trivy Exploit: Tag Mutation at Scale
CVE-2026-33634 (CVSS 9.4) is a masterclass in attacking developer trust assumptions.
GitHub Actions are typically referenced by tag, for example uses: aquasecurity/trivy-action@v0.28.0. Developers assume that pinning to a version tag is safe. TeamPCP exploited that assumption by mutating tags to point to malicious commits with no visible name change. The tag still read v0.28.0. The commit hash behind it had changed.
More than 10,000 CI/CD workflows pulled the malicious action. Jobs ran normally, returned success statuses, and appeared in logs exactly as expected, while simultaneously exfiltrating secrets to attacker infrastructure in the background. Developers saw green. Attackers saw everything.
The detection challenge here is significant: hash verification would catch this (the commit SHA changed), but the overwhelming majority of pipelines verify only the tag string. This gap is now a documented, exploited attack vector.
CanisterWorm: AI-Powered, Unkillable C2
The npm component of this campaign introduces two genuinely novel capabilities that will define threat intelligence work for years.
CanisterWorm is a self-propagating npm worm that uses stolen npm tokens to spread from package to package autonomously. Once it compromised its initial targets, it used those packages' own publishing credentials to infect their dependencies: 64+ packages in this wave, with each infection creating new vectors.
What makes it technically remarkable:
ICP-based C2: CanisterWorm uses the Internet Computer Protocol (ICP) as its command and control infrastructure. ICP is a decentralized blockchain-based compute platform. There are no domain names to seize, no hosting providers to contact, no CDN to blacklist. Traditional C2 takedown playbooks (contact the registrar, suspend the domain, block the IP) don't apply here. The C2 infrastructure is cryptographically sovereign.
AI-assisted targeting: CanisterWorm used an AI agent (specifically, the openclaw framework) to automate attack targeting decisions. This is one of the first documented cases of an AI agent being deployed operationally in a supply chain attack, not as a research concept but as live attack infrastructure making autonomous decisions about which packages to target next.
The implications for the threat intelligence community are significant. We need new frameworks for C2 infrastructure that doesn't have a registrar, and new detection approaches for attacks where the targeting logic itself is adaptive.
The Kubernetes Wiper: Geopolitics in the Payload
Inside the LiteLLM payload, researchers found a particularly notable piece of logic: a geopolitical kill switch.
The malware checks the victim system's timezone and locale settings. If it detects an Iranian environment, it drops a "kamikaze" Kubernetes DaemonSet, a configuration that schedules a destructive pod on every node in the cluster simultaneously. Each pod mounts the host filesystem and wipes it completely before forcing a reboot. Total cluster destruction, coordinated across every node at once.
This is nation-state-style targeting logic embedded in a tool distributed via the public Python Package Index. An enterprise LiteLLM deployment in Tehran doesn't just lose credentials; it loses everything. The targeting is surgical: everyone else gets credential theft, Iranian operators get infrastructure annihilation.
Geopolitical intent baked into malware marks a significant evolution in supply chain attack sophistication. These aren't opportunistic criminals; they're actors with geopolitical objectives who happen to also be running credential theft operations.
The Lapsus$ Connection
TeamPCP doesnβt work alone. The same week, Wiz researchers noted evidence of a working relationship with Lapsus$, the extortion group responsible for breaches at Nvidia, Microsoft, Samsung, and others.
The division of labor is efficient: TeamPCP harvests credentials at scale through supply chain compromises; Lapsus$ converts those credentials into ransomware payments and extortion revenue. The AstraZeneca breach, with 3GB of data allegedly stolen, was attributed to this same timeframe.
Wiz described it as a "dangerous convergence between supply chain attackers and high-profile extortion groups." This matters for incident response: if you're cleaning up a supply chain compromise today, you may be racing Lapsus$ to change credentials before they've been used for extortion.
Leadership Transition: The Operation Continues
In a Telegram post, the group's founder signed off using the handle -DMT, announcing a leadership handover. This has sometimes been misread as the group disbanding.
It isn't. The operation continues under new leadership. The infrastructure, the tooling, the CanisterWorm codebase, the Lapsus$ relationships: none of that goes away when a founder exits. This is a leadership transition for an ongoing criminal organization, not a shutdown.
Organizations that relaxed monitoring after the -DMT post likely made a mistake.
What This Means for Security Careers
This campaign created or accelerated demand for several specific skill sets. Here's what hiring managers are now prioritizing:
Supply Chain Security Engineering
SLSA (Supply Chain Levels for Software Artifacts) and SBOM (Software Bill of Materials) were already trending. This campaign moved them from "nice to have" to "required for regulated industries." Engineers who can implement provenance verification, maintain SBOMs at build time, and enforce SLSA level 2+ controls are now in acute demand. The Trivy exploit, where a tag pointed to a malicious commit, is exactly what SLSA artifact attestation is designed to catch.
GitHub Actions Hardening
Three actionable controls that would have limited the blast radius of this campaign:
- Pin actions to commit SHA, not tags. uses: aquasecurity/trivy-action@abc123def... cannot be silently mutated.
- Use OIDC instead of stored secrets. If your CI job uses a short-lived OIDC token rather than a long-lived secret, there's nothing durable to exfiltrate.
- Restrict secret access by job and step. The principle of least privilege applied to pipelines: if the vulnerability scanner step doesn't need PyPI credentials, it shouldn't have them.
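A pin check for workflow files, added here as an example (it is not code from the article, from Trivy, or from GitHub), that covers both the tag-mutation problem described in the Trivy section and the SHA-pinning control above: it lists every uses: reference that is not a full 40-character commit SHA, and compares the SHA a tag resolves to now against the SHA recorded when the pin was reviewed. The sample workflow, the placeholder SHAs and the two resolution dictionaries are constructed; in practice the current mapping would come from git ls-remote --tags against each action repository.

```python
import re

# Constructed sample workflow, not taken from the article. The trivy-action name and the
# v0.28.0 tag come from the article; the 40-hex SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@v0.28.0
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567  # v0.28.0
"""

# Matches `uses: owner/repo[/path]@ref`; local (./x) and docker:// references are not git refs.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@([^\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_mutable_refs(workflow_text):
    """Return (action, ref) for every reference pinned to a tag or branch instead of a full SHA."""
    findings = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m and not FULL_SHA_RE.match(m.group(2)):
            findings.append((m.group(1), m.group(2)))
    return findings


def detect_tag_drift(recorded, current):
    """recorded: {'owner/repo@tag': sha noted when the pin was reviewed}.
    current:  the same keys resolved now (e.g. parsed from `git ls-remote --tags`).
    A tag whose SHA differs, or that no longer resolves, has been moved or deleted:
    the signal the tag string alone never shows."""
    return sorted(ref for ref, sha in recorded.items() if current.get(ref) != sha)


if __name__ == "__main__":
    for action, ref in find_mutable_refs(SAMPLE_WORKFLOW):
        print(f"mutable reference: {action}@{ref} (pin to a commit SHA)")
    # Constructed resolution results standing in for two ls-remote runs a week apart.
    then = {"aquasecurity/trivy-action@v0.28.0": "0123456789abcdef0123456789abcdef01234567"}
    now = {"aquasecurity/trivy-action@v0.28.0": "fedcba9876543210fedcba9876543210fedcba98"}
    print("moved tags:", detect_tag_drift(then, now))
```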
These controls are immediately marketable. Add them to your resume, implement them in your current role, and be prepared to explain them in interviews.
Behavioral Detection
The detection gap in this campaign is instructive. Hash verification failed because most pipelines don't do it. Static signatures failed because the malicious code used legitimate-looking package infrastructure. Domain reputation failed because C2 ran on ICP.
What works: behavioral detection. Unusual subprocess spawning from within a dependency install. .pth files appearing in site-packages (MITRE ATT&CK T1546.018, Python Startup Hooks). Unexpected outbound network connections originating from build processes. If your Python environment suddenly makes HTTP requests to ICP endpoints, that's detectable regardless of whether you've seen the malware signature before.
Security engineers who can build and tune behavioral detection rules, especially for CI/CD environments, are commanding premium salaries right now.
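An audit for the .pth startup-hook signal named above, added here as an example and not taken from the article or any vendor tool: it walks a site-packages directory and reports every .pth line that the interpreter would execute at startup rather than treat as a path. The demo directory and its hook module name are constructed; audit_current_env() runs the same check against the interpreter executing the script.

```python
import os
import sysconfig
import tempfile

# site.py executes a .pth line only when it begins (with no leading whitespace) with
# "import " or "import\t"; every other line is treated as a path to append to sys.path.
EXEC_PREFIXES = ("import ", "import\t")


def audit_pth_dir(site_packages):
    """Return (pth_path, line_no, line) for each executable line in each .pth file."""
    findings = []
    if not os.path.isdir(site_packages):
        return findings
    for name in sorted(os.listdir(site_packages)):
        if not name.endswith(".pth"):
            continue
        path = os.path.join(site_packages, name)
        with open(path, encoding="utf-8", errors="replace") as fh:
            for no, line in enumerate(fh, 1):
                if line.startswith(EXEC_PREFIXES):
                    findings.append((path, no, line.rstrip("\n")))
    return findings


def audit_current_env():
    """Audit the site-packages directory of the interpreter running this script."""
    return audit_pth_dir(sysconfig.get_paths()["purelib"])


def demo():
    """Constructed site-packages tree: one ordinary path entry and one startup hook."""
    d = tempfile.mkdtemp(prefix="pth-audit-")
    with open(os.path.join(d, "some-package.pth"), "w") as fh:
        fh.write("./some_package-1.0-py3.12.egg\n")    # benign: just a path entry
    with open(os.path.join(d, "zz-hook.pth"), "w") as fh:
        fh.write("import _constructed_hook\n")        # constructed: runs at every startup
    return [(os.path.basename(p), n, l) for p, n, l in audit_pth_dir(d)]


if __name__ == "__main__":
    for path, no, line in demo() + audit_current_env():
        print(f"{path}:{no}: executable .pth line: {line}")
```

A finding is not proof of compromise on its own (some legitimate packages install import hooks this way), so pair it with the package that owns the file and with the subprocess and network signals described above.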
Threat Actor Attribution
TeamPCP was trackable. The same RSA key appeared across multiple phases of the campaign. Filenames followed consistent patterns: tpcp.tar.gz showing up across otherwise unconnected packages. Infrastructure overlaps connected what appeared to be separate campaigns.
This is exactly how threat intelligence professionals build actor profiles. Consistent TTPs, even when the actor thinks they're operating under different identities, create attribution threads. If you can demonstrate that you know how to identify these overlaps, you're showing exactly the skill that Mandiant, CrowdStrike, and internal enterprise TI teams are hiring for.
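The indicator-overlap pivot described above, added here as an example that is not the article's or any vendor's tooling: packages that share a non-generic artifact (a key fingerprint, a filename pattern, a C2 endpoint) are joined into one cluster, transitively, while indicators too common to be meaningful are excluded. The observations are constructed; only the tpcp.tar.gz filename comes from the article, and the key fingerprints and C2 identifiers are placeholders.

```python
from collections import defaultdict

# Constructed observations, one (package, indicator_type, indicator_value) per row.
# Only the tpcp.tar.gz filename comes from the article; fingerprints and C2 ids are placeholders.
OBSERVATIONS = [
    ("pkg-a", "rsa_key", "FINGERPRINT-1"),
    ("pkg-a", "filename", "tpcp.tar.gz"),
    ("pkg-b", "filename", "tpcp.tar.gz"),
    ("pkg-b", "c2", "canister-id-placeholder-1"),
    ("pkg-c", "rsa_key", "FINGERPRINT-1"),
    ("pkg-d", "c2", "canister-id-placeholder-2"),
    ("pkg-e", "filename", "README.md"),
]
# Indicators too common to pivot on; linking on them would merge unrelated packages.
GENERIC = {("filename", "README.md")}


def pivots(observations, generic=GENERIC):
    """Map each non-generic indicator seen in more than one package to those packages."""
    seen = defaultdict(set)
    for pkg, itype, value in observations:
        if (itype, value) not in generic:
            seen[(itype, value)].add(pkg)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


def cluster_by_overlap(observations, generic=GENERIC):
    """Union-find: packages sharing any non-generic indicator, transitively, form one cluster."""
    parent = {pkg: pkg for pkg, _, _ in observations}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving keeps lookups short
            x = parent[x]
        return x

    for pkgs in pivots(observations, generic).values():
        for other in pkgs[1:]:
            parent[find(other)] = find(pkgs[0])
    groups = defaultdict(list)
    for pkg in parent:
        groups[find(pkg)].append(pkg)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    for indicator, pkgs in pivots(OBSERVATIONS).items():
        print(f"pivot {indicator}: {pkgs}")
    print("clusters:", cluster_by_overlap(OBSERVATIONS))
```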
Enterprise AI Security
Every enterprise running LiteLLM, DSPy, CrewAI, or any other AI framework that proxies through LiteLLM was potentially affected. That's a large and rapidly growing population: enterprise AI adoption has been explosive, and LiteLLM is the de facto API aggregation layer for many of these deployments.
Enterprise AI security is the fastest-growing specialty in the field right now. This incident will accelerate that hiring. If you have both security fundamentals and practical LLM/AI infrastructure knowledge, you are in the most favorable job market position in this industry.
The Skills Employers Are Now Asking About
To summarize what this campaign surfaced as concrete, demonstrable skills:
- SBOM generation and verification at build time
- SLSA artifact attestation (levels 2-3 for critical build paths)
- GitHub Actions security: SHA pinning, OIDC credential management, step-level access control
- MITRE ATT&CK T1546.018 (Python Startup Hooks) detection and remediation
- ICP/decentralized C2 analysis (emerging; relatively few practitioners have this)
- Threat actor attribution using infrastructure overlap and TTP consistency
- Behavioral detection in CI/CD environments: subprocess monitoring, network connection analysis, file system anomaly detection
Further Reading
- Poisoned Security Scanner: Backdooring LiteLLM (Snyk's technical analysis)
- LiteLLM + Trivy Supply Chain Attack Forensics (forensic breakdown of the full campaign)
The TeamPCP campaign represents a meaningful escalation in supply chain attack sophistication: AI-assisted targeting, blockchain-based C2, geopolitical kill switches, and coordination with extortion groups. The organizations that emerge from this era with strong security postures will be the ones that invested in supply chain expertise before the incident, not after.
If you're building those skills now, you're ahead of the market. This week made sure of it.