Aliases
PCPcat, ShellForce, DeadCatx3, CipherForce
Tags
Attribution
💰Cybercrime
Incidents
TeamPCP Cloud-Native Campaign Targeting Exposed Control PlanesTrivy supply chain attackLiteLLM supply chain attackKICS supply chain attackXinference Compromised in Supply Chain AttackCheckmarx KICS and Bitwarden CLI Compromised in Fresh Supply Chain AttackSupply Chain Campaign Targets SAP npm Packages with Credential-Stealing MalwareLightning and Intercom Packages Compromised in Supply Chain AttackCompromise of Checkmarx Jenkins AST Plugin by TeamPCPTanstack and other Packages Compromised in Supply Chain AttackNew Mini-Shai-Hulud Wave Targets NPM, PyPi Packages and VSCode ExtensionTeamPCP Claims Breach of Internal GitHub Repositories
Last edited
May 20, 2026 10:47 AM
Status
Stub
Cloud-fluent
TeamPCP is a financially motivated threat actor specializing in cloud-native infrastructure compromise. First tracked in late 2025, the group conducts worm-driven campaigns targeting exposed Docker APIs, Kubernetes clusters, and CI/CD pipelines. Their operations combine supply chain poisoning with aggressive credential harvesting, using memory scraping techniques to extract secrets from GitHub Actions runners and cloud workloads. TeamPCP monetizes access through ransomware deployment, cryptomining, and extortion. The group demonstrates sophisticated operational security, leveraging ephemeral infrastructure including Cloudflare Tunnels, typosquatted domains, and ICP-hosted fallback C2.