logo

FBI Says TeamPCP Uses Trojanized Updates to Steal Cloud Tokens, SSH Keys, and Kubernetes Secrets

ID: b31d3725-5cff-5610-a945-65ec360414c2

STIX ID: report--b31d3725-5cff-5610-a945-65ec360414c2

Feed Name: GBHackers

Threat Score
90/100

Date Published: 2026-07-03

Date Updated: 2026-07-03

Author: Mayura Kathir

...
...

The FBI warns that TeamPCP conducted a sophisticated 2026 software supply-chain campaign by injecting malicious code into widely used tooling (notably Trivy, KICS, LiteLLM, and the Telnyx Python SDK) to harvest cloud access tokens, SSH keys, Kubernetes secrets and LLM API keys at scale; multiple self-propagating malware components exfiltrated encrypted credentials across npm/PyPI and CI/CD environments, with technical indicators and immediate mitigation steps (rotate secrets, pin to commit SHAs, enforce least privilege and phishing-resistant MFA, and search for repos created by the worm) provided.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.