TeamPCP Supply Chain Campaign: A March 2026 Retrospective
ID: 6a17e7d8-c0c9-5aa7-9d64-027217ea28a0
STIX ID: report--6a17e7d8-c0c9-5aa7-9d64-027217ea28a0
Feed Name: OpenSourceMalware Blog
Date Published: 2026-03-26
Date Updated: 2026-06-20
Author: cb482791-4ef1-4762-96ad-b0ca4bdd538e
TeamPCP executed a high-speed, multi-phase supply-chain campaign in March 2026 that began with a stolen Trivy CI PAT and led to poisoned GitHub Actions, malicious releases across GitHub Releases, Docker registries, npm and PyPI packages (including litellm and telnyx), internal org defacements, and credential exfiltration to attacker-controlled C2 infrastructure; the operation combined automated propagation (CanisterWorm), credential harvesting, package backdoors/stealers, and a geotargeted Iran wiper, with numerous IOCs and remediation guidance provided.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
