By Allan D - Editor, AI Security Wire
TeamPCP (UNC6780): Inside the Supply Chain Worm Targeting AI Tools
Between March and May 2026, a financially motivated threat actor group ran the most consequential series of developer supply chain attacks publicly documented to date. TeamPCP, formally tracked as UNC6780 by Google’s Threat Intelligence Group and also reported under the aliases DeadCatx3, PCPcat, ShellForce, and CanisterWorm, compromised a Trivy security scanner release, backdoored LiteLLM on PyPI, deployed a self-propagating cross-ecosystem worm across 170+ packages, and ultimately exfiltrated approximately 3,800 internal GitHub repositories. The group specifically targeted AI developer tooling at each stage. Here is what happened.
Campaign One: The Trivy Compromise (CVE-2026-33634)
On March 19, 2026, TeamPCP used compromised credentials to push a malicious Trivy v0.69.4 release. More critically, they force-pushed 76 of the 77 version tags in the aquasecurity/trivy-action GitHub Actions workflow to point to credential-stealing code, and replaced all 7 tags in aquasecurity/setup-trivy. Every CI/CD pipeline pinned to a tag (rather than a full commit SHA) immediately began running the SANDCLOCK payload.
SANDCLOCK is a dedicated credential extraction tool. It targets Kubernetes ServiceAccount tokens, local environment variables, AWS credentials, GitHub tokens, and SSH keys. It exfiltrates over channels disguised as legitimate telemetry endpoints, mimicking monitoring service domains. Google’s Mandiant unit assessed that more than 10,000 CI/CD workflow runs were affected before the compromise was detected and the tags were restored on March 25.
The vulnerability at the root of the attack is architectural rather than a software bug: mutable version tags in GitHub Actions are a known risk. A tag reference such as uses: aquasecurity/trivy-action@<version-tag> is a pointer, not a content hash. If the tag is moved, every future run picks up whatever the tag now points to. CISA has recommended pinning Actions to full commit SHAs for years; the scale of this compromise illustrates why the recommendation matters.
A secondary payload from the Trivy campaign was a Kubernetes wiper deployed to some affected environments alongside the credential stealer. Organisations with RBAC-misconfigured Kubernetes clusters that ran Trivy in CI against container registries reported cluster data wiped in addition to credential theft.
Campaign Two: LiteLLM on PyPI (March 24, 2026)
Five days after the Trivy compromise began, TeamPCP extended to LiteLLM, the widely deployed AI proxy that routes requests across OpenAI, Anthropic, Azure, and other LLM APIs. Versions 1.82.7 and 1.82.8 were published to PyPI containing a three-stage payload: credential harvesting, Kubernetes lateral movement, and a persistent remote code execution backdoor.
The poisoned versions were live on PyPI from approximately 10:39 UTC on March 24 for around 40 minutes before PyPI security responded and quarantined them. Forty minutes is long enough. Any automated dependency update process, any fresh Docker build in that window, any developer running pip install litellm pulled the malicious versions.
The choice of LiteLLM is strategically deliberate. A LiteLLM proxy instance holds API keys for every LLM provider it fronts. Credential harvesting from a compromised LiteLLM deployment typically yields multiple high-value API credentials simultaneously: production OpenAI or Anthropic API keys, Azure OpenAI credentials, and AWS credentials for Bedrock. The attack converts LiteLLM from a trust aggregation point into a credential exfiltration target.
TeamPCP also compromised the wider LiteLLM ecosystem along the same path as Trivy: several downstream packages that depended on LiteLLM, and whose version constraints accepted the poisoned releases, were affected. Trend Micro documented the lateral spread path.
Campaign Three: Mini Shai-Hulud (May 2026)
The May campaign was distinct in method. Mini Shai-Hulud, the name given to the third TeamPCP campaign wave, is a self-propagating supply chain worm. Between May 11 and May 19, 2026, it compromised 170+ npm and PyPI packages with a combined download count exceeding 518 million. Affected packages included TanStack Query, Mistral AI’s Python SDK, and Guardrails AI.
The worm’s propagation mechanism is what separates it from prior supply chain attacks. After infecting a maintainer’s CI/CD environment via a compromised dependency, it uses the harvested GitHub tokens and npm/PyPI publish credentials to publish poisoned minor version increments of other packages maintained by that developer or organisation. Each newly compromised package extends the infection radius. The campaign required no human operator involvement after initial deployment.
Two technical capabilities made this possible at scale. First, TeamPCP demonstrated the ability to forge SLSA Build Level 3 provenance attestations, defeating an integrity control many organisations had deployed specifically in response to prior supply chain attacks. Second, the worm extracted OIDC tokens directly from GitHub Actions runner process memory, bypassing the standard environment variable access controls that GitHub Actions uses to protect secrets.
The worm also injected persistence hooks into Claude Code and VS Code on infected developer machines, ensuring SANDCLOCK would survive reboots and continue exfiltrating credentials from the developer’s local environment independently of any package the developer subsequently published.
On May 12, 2026, during the active campaign, TeamPCP published the Shai-Hulud worm source code to GitHub under an MIT License with the message “Shai-Hulud: Open Sourcing The Carnage.” The repository was taken down within hours, but the source code had already propagated.
The GitHub Breach (May 18, 2026)
The final publicly confirmed escalation of the spring campaign came on May 18. A trojanized build of Nx Console v18.95.0, an Angular and React project management extension with a verified publisher badge and approximately 2.2 million installs, was live on Visual Studio Marketplace for 18 minutes. A GitHub employee applied a routine extension update during that window.
The harvested credentials proved sufficient to exfiltrate approximately 3,800 internal GitHub source code repositories. SANS ISC reported that Cisco source code was also stolen via a Trivy-linked breach during the broader campaign. The FBI issued a public advisory warning that TeamPCP operations put developer environments and cloud credentials at systemic risk.
SANDCLOCK Indicators and Tooling
SANDCLOCK exhibits several consistent detection patterns across the campaign waves:
- DNS queries to domains mimicking monitoring services (patterns include telemetry-[vendor]-[region].net and metrics-collector-[product].io) resolving to unfamiliar infrastructure
- Subprocess execution of env, printenv, and cat ~/.aws/credentials shortly after package import
- Outbound connections to api.cloudflare.com with unusual HTTP headers, used as a covert exfiltration channel in some variants
- .bashrc and .zshrc modifications adding base64-encoded commands (the VS Code/Claude Code persistence mechanism)
Yara rules and SIGMA detections for SANDCLOCK variants are published in the accompanying CISA advisory from late May 2026.
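As an added illustration (not from the article or the CISA advisory), the following script matches two of the indicator classes above against constructed sample data: resolver log lines whose queried name follows the telemetry-[vendor]-[region].net or metrics-collector-[product].io shape, and shell rc lines that decode a base64 blob into a shell. The resolver log format, domain names and rc contents are assumptions built for this example.

```python
"""Match two SANDCLOCK indicator classes from the list above against sample data:
lookalike DNS names (telemetry-<vendor>-<region>.net, metrics-collector-<product>.io)
and rc-file lines that decode a base64 blob into a shell. All sample values are
constructed placeholders for this example, not real indicators."""
import re

# Lookalike shapes taken from the indicator list above.
DNS_PATTERNS = {
    "telemetry-lookalike": re.compile(r"^telemetry-[a-z0-9]+-[a-z0-9-]+\.net\.?$", re.I),
    "metrics-collector-lookalike": re.compile(r"^metrics-collector-[a-z0-9-]+\.io\.?$", re.I),
}
# An encoded rc hook needs a base64-looking token, a decode call, and an executor.
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")
B64_DECODE_RE = re.compile(r"\bbase64\s+(-d|-D|--decode)\b")
SHELL_EXEC_RE = re.compile(r"\b(sh|bash|zsh|eval)\b")

def classify_dns(qname: str) -> str:
    """Return the matching indicator label, or '' if the name is not a lookalike."""
    for label, pattern in DNS_PATTERNS.items():
        if pattern.match(qname.strip()):
            return label
    return ""

def scan_dns_log(lines: list) -> list:
    """Scan 'timestamp client qname' lines; return (qname, label) for each hit."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) >= 3 and (label := classify_dns(fields[2])):
            hits.append((fields[2], label))
    return hits

def find_encoded_shell_hooks(rc_text: str) -> list:
    """Return 1-based line numbers of rc lines that decode base64 and run it."""
    return [n for n, line in enumerate(rc_text.splitlines(), 1)
            if B64_TOKEN_RE.search(line) and B64_DECODE_RE.search(line)
            and SHELL_EXEC_RE.search(line)]

# Constructed resolver log: timestamp, client address, queried name.
SAMPLE_DNS_LOG = [
    "2026-05-14T09:12:01Z 10.0.4.21 telemetry-examplevendor-eu1.net",
    "2026-05-14T09:12:02Z 10.0.4.21 metrics-collector-exampleproduct.io",
    "2026-05-14T09:12:03Z 10.0.4.22 registry.npmjs.org",
    "2026-05-14T09:12:04Z 10.0.4.22 telemetry.example-vendor.com",
]
# Constructed .zshrc; the blob on line 3 decodes to the harmless 'echo hello'.
SAMPLE_ZSHRC = 'export EDITOR=vim\nalias ll="ls -la"\neval "$(echo ZWNobyBoZWxsbw== | base64 -d)"\n'

if __name__ == "__main__":
    print(scan_dns_log(SAMPLE_DNS_LOG), find_encoded_shell_hooks(SAMPLE_ZSHRC))
```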
Defensive Priorities
Pin GitHub Actions to commit SHAs, not tags. This is the direct lesson from the Trivy campaign. Tags are mutable. A tag-pinned Action is only as trustworthy as whoever controls the tag at runtime. The format is: uses: aquasecurity/trivy-action@a13a3f4... with the full SHA. Dependabot and Renovate can automate SHA pin maintenance.
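The tag-versus-SHA distinction explained in the Trivy section and this first defensive priority can be checked mechanically. The following scanner is an added example, not code from the article or from any of the projects it names; the sample workflow, the placeholder SHA and the version strings in it are constructed, and the check treats anything other than a 40-hex-digit reference as mutable.

```python
"""Audit GitHub Actions workflow text for 'uses:' references that are not pinned
to a full commit SHA. A tag such as @v1 is a pointer the tag owner can move; a
40-hex-digit SHA is content-addressed and cannot be repointed. Sample workflow,
action names and the SHA below are constructed placeholders for this example."""
import re
from dataclasses import dataclass

# Value of a 'uses:' key, tolerating list dashes, quotes and trailing comments.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"#\s]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

@dataclass
class Finding:
    action: str  # owner/repo[/path], or the raw value for local/docker refs
    ref: str     # whatever follows '@' ('' if absent)
    kind: str    # 'sha', 'mutable', 'unpinned', 'local' or 'docker'

def classify(uses_value: str) -> Finding:
    """Classify one 'uses:' value by how its revision is pinned."""
    if uses_value.startswith("./"):          # action vendored in this repository
        return Finding(uses_value, "", "local")
    if uses_value.startswith("docker://"):   # container image, pinned separately
        return Finding(uses_value, "", "docker")
    action, sep, ref = uses_value.partition("@")
    if not sep:
        return Finding(action, "", "unpinned")   # follows the default branch
    if FULL_SHA_RE.match(ref):
        return Finding(action, ref, "sha")
    return Finding(action, ref, "mutable")       # tag, branch or short SHA

def audit_workflow(yaml_text: str) -> list:
    """Return every third-party action that is not pinned to a full commit SHA."""
    return [f for f in map(classify, USES_RE.findall(yaml_text))
            if f.kind in ("mutable", "unpinned")]

# Constructed sample workflow; the SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """
jobs:
  scan:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # pinned
      - uses: aquasecurity/trivy-action@v1      # mutable tag (placeholder version)
      - uses: "aquasecurity/setup-trivy@main"   # branch, also mutable
      - uses: ./.github/actions/local-step
      - uses: example-org/example-action        # no ref at all
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{f.kind:9} {f.action}@{f.ref or '<none>'}")
```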
Scope CI/CD pipeline secrets tightly. A Trivy scan workflow does not need write access to a production Kubernetes cluster. The SANDCLOCK Kubernetes lateral movement was only possible where CI/CD credentials carried cluster permissions far beyond the scan use case. Audit secret scopes and rotate any credentials exposed in pipeline runs between March 19 and May 25.
Audit VS Code extensions installed in May 2026. If any developer machine applied an Nx Console update between 10:00 and 10:18 UTC on May 18, treat the machine as potentially compromised. Remove the extension, rotate all credentials accessible from that environment, and review for SANDCLOCK persistence indicators in shell configuration files.
Treat SLSA attestation as a necessary but not sufficient control. Mini Shai-Hulud demonstrated that SLSA Build Level 3 attestations can be forged given sufficient access to the build environment. Attestation remains valuable; it should be combined with package lock files, dependency pinning, and runtime monitoring rather than treated as a standalone integrity guarantee.
Monitor for AI credential exposure specifically. LLM API keys harvested from compromised developer environments have a large blast radius: they can fund compute-intensive attacks, enable model theft, or be sold on underground markets. LLM provider APIs should be treated as high-value credentials on par with cloud console access. Rotate them on a regular schedule and set usage alerts.
The FBI and CISA advisories from May 2026 include the full indicator list and a coordinated disclosure timeline. The TeamPCP campaign represents the most complete demonstration to date of how developer tool supply chains, AI infrastructure, and credential harvesting can be chained into a persistent, self-propagating threat.
Frequently Asked Questions
- What distinguishes TeamPCP from typical supply chain threat actors?
- TeamPCP built a self-propagating worm (Mini Shai-Hulud) that crosses ecosystem boundaries autonomously — spreading from a compromised npm package into PyPI, GitHub Actions, Docker Hub, VS Code, and Kubernetes without requiring human operator involvement after initial seeding. The group also demonstrated the ability to forge SLSA Build Level 3 provenance attestations, defeating a supply chain integrity control many enterprises treat as authoritative. Most supply chain attackers operate within one ecosystem; TeamPCP treats the entire developer toolchain as a single attack surface.
- Why did TeamPCP specifically target LiteLLM and Trivy?
- Both packages sit at high-privilege positions in developer pipelines. Trivy runs in CI/CD as a trusted security scanner with access to environment secrets; compromising it means every pipeline that runs Trivy is a potential credential extraction point. LiteLLM is a widely deployed AI gateway proxy that handles API keys for multiple LLM providers — credentials harvested from a compromised LiteLLM instance typically include OpenAI, Anthropic, Azure, and AWS credentials simultaneously. Targeting security and AI infrastructure rather than application code gives access to credentials with outsized downstream reach.
- What should security teams prioritise in response to the TeamPCP campaigns?
- Pin all GitHub Actions to full commit SHAs rather than mutable version tags — this is the root cause of the Trivy campaign's scale. Audit PyPI packages with versions installed between March 19 and May 25, 2026 for SANDCLOCK indicators. Remove any VS Code extensions installed during the May 18 window if an Nx Console update was applied on that date. Review CI/CD secret scoping: pipeline secrets should be scoped to the minimum required permissions and rotated after any suspected exposure. CISA and FBI advisories from late May 2026 include indicators of compromise for SANDCLOCK.