Cyber Criminal Group TeamPCP

The Federal Bureau of Investigation (FBI) has released an alert to highlight the tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with the cyber criminal group TeamPCP.

TeamPCP actors have conducted large-scale software supply chain compromises by targeting widely used developer and security tools, gaining access to victim environments and extracting sensitive data, including but not limited to cloud access tokens, SSH keys, and Kubernetes secrets. The FBI encourages organizations to contact the FBI if they have been compromised, and to implement the actions in the Recommendations section to reduce the likelihood and impact of compromise by TeamPCP actors.

In 2026, TeamPCP compromised trusted software distribution channels by injecting malicious code into legitimate packages to modify software components and development dependencies. This allowed the threat actors to push trojanized updates that appeared normal but secretly installed credential-stealing malware and persistent backdoors, giving the threat actors persistent access to developer environments and downstream systems.

TeamPCP modified tools including, but not limited to, Trivy, KICS, LiteLLM, and the Telnyx Python SDK. These tools are commonly integrated into enterprise development continuous integration (CI)/continuous delivery (CD) pipelines, cloud infrastructure, and security workflows. By weaponizing these supply chain entry points, the threat actors were able to introduce malicious code into victim environments at scale.

TeamPCP has also engaged in extortion and collaboration with cyber actors from other threat actor groups, including publishing victim names on a public leak site and threatening disclosure of stolen data. Organizations impacted by this campaign should treat exfiltrated data and credentials as a persistent risk, as affiliated threat actors are likely to weaponize them long after the initial compromise.

Further details, including all IOCs, are available at https://www.ic3.gov/CSA/2026/260702.pdf

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
