FBI Warns of TeamPCP Supply Chain Attacks Impacting Widely Used Software Tools

The Federal Bureau of Investigation (FBI) has issued a FLASH on the cybercriminal group TeamPCP, which has carried out large-scale software supply chain compromises by targeting widely used developer and security tools. The group has infiltrated victim environments and extracted sensitive data, including cloud access tokens, SSH keys, and Kubernetes secrets. TeamPCP has also engaged in extortion and collaboration with cyber actors from other threat actor groups, publishing victim names on a public leak site and threatening to release stolen data.

In 2026, TeamPCP compromised trusted software distribution channels by injecting malicious code into legitimate packages to modify software components and development dependencies. This allowed the threat actors to push trojanized updates that appeared normal but secretly installed credential-stealing malware and persistent backdoors, giving the threat actors persistent access to developer environments and downstream systems.

TeamPCP modified tools including, but not limited to, Trivy, KICS, LiteLLM, and the Telnyx Python SDK. These tools are commonly integrated into enterprise development continuous integration (CI)/continuous delivery (CD) pipelines, cloud infrastructure, and security workflows. By weaponizing these supply chain entry points, the threat actors were able to introduce malicious code into victim environments at scale. TeamPCP has also engaged in extortion and collaboration with cyber actors from other threat actor groups, including publishing victim names on a public leak site and threatening disclosure of stolen data. Organizations impacted by this campaign should treat exfiltrated data and credentials as a persistent risk, as affiliated threat actors are likely to weaponize them long after the initial compromise.

The FBI encourages organizations to contact the FBI if they have been compromised, and to implement the actions in the Recommendations section to reduce the likelihood and impact of compromise by TeamPCP actors.

Read the full FBI Flash here.

The Government Technology & Services Coalition's Homeland Security Today (HSToday) is the premier news and information resource for the homeland security community, dedicated to elevating the discussions and insights that can support a safe and secure nation. A non-profit magazine and media platform, HSToday provides readers with the whole story, placing facts and comments in context to inform debate and drive realistic solutions to some of the nation’s most vexing security challenges.
