TeamPCP Cloud stealer
TeamPCP Cloud Stealer is an information-stealing malware payload used by the TeamPCP threat group in a March 2026 multi-ecosystem software supply chain campaign. It was deployed through compromised developer and security tooling including Aqua Security Trivy and its GitHub Actions, Checkmarx KICS and AST GitHub Actions and related OpenVSX extensions, and malicious LiteLLM PyPI releases. The malware is repeatedly described as purpose-built for CI/CD runner environments and self-identifies through the embedded string "TeamPCP Cloud stealer," which is cited as a key attribution marker. TeamPCP is also tracked as DeadCatx3, PCPcat, and ShellForce.
Its core behavior is credential and secret harvesting. Reported collection targets include GitHub Actions Runner.Worker process memory, SSH keys, Git credentials, AWS, Google Cloud, and Microsoft Azure credentials, Kubernetes tokens and secrets, Docker credentials, .env files, database credentials, CI/CD configurations, TLS private keys, VPN data, Slack and Discord webhook URLs, and cryptocurrency wallet data including Solana wallets. Multiple reports state it dumps runner memory via /proc/*/mem, searches more than 50 filesystem paths for secrets, queries the AWS Instance Metadata Service at 169.254.169.254 for IAM credentials, and performs host reconnaissance with commands such as hostname, pwd, whoami, uname -a, ip addr, and printenv.
The malware preserves normal tool functionality while stealing data, helping infected Trivy, GitHub Actions, and LiteLLM components appear to operate normally. Stolen data is commonly archived as tpcp.tar.gz, encrypted with AES-256 or AES-256-CBC and RSA-4096 hybrid encryption, and exfiltrated to attacker-controlled infrastructure. Reported exfiltration endpoints include scan.aquasecurtiy[.]org, checkmarx[.]zone, and models.litellm[.]cloud. Several reports also describe fallback exfiltration by creating GitHub repositories named tpcp-docs or docs-tpcp inside victim organizations and uploading stolen data there.
Additional behavior reported in some deployments includes persistence and follow-on payload retrieval. The malicious Trivy binary reportedly attempted persistence on developer machines by writing ~/.config/systemd/user/sysmon.py and creating a systemd user service. The LiteLLM variant reportedly installed a disguised systemd user-service backdoor and, in version 1.82.8, a litellm_init.pth file that caused execution whenever Python started. Some reporting also states the LiteLLM variant attempted Kubernetes lateral movement by deploying privileged pods across cluster nodes.
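The `.pth` persistence described above can be audited on a host with a short script; this is an added example, not code from the page or from any vendor report. Function names are hypothetical and the sample file contents are constructed. Legitimate packages also ship `.pth` files with `import` lines, so a hit on anything other than the reported file name is a lead to review rather than a verdict.

```python
import site
import tempfile
from pathlib import Path

# File name reported on this page for the LiteLLM 1.82.8 persistence hook.
REPORTED_NAME = "litellm_init.pth"

def executable_lines(pth_file):
    """Return (line_number, text) for each line the site module would exec().

    site executes a .pth line only when it starts with "import" followed by
    a space or tab; every other non-comment line is treated as a path entry.
    """
    hits = []
    text = Path(pth_file).read_text(encoding="utf-8", errors="replace")
    for number, line in enumerate(text.splitlines(), 1):
        if line.startswith(("import ", "import\t")):
            hits.append((number, line.strip()))
    return hits

def audit(directories):
    """Map each .pth path that runs code, or has the reported name, to those lines."""
    findings = {}
    for directory in directories:
        for pth_file in sorted(Path(directory).glob("*.pth")):
            hits = executable_lines(pth_file)
            if hits or pth_file.name == REPORTED_NAME:
                findings[str(pth_file)] = hits
    return findings

def interpreter_site_dirs():
    """Site directories of the running interpreter (global and per-user)."""
    dirs = list(getattr(site, "getsitepackages", lambda: [])())
    return dirs + [site.getusersitepackages()]

def demo():
    """Audit constructed sample files written to a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = {
            "paths_only.pth": "# comment\n../vendor/lib\n",
            "editable_hook.pth": "import sys; sys.dont_write_bytecode = True\n",
            REPORTED_NAME: "import os  # constructed stand-in, not the real payload\n",
        }
        for name, body in samples.items():
            Path(tmp, name).write_text(body, encoding="utf-8")
        return {Path(k).name: v for k, v in audit([tmp]).items()}

if __name__ == "__main__":
    print(demo())
    print(audit(d for d in interpreter_site_dirs() if Path(d).is_dir()))
```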
The malware was associated with supply chain compromises, with the Trivy-related campaign tracked under CVE-2026-33634, and was linked to downstream victim intrusions affecting organizations that used compromised versions during March 2026. High-confidence indicators include scan.aquasecurtiy[.]org, checkmarx[.]zone, models.litellm[.]cloud, 45.148.10.212, 83.142.209.11, 83.142.209.203, the archive name tpcp.tar.gz, and attacker-created GitHub repositories named tpcp-docs or docs-tpcp.
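The network indicators and fallback repository names listed above can be matched against egress logs and a GitHub audit log export as follows. This is an added example, not tooling from the page: the log layout, the audit event fields (`action`, `actor`, `repo`) and all sample records are assumptions constructed for illustration.

```python
import json

# Indicators as listed on this page, kept defanged in the source text.
DEFANGED_DOMAINS = ["scan.aquasecurtiy[.]org", "checkmarx[.]zone", "models.litellm[.]cloud"]
IPS = {"45.148.10.212", "83.142.209.11", "83.142.209.203"}
REPO_NAMES = {"tpcp-docs", "docs-tpcp"}
DOMAINS = {d.replace("[.]", ".") for d in DEFANGED_DOMAINS}

def host_is_listed(host):
    """Exact or subdomain match only, so a name that merely ends in a listed string is not flagged."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in DOMAINS)

def scan_egress(lines):
    """Assumed layout per line: timestamp source method dest_host dest_ip."""
    hits = []
    for index, line in enumerate(lines):
        fields = line.split()
        if len(fields) < 5:
            continue  # truncated or malformed line
        host, ip = fields[3], fields[4]
        if host_is_listed(host):
            hits.append((index, "domain", host))
        elif ip in IPS:
            hits.append((index, "ip", ip))
    return hits

def scan_repo_creations(jsonl_lines):
    """Flag repo.create events whose repository name is a reported fallback name."""
    hits = []
    for raw in jsonl_lines:
        event = json.loads(raw)
        name = event.get("repo", "").rsplit("/", 1)[-1].lower()
        if event.get("action") == "repo.create" and name in REPO_NAMES:
            hits.append((event.get("actor"), event["repo"]))
    return hits

# Constructed sample data, not taken from any real incident.
EGRESS = [s.replace("[.]", ".") for s in [
    "2026-03-20T09:00:01Z runner-12 POST scan.aquasecurtiy[.]org 203.0.113.9",
    "2026-03-20T09:00:03Z runner-31 POST cdn.example.net 83.142.209.203",
    "2026-03-20T09:00:04Z runner-31 POST notcheckmarx[.]zone 198.51.100.8",
]]
AUDIT = [
    '{"action": "repo.create", "actor": "ci-bot", "repo": "acme/tpcp-docs"}',
    '{"action": "repo.create", "actor": "alice", "repo": "acme/api-docs"}',
]

if __name__ == "__main__":
    print(scan_egress(EGRESS), scan_repo_creations(AUDIT))
```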
Vulnerabilities exploited
2 CVEs Mallory has correlated with this family across public research and vendor advisories.
On 19 March, TeamPCP launched a coordinated multi-channel attack that resulted in CVE-2026-33634, a supply chain compromise affecting the official Trivy distribution infrastructure. | Deployed "TeamPCP Cloud Stealer", a purpose-built payload designed for CI/CD runner environments that dumped process memory from the GitHub Actions runner, swept SSH keys, cloud provider credentials, and Kubernetes secrets, then encrypted and exfiltrated the collected data using AES-256 and RSA-4096 to attacker-controlled servers.
Their malware consistently self-identifies through an embedded string, “TeamPCP Cloud stealer,” which has become one of the clearest attribution markers across all campaign phases.
Groups observed using it
3 distinct threat actors attributed by public researchers.
Security analysts have linked the activity to the TeamPCP threat group, which has conducted a series of supply chain attacks targeting developer platforms including GitHub, PyPI, npm, and Docker. The group is known for deploying a credential-harvesting tool referred to as the TeamPCP Cloud Stealer.
When the infected software runs, the TeamPCP Cloud Stealer searches the system memory and files for digital master keys that allow access to a company’s servers. It specifically hunts for Kubernetes tokens and Solana cryptocurrency wallets.
The malware self-identifies as TeamPCP Cloud stealer in a Python comment on the final line of the embedded filesystem credential harvester.
Techniques & procedures
26 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
3 techniques
Cisco Systems... experienced a cyberattack in which threat actors infiltrated its internal development environment using stolen credentials obtained through a recent supply chain compromise... During the incident, attackers obtained multiple Amazon Web Services keys and used them to carry out unauthorized activities across a limited number of Cisco cloud accounts.
The TeamPCP hacking group continues its supply-chain rampage, now compromising the massively popular "LiteLLM" Python package on PyPI... threat actors compromised the project and published malicious versions of LiteLLM 1.82.7 and 1.82.8 to PyPI today that deploy an infostealer.
Execution
5 techniques
Version 1 - Monolithic Architecture: A 150-line bash script focused on environment fingerprinting and immediate credential harvesting...
Like in the case of Trivy, the threat actors have been found to force-push tags to malicious commits containing the stealer payload ('setup.sh'). ... They have also been observed targeting Kubernetes clusters with a malicious shell script that wipes all machines when it detects systems matching the Iranian time zone and locale.
The dropper sleeps 5 minutes, then polls the ICP blockchain-hosted C2 for a second-stage payload URL, downloads it to /tmp/pglog, and executes it.
Persistence
4 techniques
Version 1.82.8 introduces a more aggressive feature that installs a '.pth' file named 'litellm_init.pth' to the Python environment. Because Python automatically processes all '.pth' files when the interpreter starts, the malicious code would be executed whenever Python is run.
Cisco Systems... experienced a cyberattack in which threat actors infiltrated its internal development environment using stolen credentials obtained through a recent supply chain compromise... During the incident, attackers obtained multiple Amazon Web Services keys and used them to carry out unauthorized activities across a limited number of Cisco cloud accounts.
The cloud stealer payload also includes an additional base64 encoded script that is installed as a systemd user service disguised as a "System Telemetry Service," which periodically contacts a remote server at checkmarx[.]zone to download and execute additional payloads.
Privilege Escalation
4 techniques
Version 1.82.8 introduces a more aggressive feature that installs a '.pth' file named 'litellm_init.pth' to the Python environment. Because Python automatically processes all '.pth' files when the interpreter starts, the malicious code would be executed whenever Python is run.
Cisco Systems... experienced a cyberattack in which threat actors infiltrated its internal development environment using stolen credentials obtained through a recent supply chain compromise... During the incident, attackers obtained multiple Amazon Web Services keys and used them to carry out unauthorized activities across a limited number of Cisco cloud accounts.
The cloud stealer payload also includes an additional base64 encoded script that is installed as a systemd user service disguised as a "System Telemetry Service," which periodically contacts a remote server at checkmarx[.]zone to download and execute additional payloads.
Stealth
5 techniques
The malicious code was injected into 'litellm/proxy/proxy_server.py' as a base64 encoded payload, which is decoded and executed whenever the module is imported.
Egress traffic was routed via POST requests to typosquatted domains designed to blend into manual log reviews: scan.aquasecurtiy[.]org for Trivy, and checkmarx[.]zone (83.142.209.11) or audit.checkmarx[.]cx for Checkmarx.
Cisco Systems... experienced a cyberattack in which threat actors infiltrated its internal development environment using stolen credentials obtained through a recent supply chain compromise... During the incident, attackers obtained multiple Amazon Web Services keys and used them to carry out unauthorized activities across a limited number of Cisco cloud accounts.
Credential Access
7 techniques
Deployed 'TeamPCP Cloud Stealer', a purpose-built payload designed for CI/CD runner environments that dumped process memory from the GitHub Actions runner...
The Trivy breach also affected the LiteLLM open-source Python library in an attack that infected tens of thousands of devices with its "TeamPCP Cloud Stealer" information-stealing malware.
The worm steals an npm token, then automatically republishes itself into every package that token can touch.
...swept SSH keys, cloud provider credentials, and Kubernetes secrets...
A 150-line bash script focused on environment fingerprinting and immediate credential harvesting from AWS/GCP/Azure credentials using the compromised endpoint’s instance metadata service (IMDS).
Discovery
1 technique
Collection
2 techniques
Command and Control
2 techniques
If the primary C2 server failed, the payload used the backup domain tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0[.]io.
The cloud stealer payload also includes an additional base64 encoded script that is installed as a systemd user service disguised as a "System Telemetry Service," which periodically contacts a remote server at checkmarx[.]zone to download and execute additional payloads.
Exfiltration
3 techniques
a Python infostealer, which exfiltrated CI/CD secrets to attacker-controlled infrastructure.
Egress traffic was routed via POST requests to typosquatted domains designed to blend into manual log reviews: scan.aquasecurtiy[.]org for Trivy, and checkmarx[.]zone (83.142.209.11) or audit.checkmarx[.]cx for Checkmarx. If egress firewalls blocked the HTTPS connections, the malware used a highly resilient fallback. It authenticated to the GitHub API using the victim’s own stolen PAT, autonomously generated a public repository named tpcp-docs, and uploaded the encrypted archive as a release asset.
IOCs tracked for this family
143 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
23 sources tracked across advisories, community write-ups, and news.
An information-stealing malware used in a supply-chain attack that infected tens of thousands of devices via the compromised LiteLLM open-source Python library.
A purpose-built stealer for CI/CD runner environments that dumps process memory, collects SSH keys, cloud credentials, and Kubernetes secrets, encrypts the stolen data, and exfiltrates it to attacker-controlled infrastructure. It also uses a fallback exfiltration method by creating a repository named tpcp-docs inside the victim's GitHub organization.
A purpose-built stealer for CI/CD runner environments that harvests process memory, SSH keys, cloud credentials, and Kubernetes secrets, encrypts the stolen data, and exfiltrates it to attacker-controlled infrastructure. It also has a fallback exfiltration method using a repository named tpcp-docs inside the victim GitHub organization.
Credential-stealing malware used across TeamPCP campaign phases to harvest secrets from CI/CD runners and victim environments, package them, encrypt them, and exfiltrate them for follow-on compromise.