TeamPCP Cloud stealer
TeamPCP Cloud Stealer is a credential-harvesting malware payload used in TeamPCP supply-chain attacks in March 2026, most notably against Aqua Security’s Trivy ecosystem and later in related compromises affecting Checkmarx GitHub Actions and the LiteLLM PyPI package. It is purpose-built for CI/CD and developer environments, especially GitHub Actions runners, while some variants also execute on developer hosts and Python environments.
High-confidence behavior described in the content includes dumping GitHub Actions Runner.Worker process memory via /proc/<pid>/mem to recover secrets marked in memory, harvesting environment variables and filesystem-stored credentials, and collecting SSH keys, Git credentials, cloud provider credentials for AWS, GCP, and Azure, Kubernetes tokens and secrets, Docker credentials, .env files, database credentials, CI/CD configurations, TLS private keys, VPN data, cryptocurrency wallet material including Solana wallets, and Slack and Discord webhook URLs. Reported variants also queried the AWS Instance Metadata Service at 169.254.169.254 for IAM credentials and gathered host/network reconnaissance data.
The malware preserved legitimate application functionality while running malicious logic in parallel in compromised Trivy artifacts. Stolen data was commonly bundled as tpcp.tar.gz and encrypted with hybrid AES-256 and RSA-4096 encryption, including references to AES-256-CBC and RSA-4096, before exfiltration to attacker-controlled infrastructure. Reported exfiltration endpoints included scan.aquasecurtiy[.]org, checkmarx[.]zone, and models.litellm[.]cloud; scan.aquasecurtiy[.]org resolved to 45.148.10.212 in reporting, and checkmarx[.]zone was also used in related TeamPCP activity. A fallback exfiltration mechanism created GitHub repositories named tpcp-docs, docs-tpcp, or timestamped tpcp-docs variants in victim accounts or organizations to store stolen data.
Some variants established persistence on non-CI or developer systems through a systemd user service and a script such as ~/.config/systemd/user/sysmon.py, sometimes disguised as a telemetry service. Reported persistence components polled external infrastructure including tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io or checkmarx[.]zone/raw for follow-on payloads, with a kill-switch condition tied to responses containing YouTube/youtube.
The malware is strongly associated with the TeamPCP threat group, also referenced in the content as DeadCatx3, PCPcat, ShellForce, PersyPCP, and CipherForce. The payload self-identifies in source comments as "TeamPCP Cloud stealer," and multiple reports linked attribution to TeamPCP based on this labeling and consistent tradecraft. The malware was deployed through poisoned GitHub Action tags, malicious Trivy releases and Docker images, compromised OpenVSX extensions, and malicious LiteLLM versions 1.82.7 and 1.82.8 on PyPI. Targeting centered on cloud-native, CI/CD, and developer environments, with downstream impact reported across enterprises using affected tooling.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Vulnerabilities exploited
2 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
On 19 March, TeamPCP launched a coordinated multi-channel attack that resulted in CVE-2026-33634, a supply chain compromise affecting the official Trivy distribution infrastructure. | Deployed "TeamPCP Cloud Stealer", a purpose-built payload designed for CI/CD runner environments that dumped process memory from the GitHub Actions runner, swept SSH keys, cloud provider credentials, and Kubernetes secrets, then encrypted and exfiltrated the collected data using AES-256 and RSA-4096 to attacker-controlled servers.
Their malware consistently self-identifies through an embedded string, “TeamPCP Cloud stealer,” which has become one of the clearest attribution markers across all campaign phases.
Groups observed using it
4 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
The malicious versions of these Actions run a tool self-described as "TeamPCP Cloud stealer", which dumps Runner.Worker process memory, harvests SSH, cloud, and K8s secrets, encrypts the data (using AES-256+RSA-4096), and exfiltrates it to a remote server.
Security analysts have linked the activity to the TeamPCP threat group, which has conducted a series of supply chain attacks targeting developer platforms including GitHub, PyPI, npm, and Docker. The group is known for deploying a credential-harvesting tool referred to as the TeamPCP Cloud Stealer.
When the infected software runs, the TeamPCP Cloud Stealer searches the system memory and files for digital master keys that allow access to a company’s servers. It specifically hunts for Kubernetes tokens and Solana cryptocurrency wallets.
The malware self-identifies as TeamPCP Cloud stealer in a Python comment on the final line of the embedded filesystem credential harvester.
Techniques & procedures
29 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
4 techniques
Initial Access
Cisco Systems... experienced a cyberattack in which threat actors infiltrated its internal development environment using stolen credentials obtained through a recent supply chain compromise... During the incident, attackers obtained multiple Amazon Web Services keys and used them to carry out unauthorized activities across a limited number of Cisco cloud accounts.
During the incident, attackers obtained multiple Amazon Web Services keys and used them to carry out unauthorized activities across a limited number of Cisco cloud accounts.
Execution
3 techniques
Execution
it executes a base64-encoded Python filesystem harvester signed "TeamPCP Cloud stealer"
Endor Labs reports that threat actors pushed out two malicious versions of LiteLLM today, each containing a hidden payload that executes when the package is imported.
The threat actor force-pushed 75 of 76 version tags in the aquasecurity/trivy-action repository, redirecting them to malicious commits containing the "TeamPCP Cloud stealer." When CI/CD workflows referenced these tags, the compromised action executed a multi-stage payload.
Persistence
4 techniques
Persistence
Version 1.82.8 introduces a more aggressive feature that installs a '.pth' file named 'litellm_init.pth' to the Python environment. Because Python automatically processes all '.pth' files when the interpreter starts, the malicious code would be executed whenever Python is run.
Cisco Systems... experienced a cyberattack in which threat actors infiltrated its internal development environment using stolen credentials obtained through a recent supply chain compromise... During the incident, attackers obtained multiple Amazon Web Services keys and used them to carry out unauthorized activities across a limited number of Cisco cloud accounts.
During the incident, attackers obtained multiple Amazon Web Services keys and used them to carry out unauthorized activities across a limited number of Cisco cloud accounts.
The cloud stealer payload also includes an additional base64 encoded script that is installed as a systemd user service disguised as a "System Telemetry Service," which periodically contacts a remote server at checkmarx[.]zone to download and execute additional payloads.
Privilege Escalation
5 techniques
Privilege Escalation
Version 1.82.8 introduces a more aggressive feature that installs a '.pth' file named 'litellm_init.pth' to the Python environment. Because Python automatically processes all '.pth' files when the interpreter starts, the malicious code would be executed whenever Python is run.
The malware scraped memory from the Runner.Worker process by reading /proc/<pid>/mem and searching for the pattern {"value":"<secret>","isSecret":true}.
Cisco Systems... experienced a cyberattack in which threat actors infiltrated its internal development environment using stolen credentials obtained through a recent supply chain compromise... During the incident, attackers obtained multiple Amazon Web Services keys and used them to carry out unauthorized activities across a limited number of Cisco cloud accounts.
During the incident, attackers obtained multiple Amazon Web Services keys and used them to carry out unauthorized activities across a limited number of Cisco cloud accounts.
The cloud stealer payload also includes an additional base64 encoded script that is installed as a systemd user service disguised as a "System Telemetry Service," which periodically contacts a remote server at checkmarx[.]zone to download and execute additional payloads.
Stealth
5 techniques
Stealth
The malicious code was injected into 'litellm/proxy/proxy_server.py' as a base64 encoded payload, which is decoded and executed whenever the module is imported.
The malware scraped memory from the Runner.Worker process by reading /proc/<pid>/mem and searching for the pattern {"value":"<secret>","isSecret":true}.
Cisco Systems... experienced a cyberattack in which threat actors infiltrated its internal development environment using stolen credentials obtained through a recent supply chain compromise... During the incident, attackers obtained multiple Amazon Web Services keys and used them to carry out unauthorized activities across a limited number of Cisco cloud accounts.
During the incident, attackers obtained multiple Amazon Web Services keys and used them to carry out unauthorized activities across a limited number of Cisco cloud accounts.
The threat actor force-pushed 75 of 76 version tags in the aquasecurity/trivy-action repository, redirecting them to malicious commits containing the "TeamPCP Cloud stealer." When CI/CD workflows referenced these tags, the compromised action executed a multi-stage payload.
Defense Impairment
1 technique
Defense Impairment
Credential Access
9 techniques
Credential Access
Deployed "TeamPCP Cloud Stealer", a purpose-built payload designed for CI/CD runner environments that dumped process memory from the GitHub Actions runner, swept SSH keys, cloud provider credentials, and Kubernetes secrets
The Trivy breach also affected the LiteLLM open-source Python library in an attack that infected tens of thousands of devices with its "TeamPCP Cloud Stealer" information-stealing malware.
When a compromised Trivy action executes in a workflow, it extracts GitHub personal access tokens (PATs) and other secrets from the Runner.Worker process memory. If those tokens have write access to repositories that also use Checkmarx actions, the attacker can use them to push malicious code to additional action dependencies.
Credential scraping : Scanned /proc/*/mem from Runner.Worker processes to extract secrets stored in memory
it executes a base64-encoded Python filesystem harvester ... that reads SSH keys, cloud credentials, Kubernetes configs, Docker credentials, .env files, terraform state, shell history, database configs, TLS private keys, and cryptocurrency wallets
...swept SSH keys, cloud provider credentials, and Kubernetes secrets...
Cloud metadata harvesting : Queried the AWS Instance Metadata Service (IMDS) at 169.254.169.254 for IAM credentials... IMDS credential harvesting : curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/
Discovery
1 technique
Discovery
Collection
2 techniques
Collection
Command and Control
3 techniques
Command and Control
If the primary command-and-control channel failed, the malware fell back to creating a repository called tpcp-docs inside the victim's own GitHub organization and storing stolen secrets there.
Exfiltration
3 techniques
Exfiltration
then encrypted and exfiltrated the collected data using AES-256 and RSA-4096 to attacker-controlled servers.
These secrets were exfiltrated to a Cloudflare Tunnel C2 (plug-tab-protective-relay.trycloudflare.com). ... The malware transmitted the encrypted bundle to a typosquatted domain (scan.aquasecurtiy[.]org). As a fallback, it could create a tpcp-docs repository in the victim's GitHub account and upload the stolen credentials as a release asset.
IOCs tracked for this family
143 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
22 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
An information-stealing malware used in a supply-chain attack that infected tens of thousands of devices via the compromised LiteLLM open-source Python library.
A purpose-built stealer for CI/CD runner environments that harvests process memory, SSH keys, cloud credentials, and Kubernetes secrets, encrypts the stolen data, and exfiltrates it to attacker-controlled infrastructure. It also has a fallback exfiltration method using a repository named tpcp-docs inside the victim GitHub organization.
A purpose-built stealer for CI/CD runner environments that dumps process memory, collects SSH keys, cloud credentials, and Kubernetes secrets, then encrypts and exfiltrates the stolen data. It also has a fallback exfiltration mechanism using a repository named tpcp-docs inside the victim's GitHub organization.
A credential-stealing payload used in compromised GitHub Actions and CI/CD pipelines. It scrapes secrets from runner process memory, harvests cloud metadata and IAM credentials from IMDS, searches for Slack and Discord webhooks, encrypts collected data into tpcp.tar.gz, and exfiltrates it to attacker-controlled typosquat domains.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.