The Federal Bureau of Investigation (FBI) has issued a new cybersecurity alert warning organizations about TeamPCP, a cybercriminal group responsible for large-scale software supply chain compromises targeting widely used development and security tools. According to the FBI, the campaign has enabled threat actors to steal sensitive credentials, maintain persistent access to victim environments, and carry out extortion against affected organizations.
The FBI stated that TeamPCP has compromised trusted software distribution channels by injecting malicious code into legitimate software packages and development dependencies. Rather than attacking organizations directly, the group has focused on software developers and security tools that many companies rely on throughout their development pipelines. Once those trusted packages are downloaded and installed, malicious code can be introduced into enterprise environments without immediately raising suspicion.
According to the FBI, the attackers modified several widely used development and security tools, including Trivy, KICS, LiteLLM, and the Telnyx Python SDK. Because these applications are frequently integrated into continuous integration and continuous delivery (CI/CD) pipelines, cloud infrastructure, and automated security workflows, a single compromised package can affect numerous downstream systems.
Federal investigators warned that the malicious updates secretly installed credential-stealing malware and persistent backdoors capable of harvesting cloud access tokens, Secure Shell (SSH) keys, Kubernetes secrets, API credentials, and other authentication material used to access critical infrastructure. The FBI also noted that organizations should consider any exposed credentials to remain at risk long after the initial compromise because stolen information may continue to be exploited or shared among affiliated cybercriminal groups.
The FBI identified several malware families associated with TeamPCP’s operations.
CanisterWorm is designed to collect cloud access tokens, credentials, API keys, and authentication material associated with cloud service providers including Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure.
SANDCLOCK focuses on stealing AWS credentials, Kubernetes ServiceAccount tokens, local environment variables, and cryptocurrency wallet information.
The group has also deployed Mini Shai-Hulud, a self-replicating software supply chain worm capable of spreading across both npm and PyPI package ecosystems, along with Miasma, a related malware variant that propagates through open-source software repositories while harvesting credentials and poisoning configuration files.
According to the FBI, TeamPCP has not limited its activity to credential theft. Investigators say the group has also engaged in extortion by publishing victim names on public leak sites and threatening to release stolen information unless demands are met. The alert further notes that TeamPCP has collaborated with other cyber threat actors, increasing the potential impact of compromised credentials across multiple criminal operations.
To assist network defenders, the FBI included indicators of compromise consisting of malicious IP addresses, domains, cryptographic hashes, repository names, and Common Vulnerabilities and Exposures (CVE) identifiers associated with TeamPCP activity. Security teams are encouraged to compare those indicators against their own environments as part of incident response and threat hunting activities.
The FBI is recommending organizations immediately strengthen their software supply chain security by pinning GitHub Actions workflows to verified commit hashes, rotating CI/CD secrets and cloud credentials, enforcing phishing-resistant multi-factor authentication, maintaining immutable offline backups, and monitoring development pipelines for unusual behavior. The agency also recommends enforcing least-privilege access controls, auditing third-party integrations, scanning repositories for exposed secrets, and implementing integrity verification before software artifacts are published or deployed.
Organizations that believe they may have been affected are encouraged to preserve evidence, including CI/CD pipeline logs, network logs, compromised credentials, package versions, and any extortion communications. The FBI also recommends documenting when suspicious activity was discovered, the systems affected, and the estimated timeline of the intrusion to assist investigators.
The cybersecurity advisory was coordinated with the Cybersecurity and Infrastructure Security Agency (CISA) and released under the Traffic Light Protocol (TLP): CLEAR, allowing the information to be freely shared to help organizations defend against ongoing cyber threats.
Federal Bureau of Investigation (FBI); Cybersecurity and Infrastructure Security Agency (CISA). Information derived from the FBI FLASH advisory, “Cyber Criminal Group TeamPCP” (FLASH-20260702-01), released July 2, 2026.



