TeamPCP
Also known as: Altered Spider
TeamPCP is a threat actor that has executed a coordinated series of supply chain attacks, compromising widely-used open source tools such as Trivy, KICS, and LiteLLM to deploy credential-stealing malware. They employed techniques like credential harvesting, lateral movement within Kubernetes environments, and audio steganography to evade detection. The group has demonstrated the ability to leverage stolen credentials to propagate attacks across multiple ecosystems, including npm and PyPI, using a self-propagating worm known as CanisterWorm. Their operations have included the use of AES-256 encryption and RSA-4096 for exfiltration of sensitive data.
Indicators of Compromise 2
MITRE ATT&CK TTPs 4
Detection Rules
title: Detection of TeamPCP Activity in CI/CD Pipeline via Memory Scraping and Credential Exfiltration
id: 3a8d32e8-5d2a-4b9d-9a4f-1f8e7c371a1e
status: experimental
description: Detects suspicious activity associated with TeamPCP, including execution of scripts in CI/CD environments (e.g., GitHub Actions) combined with outbound network connections to external domains and use of commands commonly associated with credential harvesting and memory scraping.
references:
- https://github.com/aquasecurity/trivy-action/issues/2026
- https://nvd.nist.gov/attack-pattern/CAPEC-1059.001
- https://attack.mitre.org/tactics/TA0002/
author: Threat Detection Team
date: 2026/03/15
tags:
- attack.t1059.001
- attack.t1071.001
- attack.t1005
- attack.t1566
- supply-chain
- credential-access
- exfiltration
logsource:
category: process_creation
product: github_actions
service: runner
detection:
selection_img:
- ParentImage|endswith: "\actions-runner\bin\Runner.Worker.exe"
- Image|endswith: "\actions-runner\bin\Runner.Worker.exe"
selection_cli_commands:
- Command|contains: "import os"
- Command|contains: "import sys"
- Command|contains: "psutil"
- Command|contains: "getenv"
- Command|contains: "secrets"
- Command|contains: "os.environ"
- Command|contains: "print("
- Command|contains: "open("
selection_network:
DestinationHostname|contains: "."
DestinationPort: 80, 443
DestinationIp: "45.148.10.212"
DestinationHostname|endswith: ".org"
DestinationHostname|contains: "scan.aquasecurtiy.org"
selection_script_execution:
- Command|contains: "python -c"
- Command|contains: "node -e"
- Command|contains: "bash -c"
filter_known_hosts:
DestinationHostname|endswith:
- "github.com"
- "actions.githubusercontent.com"
- "pipelines.actions.githubusercontent.com"
- "api.github.com"
condition: selection_img and (selection_cli_commands or selection_script_execution) and selection_network and not filter_known_hosts
falsepositives:
- Legitimate CI/CD scripts that perform environment inspection and external HTTP calls to third-party monitoring or deployment services
level: critical ⚠ Rules are AI-generated and unvalidated. Test in a safe environment before production use.