ThreatBrief AI

TeamPCP supply-chain campaign shows security tooling is the new trust boundary

Cross-source reporting on TeamPCP shows how compromised scanners, package pipelines, and marketplace plugins turn trusted developer tools into credential-harvesting infrastructure.

+ +

Published

Jun 27, 2026

Duration

5 min read

Risk Level

high evidence

Why it matters

TeamPCP is a useful case study because it does not just target applications; it targets the security and delivery tools that sit upstream of those applications. Unit 42, Kodem, and Endor Labs all describe a campaign that turned scanners, package distribution, and release pipelines into privileged access paths. That matters because a compromised developer tool can inherit the trust of CI/CD, secrets management, and artifact publication in one step.

Thesis

The core lesson is simple: security tooling is now part of the attack surface. TeamPCP repeatedly abused trusted build and scan infrastructure to collect cloud credentials, SSH keys, and Kubernetes secrets, then used those credentials to move into the next stage of the campaign. The pattern is less about one malware family and more about a repeatable trust-boundary failure.

Method

This brief compares three vendor research sources: Unit 42 for campaign scope and infrastructure, Kodem for the Trivy-to-LiteLLM-to-Jenkins progression, and Endor Labs for the LiteLLM payload details. I extracted the shared chronology, mapped overlapping indicators, and kept the analysis to claims that appear in at least one primary research source.

Findings

The campaign progressed through recognizable phases. Trivy and KICS were first abused as initial trust anchors, then LiteLLM widened the blast radius through package distribution, and later reporting tied the same actor to the Checkmarx Jenkins plugin. Across those stages, the payloads consistently tried to harvest secrets rather than perform noisy destructive actions first.

The infrastructure story is also consistent. Unit 42 reported C2 and fallback domains such as checkmarx.zone, models.litellm.cloud, and scan.aquasecurtiy.org, alongside other public tunnel infrastructure and payload artifacts like kamikaze.sh. Endor Labs added a second execution vector with litellm_init.pth, which runs during Python startup and makes the payload harder to miss in routine package use.

For defenders, the important point is not the vendor names. It is the structure: trusted security tools, CI/CD credentials, and package-publishing tokens all became transitive trust amplifiers. If one stage is compromised, the attacker can often reuse that trust to reach the next stage.

Limits

This is a synthesis of vendor research, not a single forensic report from one victim. Exact victim counts, blast radius, and attribution details may evolve as more incident response data becomes public. The conclusion about the trust-boundary problem is strong; the precise campaign graph should still be treated as a living model rather than a final case file.

Indicators

8 indicators · TLP:clear

domain · c2 · high conf

checkmarx.zone

Typosquatted domain used in TeamPCP exfiltration and C2 activity.

Srcs: source-1, source-2

domain · c2 · high conf

models.litellm.cloud

Typosquatted domain used for LiteLLM-stage exfiltration and C2.

Srcs: source-1, source-3

domain · c2 · high conf

scan.aquasecurtiy.org

Typosquatted domain associated with the Trivy-stage payload.

Srcs: source-1, source-2

domain · c2 · high conf

tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io

Fallback infrastructure noted in Unit 42 reporting for TeamPCP operations.

Srcs: source-1

url · infrastructure · high conf

https://championships-peoples-point-cassette.trycloudflare.com

Cloudflare Tunnel URL listed in TeamPCP infrastructure reporting.

Srcs: source-1

file-path · payload · high conf

kamikaze.sh

Shell payload name used in the initial TeamPCP Trivy-stage payload.

Srcs: source-1, source-2

file-path · payload · medium conf

litellm_init.pth

Startup-triggering Python path file used in the LiteLLM stage.

Srcs: source-3

hash-sha256 · payload · medium conf

01ff1e56fd59a8fa525d97e670f7f297a1a204331b89b2cd4e36a9abc6419203

SHA256 for the malicious Checkmarx Jenkins AST plugin package.

Srcs: source-2