TeamPCP (tracked as UNC6780 by Google's Threat Intelligence Group, also using aliases DeadCatx3, PCPcat, and ShellForce) started with a single incompletely rotated GitHub personal access token .
March 19 — Aqua Security's Trivy: The initial compromise. TeamPCP gained access to Trivy's GitHub Actions and Docker Hub signing keys, then force-pushed malicious code to 75 of 76 trivy-action version tags and published poisoned binaries to GitHub Releases and Docker Hub . This was assigned CVE-2026-33634 with a CVSS score of 9.4
.
March 20 — BerriAI's LiteLLM: Using credentials stolen from the Trivy pipeline, TeamPCP pushed malicious versions of LiteLLM, an AI gateway tool used to access more than 100 LLM APIs, to PyPI and NPM .
March 27 — Telnyx PyPI: TeamPCP published malicious versions (4.87.1 and 4.87.2) of the Telnyx Python SDK .
April 22 — Checkmarx KICS and Bitwarden CLI: Later waves targeted Checkmarx's KICS security scanner and Bitwarden's CLI within hours of each other, sharing the same C2 infrastructure . TrendMicro confirmed these as part of the broader TeamPCP campaign
.
Within six days, the attack spread across:
This was later characterized as the first documented self-propagating supply chain worm to autonomously cross ecosystem boundaries .
On July 2, 2026, the FBI's Cyber Division issued a critical alert (reported in Spanish media on July 3) confirming that TeamPCP had infiltrated development environments and exfiltrated cloud access tokens, SSH keys, and Kubernetes secrets .
Based on the alert coverage, the FBI advised organizations to:
"tpcp-docs" or "docs-tpcp" used by the attackers for staging The alert also noted that data and credentials already exfiltrated should be considered a persistent risk .
Sophos X-Ops published research on April 24, 2026 documenting the Checkmarx KICS and Bitwarden CLI compromises as part of the TeamPCP campaign . Key findings:
The search results did not surface direct evidence linking TeamPCP to The Com collective. TeamPCP has been associated with the LAPSUS$ data-sales pipeline and operates its own CipherForce ransomware track, but Com-specific links were not found in the available sources .
The TeamPCP campaign represents a turning point in cloud security: attackers are no longer bypassing defenses — they are weaponizing them. The key takeaways for defenders:
tpcp-docs or docs-tpcp