TeamPCP Targets CI/CD Pipelines to Steal Developer Credentials

TeamPCP Targets CI/CD Pipelines to Steal Developer Credentials

First seen 15 May 2026, 09:57 UTC TrendmicroGbhackersCybersecuritynewsRescanathehackernews.com+4 88% similarity 69.5

Article Content

Browse articles
ThreatCluster

TeamPCP, a financially motivated threat actor, has been conducting a campaign targeting software supply chains from March 19 to April 24, 2026. The group exploited trusted CI/CD and release workflows to steal sensitive developer and cloud credentials. Two notable incidents occurred on April 22 and April 24, involving Checkmarx KICS and elementary-data, respectively. The KICS attack utilized complex methods, including simultaneous poisoning of three distribution channels and a downstream npm hijack. In contrast, the elementary-data attack was simpler, requiring only a single GitHub pull request to forge a tagged release commit. The campaign has affected multiple programming ecosystems and registry types, with at least seven distinct waves identified. Attribution to TeamPCP is based on consistent operational markers, but confidence in actor identity remains medium-high. The campaign highlights significant vulnerabilities in CI/CD pipelines and the potential for widespread impact on software development processes.

Key Points: • TeamPCP exploited CI/CD pipelines to steal developer and cloud credentials. • The campaign spanned from March 19 to April 24, 2026, with at least seven waves. • Two significant incidents involved complex and simple methods of attack on trusted workflows.

ThreatCluster AI

Timeline

2026-03-19
TeamPCP campaign begins
TeamPCP starts a coordinated campaign targeting software supply chains, exploiting CI/CD workflows.
Trendmicro
2026-04-22
Checkmarx KICS incident
TeamPCP executed a complex attack involving multiple distribution channels and npm hijacking.
Trendmicro
2026-04-24
Elementary-data attack
A simpler attack where a GitHub pull request was used to forge a release commit, passing all verification checks.
Trendmicro
2026-05-15
Public awareness raised
Gbhackers reports on TeamPCP's tactics and the implications for software supply chain security.
Gbhackers

Community

Browse all →