TeamPCP Targets CI/CD Pipelines to Steal Developer Credentials
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
TeamPCP, a financially motivated threat actor, has been conducting a campaign targeting software supply chains from March 19 to April 24, 2026. The group exploited trusted CI/CD and release workflows to steal sensitive developer and cloud credentials. Two notable incidents occurred on April 22 and April 24, involving Checkmarx KICS and elementary-data, respectively. The KICS attack utilized complex methods, including simultaneous poisoning of three distribution channels and a downstream npm hijack. In contrast, the elementary-data attack was simpler, requiring only a single GitHub pull request to forge a tagged release commit. The campaign has affected multiple programming ecosystems and registry types, with at least seven distinct waves identified. Attribution to TeamPCP is based on consistent operational markers, but confidence in actor identity remains medium-high. The campaign highlights significant vulnerabilities in CI/CD pipelines and the potential for widespread impact on software development processes.
Key Points: • TeamPCP exploited CI/CD pipelines to steal developer and cloud credentials. • The campaign spanned from March 19 to April 24, 2026, with at least seven waves. • Two significant incidents involved complex and simple methods of attack on trusted workflows.