TeamPCP
Umbrella supply chain campaign tracked by Wiz (Rami McCarthy) that compromises developer tooling, package registries, and CI/CD across npm, PyPI, Docker, VSCode, and Packagist. The initial wave abused Checkmarx-themed decoy domains (checkmarx.zone, audit.checkmarx.cx) and shared C2 (94.154.172.43) to trojanize litellm and, through a cascading KICS compromise, @bitwarden/cli. Attribution strings reuse Dune terminology, linking it to the Shai-Hulud worm family.
Discovered: 2026-03-24
Objective
Compromise the software supply chain to steal cloud and developer credentials at scale.
Related campaigns
Packages
Indicators
Techniques
- T1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Tools
- T1059.006 Command and Scripting Interpreter: Python
- T1552.001 Unsecured Credentials: Credentials In Files
- T1041 Exfiltration Over C2 Channel
- T1105 Ingress Tool Transfer
- T1071.001 Application Layer Protocol: Web Protocols
- T1546 Event Triggered Execution
- T1027 Obfuscated Files or Information
- T1059.007 Command and Scripting Interpreter: JavaScript
