Return of the Worm! TeamPCP versus the supply chain

Paul Ducklin
03/29/2026
Introducing TeamPCP

Two months ago, you probably hadn’t heard of the cybercrime gang that calls itself TeamPCP.

They first started getting noticed in specialist cybersecurity articles in late 2025, but they weren’t yet all over the news.

Like many threats and threat actors, they’re known by a range of different names, including PCPcat, ShellForce, DeadCatx3, and PersyPCP, with the name “ShellForce” in particular reflecting an important aspect of their tools and techniques.

Notably, TeamPCP doesn’t go in only for the old-school sort of malware that targets the final products that companies and open-source projects deliver.

To be clear, TeamPCP has distributed malware this way, as we documented last week when the group attacked a cybersecurity product called Trivy, made by Aqua Security.

However, as the name ShellForce suggests, this gang also goes after the many scripts and build-time addons that software creators use in their own software development processes, known in the jargon as pipelines.

In this way, software teams that incorporate infected pipeline components into their own automated build processes may end up running some of TeamPCP’s malware every time any developer adds or changes anything in the project.

As an example, in the Trivy attack, TeamPCP poisoned a component called trivy-action, a set of scripts and related tools that are typically triggered automatically after every change, even if that’s just fixing a spelling mistake in a source code comment.

Compromise the whole, not just one part

Ironically, the very purpose of Trivy and trivy-action is to perform cybersecurity checks every time anyone involved in a software project proposes any sort of change, a noble goal that aims to prevent security holes being introduced in the first place.

By compromising the development environment itself, TeamPCP aims to embed itself right into the heart of its victims’ software development processes.

As you can imagine, software development pipelines are a rich source of data for cybercriminals, including: critical company data such as code signing keys; individual developers’ data such as cryptocoin wallets and keys; and software development secrets such as passwords and authentication tokens for other projects and products.

Simply put, by targeting the Trivy product and the Trivy pipeline, TeamPCP effectively attacked every company and programmer that used Trivy in any way, not just Aqua Security itself.

Sadly, this Trivy story, which projected the name TeamPCP into popular media headlines...

...turned out to be just a tiny part of this malevolent crime group’s current activities.

Indeed, almost every day for the past week, I’ve sat down to write an update about TeamPCP, only to find that they’ve shown up behind another attack, and then another, and another, until I finally decided to wait no longer.

The attacks I’m aware of at the time of writing [2026-03-28T23:00:00Z] are enumerated below.


• The Trivy attack

As mentioned above, we did a deep but not-too-technical dive into this about a week ago, once the full nature of the attack had been uncovered.

The primary side-effect of this attack was to collect a wide range of access credentials, cryptographic keys, system configuration information, password hashes, and cryptocurrency wallets.

The malware then encrypted its stolen secrets and attempted to upload them to a specially-created web domain called aquasecurtiy.org, a typosquat misspelling of Aqua Security, owner and publisher of the Trivy brand, that was registered on 2026-03-17, shortly before the attack started.




• The Canister worm

This malware took aim at the Microsoft-owned Node Package Manager (NPM) ecosystem, the world’s biggest repository of JavaScript software packages used by millions of different software development teams worldwide.

TeamPCP apparently infected a bunch of popular JavaScript packages by hand to get the ball rolling, with the malware being triggered not as part of the final package code, but as a side-effect of the scripts that run during the installation process.

According to one report, the authentication credentials used in implanting the first wave of Canister worm infections seem to have come directly from data stolen in the earlier Trivy attack.

Unlike the Trivy malware, this one introduced a self-replicating component, meaning that once injected into the NPM ecosystem, it could keep spreading to new victims automatically, infecting the next victim’s NPM projects using NPM access tokens found in the current victim’s environment.

Loosely speaking, any infected developer working on multiple packages in multiple projects could be quietly co-opted as a malware spreader.

That’s why this attack has been dubbed a worm, or computer virus, old-school cybersecurity names that denote malware that is able to spread far and wide by itself once it gets a sufficient foothold from which to get started.


Apart from spreading, this malware also implants a background process (technically, a Linux systemd service) on infected computers that acts as a bot or zombie – malicious software that regularly reaches out to a website or some other online service to download arbitrary commands to run at the whim of the attackers.

The other part of the name, Canister, comes from the way that the malware “calls home” to fetch additional rogue commands to run on the victim’s computer.

Instead of connecting to a traditional web server to fetch its zombie commands, the Canister worm uses a smart contract service known as the Internet Computer Project (ICP), which provides a web-based blockchain system that can store chunks of code and data indefinitely in so-called canisters, issuing a unique URL for each canister.

In this case, the malicious ICP canister doesn’t serve up malicious commands directly; instead, it provides a secondary URL that the malware uses to fetch the actual rogue code to be executed.

Threat researchers report that one of the malicious zombie payloads distributed by TeamPCP focuses on data destruction, such that victim computers that appear to be inside Iran get wiped, while those not in Iran are used to spread the malware yet further via any Kubernetes clusters they manage.

There’s currently no suggestion that TeamPCP has specific political objectives here, but this side-effect certainly helped the criminals to generate media attention for themselves.

Some reports seem to imply that the attacker chose to link to the ICP “canister” service because those URLs are pseudo-anonymous and therefore hard to take down, in the same way as Tor or Onion services. But these URLs point at servers owned and operated by ICP, and the URL used by the Canister worm has now been blocked by the service.



• The Checkmarx attack

Like Aqua Security and Trivy, Checkmarx claims to be a threat prevention and software vulnerability detection service that promises, in a burst of impressive if impenetrable jargon, to “unify SAST, SCA, IaC, & ASPM with Agentic AI to prevent and remediate risks faster – from code to cloud.”

Checkmarx’s GitHub projects were attacked and compromised in a similar way to the Trivy attack described above.

Where the Trivy attack used a fake domain called aquasecurtiy.org, the Checkmarx implant used checkmarx.zone, which isn’t an official domain operated by Checkmarx itself.

(There are so many legal top-level domains these days that it’s unreasonable to expect any company, even one that focuses on cybersecurity, to maintain a so-called “defensive registration” for all possible look-alike or mis-spelled domain names.)

The Trivy malware used a GitHub project name tpcp-docs and the filename tpcp.tar.gz to hide its stolen data; in the Checkmarx attack, the same filename was used, but the project name was flipped around to read docs-tpcp instead.


• A takeover of LiteLLM’s software supply chain

LiteLLM is another AI-centric company that claims to “provide model access, fallbacks and spend tracking across 100+ LLMs.”

The company doesn’t specifically pitch its products and services as cybersecurity tools, but it does claim to enforce guardrails, the name given to the loose behavior-blocking protections that are supposed to prevent AIs turning rogue.

The bogus server name referenced by the malware in this case was models.litellm.cloud, which contains the text litellm but doesn’t belong to the LiteLLM organization.

Intriguingly, instead of using ICP canisters as delivery URLs for its zombie payloads, this variant reused the fake checkmarkx.zone domain from before, using the URL checkmarkx.zone/raw to download new malware commands.


• The Telnyx attack

At the time of writing [2026-03-28T23:00:00Z], TeamPCP’s most recently-reported attack was against a company called Telnyx.

Telnyx advertises itself as “an all-in-one communications platform and API with carrier-grade voice, data and messaging capabilities,” with services that include AI-based agents for processing voice calls.

In this attack, different zombie payloads are downloaded for Windows and Linux victims, using URLs at a server referenced directly by IP number, instead of via a look-alike domain name.

The malicious URLs have telephony-based filenames, presumably to give them an air of legitimacy despite being served up by IP number via TCP port 8080, usually used by web proxies:

83.[redacted].203:8080/ringtone.wav  -- script-based malware for Linux
83.[redacted].203:8080/hangup.wav    -- compiled .EXE malware for Windows

Although these malware downloads look like innocent audio files and will be recognized by firewalls as WAV-format downloads, they don’t contain any audio content that a human would understand.

Instead, the audio data consists of malware code (script or binary, depending on platform), lightly disguised to look less obvious by the use of a simple XOR-based scrambling algorithm that hides any giveaway text in the “audio” stream.

The downloader reverses this scrambling process before launching the zombie malware it just retrieved.
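To illustrate the disguise described above, here is an added triage helper (not code from the article) that checks whether a supposed WAV download actually carries a RIFF/WAVE header and, if not, tries to recover a single-byte XOR key so an analyst can read what was hidden. The single-byte key length, the expected script and executable prefixes, and the sample payload (harmless constructed text) are all assumptions of this example, not details from the article.

```python
"""Triage helper for downloads that claim to be WAV audio but carry no audio.

Added example, not code from the SolCyber article. Assumes the disguise is a
single-byte repeating XOR key, which the article does not state; a real sample
may use a longer key, in which case recover_single_byte_xor() returns None."""
from typing import Optional

# Plaintext prefixes a descrambled script or executable might begin with (assumed).
KNOWN_PREFIXES = (b"#!/bin/sh", b"#!/bin/bash", b"#!/usr/bin/env", b"MZ")

def is_real_wav(data: bytes) -> bool:
    """A genuine WAV file opens with a RIFF chunk whose form type is WAVE."""
    return len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"WAVE"

def recover_single_byte_xor(data: bytes) -> Optional[int]:
    """Try all 256 single-byte keys on the file header; return the first key that
    turns it into a known script or executable prefix, or None if none does."""
    head = data[:16]
    for key in range(256):
        if bytes(b ^ key for b in head).startswith(KNOWN_PREFIXES):
            return key
    return None

def descramble(data: bytes, key: int) -> bytes:
    """Undo the XOR scrambling so the recovered payload can be read, not run."""
    return bytes(b ^ key for b in data)

def triage(filename: str, data: bytes) -> dict:
    """Flag a '.wav' download whose bytes are not WAV, and try to find its XOR key."""
    verdict = {"filename": filename, "real_wav": is_real_wav(data),
               "suspicious": False, "xor_key": None}
    if filename.lower().endswith(".wav") and not verdict["real_wav"]:
        verdict["suspicious"] = True
        verdict["xor_key"] = recover_single_byte_xor(data)
    return verdict

# Constructed sample: harmless shell text scrambled with key 0x5A stands in for
# the 'ringtone.wav' download; it is not the real payload.
SAMPLE_KEY = 0x5A
SAMPLE_PLAIN = b"#!/bin/sh\necho 'constructed sample, not real malware'\n"
SAMPLE_SCRAMBLED = bytes(b ^ SAMPLE_KEY for b in SAMPLE_PLAIN)

if __name__ == "__main__":
    print(triage("ringtone.wav", SAMPLE_SCRAMBLED))
```

A file that passes is_real_wav() can still be hostile, so treat the header check as a first filter, not a clean bill of health.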

Tracking the damage

Although all these data-stealing malware attacks (Trivy, Checkmarx, LiteLLM, and Telnyx) use different download URLs and a range of differently-coded malware programs in a variety of programming languages, they all use the same RSA-4096 public key when encrypting the data they’ve just stolen.

This means that TeamPCP, presumably the only holder of the corresponding RSA-4096 private key, is the only group that can extract and use the data stolen in these attacks.

As we mentioned when we discussed the Trivy attack, this means that even organizations that still have copies of the tpcp.tar.gz file created when they were attacked cannot extract it themselves in order to track what was stolen.

Simply put, if you think you have been a victim in one or more of these TeamPCP intrusions, you have little choice but to start off by assuming the worst, and to revise your damage report downwards as you investigate your logs to find out what happened.


What to do?

  • Learn about the various indicators of compromise (IoCs) that you can search for to see if you are already a victim of one of TeamPCP’s attacks. Links throughout this article will help you find numerous sources of information for filenames, directory names, entries in network traffic logs and other hints that will strongly suggest you’ve been hit. Unfortunately, absence of evidence isn’t evidence of absence, and even if you haven’t been affected yet, your software development and IT practices might leave you at greater than average risk, so please peruse the remaining tips, too.
  • If needed, change all credentials, tokens and keys in your system. Don’t make Aqua Security’s mistake of changing initial login passwords without also invalidating all active authentication tokens at the same time. This allowed TeamPCP to refresh their current authentication tokens while already logged in, thus keeping their illegal access alive for several days after they’d first been spotted. Note that TeamPCP doesn’t just go after passwords, password hashes and authentication tokens for the service via which their malware got in, such as NPM or GitHub. This group’s malware also: steals secret data for a huge range of other services you run in your network, such as databases and web servers; grabs as many SSH keys as it can find, in the hope of being able to log in under many different usernames to many other servers and services; and plunders keys and wallets for a huge range of cryptocurrency coins, exchanges, and services.
  • Resist the temptation to automate everything, notably by not automatically updating or upgrading dependencies that your software relies on. Note that just locking down your dependencies to specific versions so you don’t get the latest upgrades automatically is not enough. TeamPCP’s compromises generally involve rewriting their victims’ source code repositories so that even previous versions end up with malware injected into them, so refreshing an old version will also introduce the malware.
  • Review changes thoroughly before accepting them into software that you yourself will publish for others to use. Also, before you formally promote a new version from your staging or testing site to public availability, review once again to ensure that you haven’t accepted any rogue modifications or unexpected external changes to any part of your product pipeline. You need to ensure not only that your final product has not been compromised, but also that your own build environment (all the scripts and tools that both you and your users will run while installing and building the product) is correct. Ironically, TeamPCP’s attacks have included deliberately poisoning the very cybersecurity tools many teams rely on to help “prove” that their own software is safe.
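One concrete check in the spirit of the advice above, as an added example that is not the article’s or any project’s own code: list every third-party action a GitHub Actions workflow pulls in by a tag or branch name rather than a full commit SHA. A commit SHA names one exact set of file contents, so a tag or branch quietly re-pointed at poisoned code cannot be pulled in unnoticed; the workflow text and the 40-character SHA below are constructed stand-ins.

```python
"""Flag third-party GitHub Actions that a workflow pulls in by mutable reference.

Added example, not code from the SolCyber article or from any project it names.
Assumes the standard `uses: owner/repo@ref` syntax; a 40-hex-character ref is an
immutable commit SHA, anything else (a tag or branch) can be re-pointed later."""
import re

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def find_mutable_uses(workflow_yaml: str) -> list:
    """Return (action, ref) pairs for every action not pinned to a full commit SHA."""
    findings = []
    for ref in USES_RE.findall(workflow_yaml):
        if ref.startswith(("./", "docker://")):
            continue  # local and container-image references are outside this check
        name, _, version = ref.partition("@")
        if not SHA_RE.match(version):
            findings.append((name, version or "<none>"))
    return findings

# Constructed workflow: the SHA is a placeholder and the tag-pinned trivy-action
# line is a stand-in, not a copy of any real project's workflow.
SAMPLE_WORKFLOW = """\
name: scan
on: [push, pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: aquasecurity/trivy-action@master
      - uses: ./.github/actions/local-step
      - uses: some-org/some-action@v1
"""

if __name__ == "__main__":
    for name, version in find_mutable_uses(SAMPLE_WORKFLOW):
        print(f"unpinned: {name}@{version}")
```

Pinning by SHA only fixes which commit you fetch; it does not tell you whether that commit is clean, so it complements, rather than replaces, the review the article calls for.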

Ask for help if you need it – SolCyber is ready with a human-centered cybersecurity service if you’d like to regain the time to focus on your core business!




More About Duck

Paul Ducklin is a respected expert with more than 30 years of experience as a programmer, reverser, researcher and educator in the cybersecurity industry. Duck, as he is known, is also a globally respected writer, presenter and podcaster with an unmatched knack for explaining even the most complex technical issues in plain English. Read, learn, enjoy!


Featured image of fizzy worms by Karsten Winegeart via Unsplash.
