TeamPCP
Threat Actor · Supply Chain Campaign
A live tracker documenting the coordinated supply chain attack campaign attributed to TeamPCP — covering confirmed infection vectors, alleged victim organisations, and downstream credential exposure sourced from OSINT and third-party threat intelligence.
Alleged Victims: 57 organisations named
Attack Vectors: 4 independently confirmed
Countries Affected: 19 across all victim claims
Campaign Start: Mar 2026 (earliest confirmed incident)
Over the course of roughly two weeks, the threat group known as TeamPCP carried out a systematic series of supply chain intrusions against widely adopted open source developer tooling. The campaign has been tracked from its earliest confirmed incident through each subsequent escalation.
All four documented attack vectors deployed malware purpose-built to exfiltrate cloud provider credentials, SSH keys, Kubernetes configs, and CI/CD secrets. Stolen material was encrypted before exfiltration to attacker-controlled infrastructure, then rapidly validated and used to pivot through victim environments. Operational consistency across all intrusions points to a single coordinated actor — though credential sharing or resale to third parties cannot be ruled out.
All victim data below derives from TeamPCP's own disclosures or corroborating open-source intelligence. No organisation listed here has necessarily confirmed a security incident. Status labels reflect current assessment only.
02. Confirmed Attack Vectors (4 confirmed)
19 Mar 2025 · Trivy (Aqua Security): Credential-harvesting malware injected into Aqua Security's open source vulnerability scanner. Distributed via the compiled binary, the GitHub Actions workflow, and container images.
23 Mar 2025 · KICS (Checkmarx): The same malware family appeared in Checkmarx's infrastructure-as-code scanner, distributed via the GitHub Action and through the OpenVSX extension marketplace.
24 Mar 2025 · LiteLLM (PyPI): Malicious versions of the popular LLM proxy library pushed to PyPI. Payloads engineered to harvest developer environment credentials at install time.
27 Mar 2025 · Telnyx SDK (PyPI): Backdoored releases of the Telnyx Python SDK published to PyPI. Malicious payload functionally identical to prior attacks, using the same exfiltration infrastructure.
03. Alleged Victim Organisations (57 organisations · 19 countries)
Named as direct victims in TeamPCP disclosures. No listing should be treated as a confirmed breach unless explicitly marked.
| Organisation | Domain | Status | Note |
| --- | --- | --- | --- |
| Alex Solutions | alexsolutions.com | Claimed | No public confirmation. |
| Microba | microba.com | Claimed | Gut microbiome diagnostics. No public confirmation. |
| Symbio (MNF Group) | symbio.global | Claimed | Telecom infrastructure. Rebranded from mnf-group. |
| FIOR Digital (21bitcoin) | 21bitcoin.com | Claimed | Bitcoin financial services. No public confirmation. |
| Aarin | aarin.com.br | Claimed | Fintech / payments infrastructure. |
| Brasil Paralelo | brasilparalelo.com.br | Claimed | Media platform. No public confirmation. |
| Lululemon | lululemon.com | Claimed | Publicly listed athletic apparel company. |
| PocketHealth | pockethealth.com | Claimed | Medical imaging platform. |
| R2 Capital | r2capital.ca | Claimed | No public confirmation. |
| CMPC | cmpc.com | Claimed | Major pulp and paper manufacturer. |
| PreUPDV | preupdv.cl | Claimed | Education platform. |
| Farmaonline | farmaonline.com | Claimed | Online pharmacy. |
| Norlys Energy Trading | norlysenergytrading.com | Claimed | Energy trading arm of Norlys. |
| Norauto | norauto.com | Claimed | Auto repair chain. |
| OKwind | okwind.com | Claimed | Renewable energy. |
| Orange Open Source | opensource.orange.com | Claimed | Open source division of telecom giant Orange. |
| Teale | teale.io | Claimed | Healthcare SaaS. |
| GotPhoto | gotphoto.com | Claimed | Photography platform. |
| Nooxit | nooxit.com | Claimed | No public confirmation. |
| OG1O | og1o.com | Claimed | No public confirmation. |
| understand.ai | understand.ai | Claimed | AI data annotation (acquired by Daimler). |
| Illusive Networks | illusivenetworks.com | Claimed | Cybersecurity (deception tech). |
| Auronix | auronix.com | Claimed | Business messaging platform. |
| Assertive Yield | assertiveyield.com | Claimed | Ad monetisation platform. |
| Axual | axual.com | Claimed | Kafka-based streaming platform. |
| Finom | finom.co | Claimed | Business finance platform. |
| Radventure | radventure.com | Claimed | No public confirmation. |
| Statkraft | statkraft.se | Claimed | Europe's largest renewable energy producer. |
| TOMRA | tomra.com | Claimed | Resource collection / reverse vending systems (listed OSE). |
| eobuwie | eobuwie.com.pl | Claimed | Major online footwear retailer. |
| CrazyBet | crazybet.com | Claimed | Online sports betting. |
| APIQuality | apiquality.io | Claimed | API governance platform. |
| Cloudappi | cloudappi.net | Claimed | Software development firm. |
| Handelshögskolan (HHS) | hhs.se | Claimed | Stockholm School of Economics. |
| Toptracer | toptracer.com | Claimed | Golf technology (Callaway subsidiary). |
| Holland & Barrett | hollandandbarrett.com | Claimed | Major health & wellness retailer. |
| Azra AI | azra-ai.com | Claimed | Oncology AI. |
| Cisco | cisco.com | ✓ Confirmed | Confirmed by BleepingComputer (31 Mar 2026). 300+ GitHub repos cloned, AWS keys stolen via Trivy supply chain credentials. |
| Corelight | corelight.com | Claimed | Network detection & response. |
| CoverSelf | coverself.com | Claimed | Insurance SaaS. |
| Cynerio (→ Axonius) | axonius.com | Claimed | Healthcare IoT security, acquired by Axonius. |
| Databricks | databricks.com | ✗ Denied | Investigated and found nothing in internal systems. Official statement via @DatabricksSec. |
| DeepHealth | deephealth.com | Claimed | AI radiology platform. |
| Excel Impact | excelimpact.com | Claimed | No public confirmation. |
| Life.Church | life.church | Claimed | Large multi-site church organisation. |
| LotLinx | lotlinx.com | Claimed | Automotive inventory AI. |
| Metafar | metafar.io | Claimed | No public confirmation. |
| OpsVanguard | opsvanguard.com | Claimed | No public confirmation. |
| Ping Identity | pingidentity.com | ◐ Partial | Corporate address found in exfiltrated credential dump. |
| Pluralsight | pluralsight.com | Claimed | Tech learning platform. |
| Rivian | rivian.com | Claimed | Publicly listed EV manufacturer. |
| Saviynt | saviynt.com | Claimed | Identity security SaaS. |
| Stryker | stryker.com | Claimed | Publicly listed medical devices company. |
| TeamWorks | teamworks.com | Claimed | Athlete management platform. |
| Turion Space | turionspace.com | Claimed | Space debris removal startup. |
| Varo Money | varomoney.com | Claimed | Neobank / consumer fintech. |
| Vermill | vermill.io | Claimed | No public confirmation. |
04. Downstream Credential Exposure (21 organisations)
Corporate-domain addresses found in the exfiltrated credential dump. These organisations were not necessarily direct targets — exposure is a downstream consequence of staff running affected tooling. Entries marked ★ also appear in the direct victim list.
Corporate domains only — personal addresses excluded
| Organisation | Domain | Country | Status |
| --- | --- | --- | --- |
| Applied | applied.co | 🇬🇧 UK | ◐ Credential Exposure |
| Atos | atos.net | 🇫🇷 France | ◐ Credential Exposure |
| BMW | bmw.de | 🇩🇪 Germany | ◐ Credential Exposure |
| CAIS Group | caisgroup.com | 🇺🇸 US | ◐ Credential Exposure |
| CloudOfficer | cloudofficer.ca | 🇨🇦 Canada | ◐ Credential Exposure |
| Deloitte | deloitte.com / .co.uk | 🇺🇸🇬🇧 US / UK | ◐ Credential Exposure |
| Ernst & Young (EY) | gds.ey.com | 🌐 Global | ◐ Credential Exposure |
| Evinova / AstraZeneca | evinova.com | 🇸🇪 Sweden | ✓ Confirmed |
| Funky Penguin | funkypenguin.co.nz | 🇳🇿 NZ | ◐ Credential Exposure |
| GlobalHitss | globalhitss.com | 🇨🇴 Colombia | ◐ Credential Exposure |
| Hiper | hiper.com.br | 🇧🇷 Brazil | ◐ Credential Exposure |
| Impinj | impinj.com | 🇺🇸 US | ◐ Credential Exposure |
| Komatsu | global.komatsu | 🇯🇵 Japan | ◐ Credential Exposure |
| LSEG | lseg.com | 🇬🇧 UK | ◐ Credential Exposure |
| Mapfre | mapfre.com | 🇪🇸 Spain | ◐ Credential Exposure |
| MSG Group | msg.group | 🇩🇪 Germany | ◐ Credential Exposure |
| MTN Group | mtn.com | 🇿🇦 South Africa | ◐ Credential Exposure |
| NielsenIQ | nielseniq.com | 🇺🇸 US | ◐ Credential Exposure |
| Ping Identity ★ | pingidentity.com | 🇺🇸 US | ◐ Credential Exposure |
| Samsung | samsung.com | 🇰🇷 South Korea | ◐ Credential Exposure |
| WeCode | wecode.dk | 🇩🇰 Denmark | ◐ Credential Exposure |
All information on this page is compiled from open-source intelligence (OSINT), threat actor communications, and third-party security reporting. Claims are not independently verified unless explicitly stated. Organisations listed as alleged victims have not necessarily confirmed any security incident, and their inclusion does not constitute an assertion of breach.
This page exists solely for informational and research purposes. Nothing here constitutes legal advice, confirmed attribution, or an official statement of compromise. If your organisation is listed and you have information to share, correct, or dispute, reach out via X or Telegram.