Understanding threat actor capabilities is only half the battle—the other half is knowing whether your organization is in their crosshairs. See how Bitsight threat intelligence helps you move from observation to action.
TeamPCP-related activity increased by 471% in the last month compared to similar groups, according to Bitsight Threat Intelligence. Recent reporting connects TeamPCP to Vect, an emerging ransomware-as-a-service operation, and links the group to compromised developer and security tools including Trivy, KICS, LiteLLM, and the Telnyx Python SDK.
Compromised open-source packages
Compromised developer tools
Malicious VS Code extensions
Compromised GitHub repositories
Compromised CI/CD workflows
Stolen package publishing credentials
Stolen cloud credentials
Stolen SSH keys
Exposed Kubernetes credentials
Exposed .env secrets
Compromised npm packages
Compromised PyPI packages
Compromised Docker workflows
Compromised GitHub Actions workflows
CVE-2026-33634
CVE-2026-48027
CVE-2026-45321
Supply Chain Compromise
Subvert Trust Controls
Unsecured Credentials
OS Credential Dumping
Exfiltration Over Web Service
Data Destruction
Create or Modify System Process
Escape to Host
Credential theft
Open-source package compromise
Developer tool compromise
CI/CD pipeline targeting
Package publishing workflow abuse
npm ecosystem abuse
PyPI ecosystem abuse
Malicious VS Code extension usage
Kubernetes lateral movement
Cloud credential harvesting
Repository exfiltration
Sensitive development data exfiltration
Use of stolen credentials to spread across packages or environments
AES-256 encryption during exfiltration
RSA-4096 encryption during exfiltration
Audio steganography
Self-replicating supply chain activity
Social engineering
Ransomware-as-a-service collaboration
TeamPCP targets developer workflows, packages, repositories, CI/CD systems, and cloud credentials to enable supply chain compromise, extortion, and ransomware activity.
Treat developer tooling as part of the attack surface
Restrict unapproved IDE extensions
Review installed VS Code extensions
Enforce least privilege for GitHub, npm, PyPI, Docker, and CI/CD credentials
Rotate credentials after suspected compromise
Scan repositories for hardcoded secrets
Monitor package updates for suspicious behavior
Use approved dependency lists or internal package mirrors
Harden Kubernetes access
Audit Kubernetes cluster secrets
Monitor dark web, paste, ransomware, and code repository sources for leaked assets
Treat developer workstations, package publishing accounts, and build systems as sensitive infrastructure
Maintain clean, disconnected backups to reduce risk from flawed ransomware encryption or unrecoverable data corruption
Understanding threat actor capabilities is only half the battle—the other half is knowing whether your organization is in their crosshairs. See how Bitsight threat intelligence helps you move from observation to action.