Threat Actor Profile

TeamPCP

Aliases
  • ShellForce
  • PCPcat
  • DeadCatx3
  • Altered Spider
  • PersyPCP
Motivation
Financial gain, Extortion, Credential theft, Software supply chain compromise
Cause
Cybercriminal
Recent Activity

TeamPCP-related activity increased by 471% in the last month compared to similar groups, according to Bitsight Threat Intelligence. Recent reporting connects TeamPCP to Vect, an emerging ransomware-as-a-service operation, and links the group to compromised developer and security tools including Trivy, KICS, LiteLLM, and the Telnyx Python SDK.

Primary Targets
  • Software vendors
  • SaaS companies
  • Cloud-native organizations
  • Open-source maintainers
  • DevOps teams
  • Platform engineering teams
  • Organizations using GitHub
  • Organizations using npm
  • Organizations using PyPI
  • Organizations using Docker
  • Organizations using GitHub Actions
  • Organizations using VS Code
  • Organizations using Kubernetes
  • Organizations using CI/CD workflows
  • Third-party software providers
  • Developer tooling vendors
Target Locations
  • Global
Target Sectors
  • Technology
  • Software
  • SaaS
  • Cloud Services
  • Open Source
  • Developer Tools
  • Third-Party Software
  • Supply Chain
Vulnerabilities

Compromised open-source packages

Compromised developer tools

Malicious VS Code extensions

Compromised GitHub repositories

Compromised CI/CD workflows

Stolen package publishing credentials

Stolen cloud credentials

Stolen SSH keys

Exposed Kubernetes credentials

Exposed .env secrets

Compromised npm packages

Compromised PyPI packages

Compromised Docker workflows

Compromised GitHub Actions workflows

CVE-2026-33634

CVE-2026-48027

CVE-2026-45321

Techniques
  • Supply Chain Compromise

  • Subvert Trust Controls

  • Unsecured Credentials

  • OS Credential Dumping

  • Exfiltration Over Web Service

  • Data Destruction

  • Create or Modify System Process

  • Escape to Host

  • Credential theft

  • Open-source package compromise

  • Developer tool compromise

  • CI/CD pipeline targeting

  • Package publishing workflow abuse

  • npm ecosystem abuse

  • PyPI ecosystem abuse

  • Malicious VS Code extension usage

  • Kubernetes lateral movement

  • Cloud credential harvesting

  • Repository exfiltration

  • Sensitive development data exfiltration

  • Use of stolen credentials to spread across packages or environments

  • AES-256 encryption during exfiltration

  • RSA-4096 encryption during exfiltration

  • Audio steganography

  • Self-replicating supply chain activity

  • Social engineering

  • Ransomware-as-a-service collaboration

Malware Tools
  • CipherForce
  • Vect
  • CanisterWorm
  • SANDCLOCK
  • Mini Shai-Hulud
  • Miasma
  • Trivy
  • KICS
  • LiteLLM
  • Telnyx Python SDK
  • xinference PyPI package
  • GitHub
  • npm
  • PyPI
  • Docker
  • GitHub Actions
  • VS Code
  • Kubernetes
Bitsight Contextualized Intelligence
  • TeamPCP targets developer workflows, packages, repositories, CI/CD systems, and cloud credentials to enable supply chain compromise, extortion, and ransomware activity.

Defensive Takeaways
  • Treat developer tooling as part of the attack surface

  • Restrict unapproved IDE extensions

  • Review installed VS Code extensions

  • Enforce least privilege for GitHub, npm, PyPI, Docker, and CI/CD credentials

  • Rotate credentials after suspected compromise

  • Scan repositories for hardcoded secrets

  • Monitor package updates for suspicious behavior

  • Use approved dependency lists or internal package mirrors

  • Harden Kubernetes access

  • Audit Kubernetes cluster secrets

  • Monitor dark web, paste, ransomware, and code repository sources for leaked assets

  • Treat developer workstations, package publishing accounts, and build systems as sensitive infrastructure

  • Maintain clean, disconnected backups to reduce risk from flawed ransomware encryption or unrecoverable data corruption

How Bitsight Helps

Understanding threat actor capabilities is only half the battle—the other half is knowing whether your organization is in their crosshairs. See how Bitsight threat intelligence helps you move from observation to action.

Request threat intel demo