According to HackRead, TeamPCP began their credential-theft campaign on 19 March 2026 by injecting a credential stealer into Trivy, a popular code-scanning tool, via poisoned updates on GitHub and OpenVSX. This allowed them to steal passwords and cloud access keys for AWS, Azure, and GCP, as well as cryptocurrency wallet details, from infected machines.
The attack expanded on 23 March 2026 when two of Checkmarx’s automated tools (KICS) and two code-editor plugins were compromised and briefly listed on OpenVSX, though the official VS Code Marketplace versions remained safe; users who downloaded the affected ast-results or cx-dev-assist plugins from OpenVSX were at risk.
The campaign reached LiteLLM on 24 March 2026, when poisoned LiteLLM versions 1.82.7 and 1.82.8 were published to PyPI. Version 1.82.8 reportedly contains a hidden file that executes malware whenever Python starts, even if the tool is not opened. The post notes that the threat actors describe themselves as TeamPCP or Shellforce, with CipherForce described as a newer project, and states that they have been active in publishing data and writing malware.
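A defender-side check for the LiteLLM case above, added here as an example and not taken from HackRead or the LiteLLM project: it flags the two poisoned versions named in the report and lists `.pth` lines, which Python's `site` module executes at every interpreter start. That the hidden file is a `.pth` file is an assumption, since the summary does not name the mechanism; the function names are illustrative.

```python
import importlib.metadata as md
import site
from pathlib import Path

# Poisoned PyPI releases named in the report summarised above.
POISONED = {"litellm": {"1.82.7", "1.82.8"}}


def flag_poisoned(installed):
    """installed: {distribution name: version}. Returns sorted (name, version) hits."""
    return sorted(
        (name.lower(), ver)
        for name, ver in installed.items()
        if ver in POISONED.get(name.lower(), ())
    )


def startup_exec_lines(site_dir):
    """Return (file, line number, text) for .pth lines that site.py would exec()."""
    hits = []
    for pth in sorted(Path(site_dir).glob("*.pth")):
        text = pth.read_text(encoding="utf-8", errors="replace")
        for no, line in enumerate(text.splitlines(), 1):
            # site.py executes only lines that begin with "import" plus a space
            # or tab; any other non-comment line is just added to sys.path.
            if line.startswith(("import ", "import\t")):
                hits.append((pth.name, no, line.strip()))
    return hits


def installed_distributions():
    """Map name -> version for every distribution this interpreter can see."""
    return {d.metadata["Name"]: d.version
            for d in md.distributions() if d.metadata["Name"]}


if __name__ == "__main__":
    for name, ver in flag_poisoned(installed_distributions()):
        print(f"POISONED VERSION INSTALLED: {name}=={ver}")
    dirs = set(site.getsitepackages()) | {site.getusersitepackages()}
    for d in sorted(dirs):
        if Path(d).is_dir():
            # Hits need manual review: setuptools and editable installs
            # ship legitimate .pth files that contain import lines.
            for fname, no, line in startup_exec_lines(d):
                print(f"{d}/{fname}:{no}: {line[:120]}")
```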