
Weaponizing the Protectors: TeamPCP’s Multi-Stage Supply Chain Attack on Security Infrastructure

breach | closed | Mar 30, 2026 — Mar 31, 2026

Threat actors known as TeamPCP have launched a multi‑stage supply chain operation that compromised trusted security tools and injected malicious code into popular package registries, putting hundreds of thousands of machines at risk. The campaign, observed between late February and March 2026, turned utilities such as Aqua Security’s Trivy and Checkmarx’s KICS into unwitting carriers of infostealer payloads.

Researchers from Unit 42 found that the attackers poisoned GitHub Actions workflows and uploaded tampered versions of the Aqua Trivy, Checkmarx KICS and LiteLLM packages to PyPI, embedding a malicious WAV file that dropped a Windows startup executable or launched a hard‑coded Python script on macOS and Linux. The rogue Telnyx Python SDK versions 4.87.1 and 4.87.2, also hosted on PyPI, contained the same WAV‑based dropper and used an RSA public key identical to earlier TeamPCP infections to encrypt stolen cloud tokens, SSH keys and Kubernetes secrets before exfiltration. The campaign also introduced a worm dubbed CanisterWorm that spreads through container images, attempting to propagate the stealer to downstream builds.

According to telemetry from Unit 42 and corroborating reports from Akamai, the operation has compromised more than 500 000 machines, exfiltrated roughly 300 GB of sensitive data and affected sixteen organisations directly, while forty‑seven additional packages across various namespaces were found to be tainted. SecurityWeek noted that the malicious SDK versions targeted Windows, macOS and Linux systems, with the WAV file acting as a versatile dropper for each platform.

Beyond the initial theft, threat intelligence from Wiz shows that the harvested credentials are being replayed in live cloud environments to spin up illicit resources and move laterally, indicating a shift from pure data theft to active intrusion. This post‑compromise phase suggests that the stolen secrets are being used to establish footholds in victim infrastructures.

Organisations should immediately audit any recent installations of Trivy, KICS, LiteLLM or the Telnyx SDK, verify package signatures and hashes against trusted sources, and remove any suspicious GitHub Actions workflows that call external scripts or upload artefacts. Enabling dependency verification tools and reviewing build logs for unexpected network calls can help catch similar tampering early.
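One way to start the audit described above, as an added example that is not code from Unit 42 or the affected projects. It checks pinned requirements and installed distributions against the Telnyx versions named in this report, flags the other named packages for manual hash verification, and lists any `.wav` files a distribution ships. The distribution names `trivy` and `kics`, the sample pins and the hash placeholder are assumptions.

```python
import re
from importlib import metadata

# From the report: Telnyx SDK versions that carried the WAV dropper.
KNOWN_BAD = {"telnyx": {"4.87.1", "4.87.2"}}
# Named in the report without versions. "trivy" and "kics" are assumed
# distribution names; replace them with the names in your own inventory.
REVIEW = {"trivy", "kics", "litellm", "telnyx"}
PIN = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*([^\s;\\]+)")

def normalize(name):
    """PEP 503 normalization, so 'LiteLLM' and 'litellm' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def classify(name, version):
    """'compromised' = version listed in the report, 'review' = verify hashes."""
    name = normalize(name)
    if version in KNOWN_BAD.get(name, ()):
        return "compromised"
    return "review" if name in REVIEW else "ok"

def audit_pins(lines):
    """Check 'name==version' pins from a requirements or lock file."""
    findings = []
    for raw in lines:
        match = PIN.match(raw.split("#", 1)[0].strip())
        if match and classify(*match.groups()) != "ok":
            name, version = match.groups()
            findings.append((normalize(name), version, classify(name, version)))
    return findings

def audit_installed():
    """Check installed distributions and list any .wav files they ship."""
    findings = []
    for dist in metadata.distributions():
        name = dist.metadata.get("Name") or ""
        version = dist.metadata.get("Version") or ""
        status = classify(name, version)
        # Heuristic only: some legitimate packages ship audio test data.
        wavs = [str(f) for f in (dist.files or []) if str(f).lower().endswith(".wav")]
        if status != "ok" or wavs:
            findings.append((normalize(name), version, status, wavs))
    return findings

# Constructed sample lock file, for illustration only (versions are made up
# except the Telnyx 4.87.2 pin, which comes from the report).
SAMPLE_PINS = ["requests==2.32.3", "Telnyx==4.87.2 \\", "    --hash=sha256:<placeholder>",
               "litellm[proxy]==1.0.0  # constructed version", "telnyx==4.86.0"]

if __name__ == "__main__":
    for finding in audit_pins(SAMPLE_PINS) + audit_installed():
        print(finding)
```

A `review` result is not a verdict: it marks a package whose installed artefact should be compared against a hash from a trusted source.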

Security teams are encouraged to enforce signed commits, rely on provenance checks such as Sigstore or SLSA, rotate any credentials that may have been exposed, monitor outbound connections for unusual DNS or HTTP traffic, and maintain an up‑to‑date software bill of materials to spot compromised dependencies fast. Sharing indicators of compromise with trusted peers and updating container image scanners to flag the CanisterWorm signature will further limit the blast radius.
