A new cyber campaign demonstrates how rapidly attacks on the software supply chain are evolving and how significant the impact can be when development environments are exploited. Researchers note that the relatively new group TeamPCP has quickly grown into a serious threat to organizations that use cloud platforms and open-source software.
According to Ars Technica, the group came to light late last year when it attacked vulnerable cloud environments with a worm capable of self-propagation. The motive was primarily financial. Infected systems were used for data theft, ransomware, and cryptomining. The scale and degree of automation were particularly striking.
In recent weeks, the campaign has entered a new phase. Researchers observed how TeamPCP gained access to development tools and software chains. A key moment was the compromise of the widely used Trivy scanner, after attackers gained access to the developer’s GitHub account. This allowed malicious code to be distributed via trusted software.
Malware has also emerged that spreads further via npm. Once a system becomes infected, the malware searches for access tokens and uses them to publish new versions of packages containing hidden malicious code. Developers can thus unwittingly contribute to further spread when they install infected dependencies. This process can quickly expand to other projects.
From a technical standpoint, it is notable that the attackers manage their infrastructure differently than usual. Instead of traditional command-and-control servers, they use a system based on the Internet Computer Protocol. This allows server locations to change constantly, while infected systems remain in contact with a dynamic network.
Targeted attack on systems in Iran
A notable development is the addition of a destructive component targeting Iran’s systems. When the malware detects that a system is located in that region or configured for it, no data is stolen; instead, a mechanism is activated that can render systems unusable. The exact impact is still unclear, but the potential for large-scale damage exists.
The choice of a specific region deviates from the group’s previous behavior, which appeared to be primarily financially motivated. Visibility or political signaling may now be playing a role. It is clear that the campaign continues to evolve rapidly.
For organizations that rely on CI/CD pipelines and open-source components, this underscores the importance of strict access control and monitoring. Tokens and automated deployment processes, in particular, pose a risk if they are not properly secured. A single vulnerability can be enough to infect a large number of systems.