Your Supply Chain Breach Is Someone Else's Payday

Recorded Future's Insikt Group is tracking a supply chain campaign by threat actor TeamPCP that compromised trusted software repositories (LiteLLM and Checkmarx) to harvest credentials at scale. Using a single stolen credential, the group injected malware into software packages and poisoned GitHub Actions workflows, cascading compromises across five ecosystems in five days. The stolen credentials enabled payroll redirection fraud and ransomware/extortion operations, with reports indicating possible collaboration with Lapsus$. The attack exploited implicit trust in software supply chains and incomplete credential rotation practices. Mitigation requires cryptographic signing of code, third-party due diligence, continuous credential rotation, and AI-driven anomaly detection to identify unauthorized access despite valid credentials.

A supply chain attack by TeamPCP compromised trusted software tools to harvest credentials at scale, enabling payroll fraud, logistics theft, and ransomware extortion.

Recorded Future's Insikt Group is tracking a supply chain campaign by threat actor TeamPCP that compromised trusted software repositories (LiteLLM and Checkmarx) to harvest credentials at scale. Using a single stolen credential, the group injected malware into software packages and poisoned GitHub Actions workflows, cascading compromises across five ecosystems in five days. The stolen credentials enabled payroll redirection fraud and ransomware/extortion operations, with reports indicating possible collaboration with Lapsus$. The attack exploited implicit trust in software supply chains and incomplete credential rotation practices. Mitigation requires cryptographic signing of code, third-party due diligence, continuous credential rotation, and AI-driven anomaly detection to identify unauthorized access despite valid credentials. A supply chain attack by TeamPCP compromised trusted software tools to harvest credentials at scale, enabling payroll fraud, logistics theft, and ransomware extortion. TeamPCP exploited a single stolen credential to gain write access to trusted software repositories, inject credential-harvesting malware, and cascade across five ecosystems in five days. Stolen credentials can enable payroll redirection, freight rerouting, and extortion — active campaigns Insikt Group is tracking that show how a software supply chain breach can quickly become a business operations crisis. Learn why an inventory of your software components isn't enough when malicious code is injected after the source commit, and what a truly effective defense — combining third-party due diligence. cryptographic signing, and AI-driven anomaly detection — actually requires. In March 2026, a group calling itself TeamPCP compromised LiteLLM (a Python package with roughly 97 million monthly downloads used by thousands of organizations to connect to AI services) and Checkmarx (one of the most widely used application security testing platforms on the planet). How they got in isn’t publicly confirmed. But the result was write access to a trusted software repository. From there, they injected a credential-harvesting payload into the software and poisoned two Checkmarx GitHub Actions workflows . The malware ran silently on installation, vacuuming up access keys, cloud credentials, secrets, and (the cruelest irony) every AI API key that LiteLLM was specifically designed to manage. The stolen data was encrypted, then pushed to a lookalike domain. And here is the part that should keep you up at night: this was one campaign, by one group, in one week. The downstream consequences are still unfolding. Identity Is the Perimeter (and the Attack Surface) The throughline in the TeamPCP campaign is identity. Start to finish. TeamPCP intelligence summary courtesy of Recorded Future. No one has publicly confirmed exactly how TeamPCP gained access to the LiteLLM maintainer’s repository, but the most likely vector is stolen credentials. Recorded Future’s identity intelligence contains almost 1 million compromised GitHub developer credentials harvested by infostealers and sold across dark web marketplaces. A single publishing token or access key, lifted from a prior infection and left unrotated, would have been sufficient. TeamPCPs’ earlier compromise of Aqua Security’s Trivy infrastructure in late February (where incomplete credential rotation left residual access open for weeks) demonstrates exactly this pattern: one stolen token, one missed rotation, and the door stays open. Whatever the precise mechanism, TeamPCP used valid credentials to push malicious code into trusted repositories. No firewall to bypass. No endpoint to exploit. Just a valid login and the implicit trust that comes with it. Then the payload itself was designed to steal more identities. Each compromised environment yielded credentials that unlocked the next target. Trivy led to GitHub Actions. GitHub Actions led to four additional software distribution ecosystems . One incomplete incident response created a cascading chain of supply chain compromises across five ecosystems in five days. This is the identity and access management problem stated as plainly as possible: if the perimeter is identity, then every stolen credential is a breach in the wall. And unlike a firewall rule, a stolen credential doesn’t trigger an alert. It just works. We previously wrote about how deserialization vulnerabilities have plagued enterprise software for over a decade. The pattern is always the same: trusting input that should not be trusted. Supply chain attacks are the organizational equivalent. We trust the packages we install. We trust the pipelines we build. We trust the security tools we deploy. TeamPCP exploited every layer of that trust, starting with a single compromised identity. The Impact Is Not Just Ransomware TeamPCPs’ Telegram channel references a ransomware victim’s site . The group appears to operate as a ransomware affiliate and has publicly discussed extorting companies by...