Inside the Cloud‑Native Crime Syndicate: An Interview with TeamPCP
#Security

Tech Essays Reporter
6 min read

A rare conversation with the self‑described leader of TeamPCP, a financially motivated cybercrime group that has compromised half a million cloud instances and more than a thousand SaaS environments through automated supply‑chain attacks. The interview reveals their loose hierarchy, the origins of their name, their tactics, from the PCPcat worm to the CanisterWorm supply‑chain cascade, and how they monetize stolen credentials while evading detection.

TeamPCP (also known as PCPcat, ShellForce, or DeadCatx3) has been described by security researchers as the most prolific supply‑chain threat actor of 2026, compromising over 500,000 machines and more than a thousand SaaS environments. In a candid interview, the group’s self‑identified “leader” explains how they operate, why they chose their name, and what their long‑term objectives are.


Who is TeamPCP and what do they do?

TeamPCP describes itself as a loose collective of malware developers and cloud‑native threat actors. Their primary goal is to harvest credentials at scale, using worm‑like malware to infiltrate development pipelines, cloud‑native tooling, and container registries. The first publicly linked campaign, PCPcat, exploited the React2Shell vulnerability (CVE‑2025‑55182) in December 2025, compromising roughly 59,000 servers in under 48 hours and exfiltrating SSH keys, .env files, and cloud API tokens.

The group emphasizes a decentralized structure: there is no rigid hierarchy, and leadership is more symbolic than operational. This design, they argue, limits the impact of arrests—if a member is taken, the remaining operators can simply continue under a different alias.


The meaning behind the name

The alias “PCP” references a dissociative hallucinogen. According to the interviewee, many members are former addicts who view cybercrime as a therapeutic outlet that keeps them sober and gives them a sense of purpose. The “rush” of dumping loot is compared to the drug's high, a metaphor the interviewee acknowledges as part of the group's culture without endorsing it. The name also pays homage to the earlier TeamTNT collective, from whom they learned much of their early tradecraft.


From worm to supply‑chain juggernaut

Security researchers have dubbed CanisterWorm the biggest supply‑chain attack of 2026. The operation unfolded in several stages:

  1. Initial foothold – The team compromised Aqua Security’s Trivy scanner after a separate automated breach in February 2026. Poor credential rotation left persistent access.
  2. Malicious injection – They inserted a custom binary named TeamPCP Cloud Stealer into Trivy’s build pipeline. The code executed before the scan, allowing the malware to run undetected while the scanner reported a clean result.
  3. Cascade through ecosystems – Leveraging the compromised scanner, the group poisoned Docker Hub images, npm packages (66+), Checkmarx KICS, VS Code extensions, LiteLLM on PyPI, and even audio payloads in Telnyx. Each compromised artifact served as a new distribution vector, creating a transitive dependency snowball across the software supply chain.
  4. Final target: Bitwarden – A specially crafted payload (bw1.js) was delivered via a compromised Bitwarden release. The script checks for Russian locales to avoid law‑enforcement scrutiny, then exfiltrates stored vault data using the previously harvested cloud credentials.

The interviewee stresses that the cascade was expected, not accidental. “Transitive dependencies are everywhere; once you have a foothold in a build tool, you can pivot to any downstream ecosystem.”


Technical details of the “Cloud Stealer”

The TeamPCP Cloud Stealer is a refactored version of the original PCPcat stealer. Its main components are:

  • Memory‑parser runner that extracts active cloud SDK credentials from running processes.
  • Hybrid encryption (AES‑256 for the payload, RSA‑4096 to wrap the AES key) so that exfiltrated data crosses the network as ciphertext and cannot be recovered from a traffic capture without the operators' private key.
  • Signed binary poisoning – By modifying the GitHub Actions workflow that builds Trivy, the team injected their code before the release was signed. The resulting artifact therefore carried a valid signature and passed every downstream integrity check, and as a freshly built binary it matched no existing antivirus signature.

Despite its relative simplicity, the tool is effective because it runs on the developer's workstation, where credentials routinely sit in plaintext: .env files, cloud SDK credential files such as ~/.aws/credentials, and environment variables inherited by every process the developer launches.
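The workflow‑modification step in the list above is the part of this chain a defender can actually gate in CI. As an added example (editor's code, not TeamPCP's tooling and not anything from the Trivy project), the script below implements two such gates: it flags `uses:` references in a GitHub Actions workflow that are pinned to a mutable tag rather than a full commit SHA, or that pipe a download straight into a shell, and it verifies a downloaded release artifact against a sha256sum‑style checksums file. The workflow text, the artifact bytes and the checksums line are constructed samples; the 40‑hex SHA in the sample workflow is made up and not a real commit.

```python
"""Added example: CI guardrails against pipeline poisoning (editor's code,
not from the interview, TeamPCP, or the Trivy project).  All inputs are
constructed samples."""
import hashlib
import hmac
import re

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
# A download piped straight into a shell: whatever the URL serves today runs.
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(?:sudo\s+)?(?:ba)?sh\b")


def unpinned_actions(workflow_text: str) -> list[str]:
    """Return `uses:` refs pinned to a tag or branch instead of a full commit SHA.

    A tag such as @v4 is mutable: whoever controls the action's repository (or its
    credentials) can move it onto injected code.  A 40-hex commit SHA cannot move.
    """
    unpinned = []
    for line in workflow_text.splitlines():
        m = USES_LINE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):
            continue  # local path or image reference; covered by other controls
        _, _, version = ref.partition("@")
        if not FULL_SHA.match(version):
            unpinned.append(ref)
    return unpinned


def pipe_to_shell_steps(workflow_text: str) -> list[str]:
    """Return run lines that fetch a script and execute it without verification."""
    return [ln.strip() for ln in workflow_text.splitlines() if PIPE_TO_SHELL.search(ln)]


def parse_checksums(text: str) -> dict[str, str]:
    """Parse the '<sha256 hex>  <filename>' lines that sha256sum emits."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and len(parts[0]) == 64:
            table[parts[1]] = parts[0].lower()
    return table


def verify_artifact(name: str, data: bytes, checksums_text: str) -> bool:
    """True only if `data` hashes to the checksum the publisher listed for `name`."""
    expected = parse_checksums(checksums_text).get(name)
    if expected is None:
        return False  # an artifact nobody published a checksum for is untrusted
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected)


# --- constructed samples --------------------------------------------------
SAMPLE_WORKFLOW = """\
name: release
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567  # made-up SHA
      - name: fetch helper
        run: curl -sSL https://example.invalid/install.sh | sh
      - uses: ./.github/actions/local-step
      - run: go build ./...
"""

ARTIFACT_NAME = "scanner_0.0.0_Linux-64bit.tar.gz"
GOOD_ARTIFACT = b"stand-in bytes for the release tarball"
TAMPERED_ARTIFACT = GOOD_ARTIFACT + b"\x00injected"
# Stands in for the publisher's checksums.txt; derived from the good bytes here
# only so that the example runs offline.
SAMPLE_CHECKSUMS = f"{hashlib.sha256(GOOD_ARTIFACT).hexdigest()}  {ARTIFACT_NAME}\n"


if __name__ == "__main__":
    for ref in unpinned_actions(SAMPLE_WORKFLOW):
        print("unpinned action:", ref)
    for step in pipe_to_shell_steps(SAMPLE_WORKFLOW):
        print("pipe-to-shell:", step)
    print("good artifact verifies:", verify_artifact(ARTIFACT_NAME, GOOD_ARTIFACT, SAMPLE_CHECKSUMS))
    print("tampered artifact verifies:", verify_artifact(ARTIFACT_NAME, TAMPERED_ARTIFACT, SAMPLE_CHECKSUMS))
```

The checksum check only proves the bytes match what the publisher posted. In the Trivy case described above the publisher's own pipeline produced the poisoned build, so its checksums and signature were generated for the poisoned artifact; the check therefore belongs alongside action pinning and an independent rebuild, not in place of them.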


Scale and impact

  • 500,000+ compromised machines (including many Fortune 500 environments).
  • 1,000+ SaaS platforms breached, providing access to databases, data warehouses, and CI/CD pipelines.
  • CERT‑EU breach – The European Commission’s AWS environment was accessed via the compromised Trivy tool, resulting in 340 GB of data stolen from 42 EU departments. The breach was later publicized through a leak site operated by ShinyHunters, who attempted to extort the group before ultimately scamming them.

The interviewee admits that many victims remain unaware of the intrusion, especially those lacking robust credential‑rotation policies.


Operational security and preparation

TeamPCP spends approximately two weeks between major waves, using that time to experiment with new malware, test C2 channels, and let public attention subside. Their preparation includes:

  • Dry‑run accounts created days before a release (e.g., a GitHub account used to test Bitwarden payloads).
  • Offline triage of stolen keys using tools like trufflehog with the --no-verification flag, which identifies candidate secrets by pattern without calling the issuing provider to confirm they are live; the victim's cloud audit logs therefore record nothing until a key is actually used.
  • Strict vetting of core members; the group reports zero leaks from within the inner circle.

Collaboration with other cybercrime groups

The interview reveals a networked ecosystem where groups such as xploitrs, Vect, and ShinyHunters intersect. Trust is built slowly through private chats, and collaborations often emerge organically when overlapping interests are identified. While Vect’s ransomware‑as‑a‑service (RaaS) suffers from a broken encryption scheme, TeamPCP maintains its own proprietary locker—a closed‑source, locally‑encrypted storage system for stolen data that has no public samples.


Monetization strategy

TeamPCP does not sell data directly. Instead, they broker access through third parties, ensuring that the financial trail does not point back to the core operators. The group also runs a private tool called Cipherforce, which has been used against at least 15 companies but remains unreleased to the public.


Reflections on risk and future direction

Although no arrests have been made against TeamPCP, Vect, or xploitrs, the interviewee acknowledges the ever‑present risk of exposure. They employ disinformation tactics, leaking false intel to monitor who is watching and to gauge law‑enforcement interest. The group’s long‑term aim appears to be maintaining a foothold in the high‑value segment of the cloud ecosystem, while deliberately avoiding smaller targets such as hospitals, NGOs, or startups.

“If you are a multi‑billion‑dollar or large Israeli company, we are gunning for you and we will not stop.”


Implications for defenders

  1. Supply‑chain hygiene is critical – Organizations must treat build pipelines as high‑value assets, enforce strict credential rotation, pin third‑party actions and dependencies to immutable references, and verify the integrity of every third‑party binary before it runs.
  2. Signed release verification – A signature proves who signed an artifact, not that the build that produced it was honest; if the signing pipeline itself is poisoned, the malware ships with a valid signature. Implement reproducible builds and independent verification so that a release can be rebuilt and compared, not merely signature‑checked.
  3. Credential exposure monitoring – Continuous scanning for leaked keys (e.g., via trufflehog) should be paired with automated revocation and rotation, and with provider‑side alerting on key use from unexpected sources, since the attacker deliberately avoids the verification calls that would otherwise trip alerts.
  4. Threat‑intel sharing – The rapid diffusion of tactics across groups underscores the need for real‑time information sharing between industry and government.
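Credential‑exposure monitoring in item 3 is the defender's mirror of what the Cloud Stealer does on a workstation. As an added example (editor's code, not TeamPCP's tooling and not trufflehog), the script below sweeps the places the stealer reads, .env files, SDK credential files, the process environment and SSH key files, for well‑known key formats and for high‑entropy values under secret‑looking names, and reports them redacted so the report does not become another copy of the secret. The inputs are constructed samples using documentation placeholder keys, not live credentials. It deliberately makes no call to any provider to confirm that a key is live: doing so from the scanner would generate exactly the audit‑log activity the interviewee describes avoiding, and confirmation belongs to the rotation step anyway.

```python
"""Added example: a workstation/CI sweep for the plaintext credential material
the stealer described above harvests.  Editor's code, not TeamPCP's tooling
and not trufflehog; every sample value is constructed and not a live key."""
import math
import re
from dataclasses import dataclass

# Documented credential formats.  AWS access key IDs start with AKIA (long-term)
# or ASIA (temporary); classic GitHub personal access tokens start with ghp_.
KNOWN_FORMATS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}
PRIVATE_KEY = re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")
# Variable names that suggest a secret; the value is then judged by entropy.
SECRET_NAME = re.compile(r"SECRET|TOKEN|PASSW(OR)?D|API_KEY", re.I)
MIN_SECRET_LEN = 20
MIN_ENTROPY_BITS = 3.5


@dataclass(frozen=True)
class Finding:
    source: str
    kind: str
    name: str
    redacted: str


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking secrets score well above prose or hostnames."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def redact(value: str) -> str:
    """Keep just enough of the value to locate it; never echo the whole secret."""
    return f"{value[:4]}...{value[-2:]}" if len(value) > 8 else "***"


def parse_kv(text: str) -> list[tuple[str, str]]:
    """Parse KEY=VALUE (.env, `export KEY=...`) and INI `key = value` lines."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";", "[")) or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.strip().removeprefix("export ").strip()
        pairs.append((key, value.strip().strip("'\"")))
    return pairs


def scan_source(source: str, text: str) -> list[Finding]:
    findings = []
    if PRIVATE_KEY.search(text):
        findings.append(Finding(source, "private_key", "(pem block)", "-----BEGIN ... KEY-----"))
    for name, value in parse_kv(text):
        kind = next((k for k, pat in KNOWN_FORMATS.items() if pat.search(value)), None)
        if kind is None and SECRET_NAME.search(name) \
                and len(value) >= MIN_SECRET_LEN and shannon_entropy(value) >= MIN_ENTROPY_BITS:
            kind = "high_entropy_secret"
        if kind:
            findings.append(Finding(source, kind, name, redact(value)))
    return findings


def sweep(sources: dict[str, str]) -> list[Finding]:
    """`sources` maps a label (file path or 'environ') to its text content."""
    return [f for src, text in sources.items() for f in scan_source(src, text)]


# --- constructed samples; the key values are documentation placeholders, not live keys
SAMPLE_SOURCES = {
    "repo/.env": (
        "DB_HOST=localhost\n"
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "export AWS_SECRET_ACCESS_KEY='wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
    ),
    "~/.aws/credentials": (
        "[default]\n"
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "~/.ssh/id_ed25519": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "b3BlbnNzaC1rZXktdjEAAAAABG5vbmU\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
    "environ": "PATH=/usr/bin\nGITHUB_TOKEN=ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij\n",
}

if __name__ == "__main__":
    for f in sweep(SAMPLE_SOURCES):
        print(f"{f.source}: {f.kind} in {f.name} -> {f.redacted}")
```

Given the scale of harvesting the interview describes, a finding of kind `aws_access_key_id` is best routed straight to rotation tooling rather than a ticket queue; the `name` and `source` fields are there so the rotation job knows which key to revoke and which file to rewrite.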

The interview provides a rare glimpse into the mindset and methodology of a modern, cloud‑native crime syndicate. As supply‑chain attacks become increasingly automated, defenders must adopt equally sophisticated, layered defenses to stay ahead of actors who view the cloud not as a service, but as a limitless hunting ground.
