teampcp

The 48-Hour Secrets Sprint: How Three Registries Were Swept in One Weekend

John Z Black Apr 23, 2026

Threat Intelligence #supply-chain #npm #pypi #teampcp #xinference #canisterworm #checkmarx-kics #secrets-theft #devsecops

A coordinated 48-hour sprint hit npm, PyPI, and Docker Hub, targeting developer secrets at scale. From infected AI libraries to a trojanized security scanner, the supply chain is moving faster than your detection.

The AI Training Pipeline Just Became a High-Value Target

John Z Black Apr 6, 2026

Incidents & Breaches #supply-chain #ai-security #litellm #mercor #lapsus$ #teampcp

A trojanized LiteLLM package hit Mercor, the AI training vendor shared by OpenAI, Anthropic, and Meta, exposing the massive concentration risk in the AI supply chain.

TeamPCP's Criminal Empire Is Growing and Nobody Agrees Who's Running It

John Z Black Apr 5, 2026

Ransomware & Cybercrime #teampcp #canisterworm #supply-chain #ransomware #vect #shinyhunters #lapsus

TeamPCP has evolved from cloud extortion to a criminal franchise operation with a wiper targeting Iran, a ransomware partnership with 300K affiliates, and public feuds with other threat actors.

TeamPCP Hacked the European Commission Through a Security Scanner

John Z Black Apr 4, 2026

Incidents & Breaches #teampcp #european-commission #supply-chain #shinyhunters #cert-eu

TeamPCP breached the European Commission via a poisoned version of Trivy. Data from 30+ EU entities got exposed. ShinyHunters leaked it all. The irony of a security tool being the attack vector writes itself.

TeamPCP's First Confirmed Victim Lost Passport Scans and Video Interviews

John Z Black Apr 2, 2026

Incidents & Breaches #teampcp #supply-chain #mercor #lapsus #data-breach #biometric-data #litellm

AI hiring platform Mercor confirmed a breach tied to the LiteLLM compromise. The stolen data includes passport scans and video interviews you can't exactly rotate like a password.

The Week Toolchain Trust Collapsed, Again

John Z Black Mar 30, 2026

Threat Intelligence #weekly-recap #supply-chain #teampcp #ai-security #authentication #iran #healthcare #bpfdoor #privacy

TeamPCP kept hitting developer tooling. AI attack surfaces went from theoretical to exploited. Attackers logged in instead of breaking in. And Iran went after the FBI director's personal inbox.

TeamPCP Is Back. Now It's Deploying Ransomware Through Your AI Libraries.

John Z Black Mar 30, 2026

AI Security #supply-chain #teampcp #litellm #telnyx #ransomware #python #steganography #ai-security

The supply-chain group that poisoned Trivy last week just hit LiteLLM and the Telnyx SDK, hid their payload in WAV audio files, and announced a ransomware affiliate partnership.

TeamPCP Is Not a Hacker Group Anymore. It's a Cloud Crime Platform.

John Z Black Mar 28, 2026

Ransomware & Cybercrime #teampcp #canisterworm #vect #ransomware #supply-chain #blockchain #icp #pypi #cloud-security

TeamPCP has graduated from opportunistic attacker to full-spectrum criminal platform -- with blockchain C2 that law enforcement can't seize and a live ransomware affiliate program that costs $250 to join.

CanisterWorm: TeamPCP Hides Its C2 on a Blockchain You Can't Take Down

John Z Black Mar 26, 2026

Threat Intelligence #teampcp #malware #blockchain #supply-chain #iran #wiper #kubernetes

TeamPCP's new wiper, CanisterWorm, uses an ICP blockchain canister as its C2 resolver -- no domain to seize, no server to kill. And it now runs on any system, not just Kubernetes.

The Trivy Domino: How One Poisoned Security Tool Spread to a Thousand Cloud Environments

John Z Black Mar 25, 2026

Threat Intelligence #supply-chain #trivy #litellm #kubernetes #teampcp #cloud-security #ci-cd

A poisoned Trivy Docker image grew into one of the year's worst CI/CD compromises. Thousands of pipelines ran the payload, LiteLLM got backdoored on PyPI, and the attackers built a three-part kit designed to hit Kubernetes clusters and stay.

CanisterWorm: How TeamPCP Hijacked Your Security Scanners and Built an Untakeable Botnet

John Z Black Mar 24, 2026

Threat Intelligence #supply-chain #teampcp #canisterworm #kubernetes #ci/cd #npm #trivy #kics #wiper

TeamPCP compromised Trivy and KICS CI/CD scanner tags, spread CanisterWorm to 47 npm packages, and deployed a Kubernetes wiper targeting Iranian timezones -- all controlled via blockchain C2 that can't be taken down.