TeamPCP Supply Chain Campaign: Update 005 - First Confirmed Victim Disclosure, Post-Compromise Cloud Enumeration Documented, and Axios Attribution Narrows (Wed, Apr 1st)
This is the fifth update to the TeamPCP supply chain campaign threat intelligence report, "When the Security Scanner Became the Weapon" (v3.0, March 25, 2026). Update 004 covered developments through March 30, including the Databricks investigation, dual ransomware operations, and AstraZeneca data release. This update consolidates two days of intelligence through April 1, 2026.
AI Analysis
Technical Summary
The TeamPCP supply chain campaign represents a sophisticated and evolving threat targeting software supply chains and cloud environments. It began with the compromise of LiteLLM versions 1.82.7 and 1.82.8, which were distributed with malicious code enabling credential harvesting. The campaign’s first confirmed victim, Mercor AI, disclosed a breach involving exfiltration of approximately 4TB of data, including source code, user databases, and biometric identity verification documents. Initial access was gained through compromised Tailscale VPN credentials, highlighting the use of stolen credentials for lateral movement. Post-compromise, TeamPCP employs tools like TruffleHog to validate stolen AWS, Azure, and SaaS credentials rapidly, followed by aggressive enumeration of cloud resources such as IAM roles, EC2 instances, Lambda functions, RDS databases, S3 buckets, and ECS clusters. The group’s use of conspicuous resource names like "pawn" and "massive-exfil" suggests either operational recklessness or psychological intimidation tactics. The campaign’s cloud targeting is predominantly Azure (61%) and AWS (36%). Additionally, the axios npm package compromise was attributed to North Korean UNC1069, which used a malicious macOS Mach-O binary payload overlapping with the WAVESHAPER backdoor. Although UNC1069 executed the axios attack, the npm token used was likely harvested by TeamPCP’s credential theft operations, indicating a shared credential ecosystem exploited by multiple threat actors. The campaign currently affects five major ecosystems: GitHub Actions, PyPI, npm, Docker Hub/GHCR, and OpenVSX, with a recent pause in new package compromises lasting approximately eight days. Forensic audits have confirmed no additional compromised LiteLLM versions beyond the known malicious releases. 
The campaign’s operational tempo, credential exploitation, and cloud enumeration activities pose significant risks to confidentiality, integrity, and availability of affected organizations’ data and infrastructure.
Potential Impact
The TeamPCP campaign’s impact is substantial and multifaceted. Organizations using compromised LiteLLM versions face confirmed data breaches involving sensitive intellectual property, user data, and biometric identity information, raising severe privacy and regulatory concerns under GDPR, CCPA, and potentially HIPAA. The theft and exploitation of VPN credentials and cloud access tokens enable attackers to conduct extensive reconnaissance and potentially deploy ransomware or other malicious payloads, threatening operational continuity and data integrity. The campaign’s focus on cloud environments, especially Azure and AWS, means that organizations heavily reliant on these platforms are at risk of unauthorized access, data exfiltration, and service disruption. The involvement of nation-state actors like North Korea in related supply chain compromises further elevates the threat landscape, introducing geopolitical risk and increasing the likelihood of targeted attacks against critical infrastructure and technology sectors. The campaign’s broad ecosystem reach and credential reuse amplify the potential for widespread compromise, extortion, and long-term persistence within victim environments.
Mitigation Recommendations
Organizations should immediately rotate all credentials associated with LiteLLM versions 1.82.7 and 1.82.8, including VPN credentials, cloud access tokens, and API keys, prioritizing those accessible in compromised environments. Continuous monitoring of cloud audit logs is critical to detect unauthorized IAM enumeration, EC2/ECS/Lambda discovery calls, and S3 bucket listing operations, especially those originating from unfamiliar principals. Security teams should implement detection rules for rapid sequential API calls indicative of TruffleHog validation attempts and monitor for resource names containing strings like "pawn" or "massive-exfil". Employing least privilege principles for cloud credentials and enforcing multi-factor authentication on VPN and cloud access can reduce attack surface. Incident response teams should review the detailed Wiz CIRT report for actionable indicators of compromise and adapt threat hunting accordingly. For npm users, verify package integrity and block known malicious domains and IPs associated with the axios compromise. Organizations should maintain strict supply chain security hygiene, including forensic validation of software releases and rapid response to disclosed compromises. Collaboration with government advisories, such as those from Singapore CSA and CISA, is recommended to stay updated on emerging threats and remediation deadlines.
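The audit-log monitoring recommended above can be prototyped as follows. This is an added example, not code from the report or from any vendor: it flags unfamiliar principals whose discovery calls span several services within a short window, and any event whose request parameters contain the "pawn" or "massive-exfil" strings. The window, service threshold, allowlist, account ID and sample records are assumptions constructed for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed tuning values and allowlist; none of these come from the report.
SCANNER = "arn:aws:iam::111111111111:role/inventory-scanner"
WINDOW = timedelta(seconds=60)
MIN_SERVICES = 4
KNOWN_PRINCIPALS = {SCANNER}
SERVICES = {"iam", "ec2", "lambda", "rds", "s3", "ecs"}
MARKERS = ("pawn", "massive-exfil")  # resource-name strings named in the report

def find_enumeration_bursts(events):
    """Unfamiliar principals whose List*/Describe* calls span >= MIN_SERVICES services in WINDOW."""
    calls_by_arn = defaultdict(list)
    for ev in events:
        arn, svc = ev["userIdentity"]["arn"], ev["eventSource"].split(".")[0]
        if (svc in SERVICES and arn not in KNOWN_PRINCIPALS
                and ev["eventName"].startswith(("List", "Describe"))):
            ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            calls_by_arn[arn].append((ts, svc))
    flagged = {}
    for arn, calls in calls_by_arn.items():
        calls.sort()
        for i, (start, _) in enumerate(calls):  # slide a window from each call
            seen = {svc for ts, svc in calls[i:] if ts - start <= WINDOW}
            if len(seen) >= MIN_SERVICES:
                flagged[arn] = sorted(seen)
                break
    return flagged

def find_marker_resources(events):
    """(principal, eventName) for events whose request parameters contain a marker string."""
    return [(ev["userIdentity"]["arn"], ev["eventName"]) for ev in events
            if any(m in json.dumps(ev.get("requestParameters") or {}).lower() for m in MARKERS)]

# Constructed sample records (CloudTrail field names, invented account and principals).
def make_event(sec, svc, name, arn, params=None):
    return {"eventTime": f"2026-01-01T00:00:{sec:02d}Z", "eventSource": f"{svc}.amazonaws.com",
            "eventName": name, "userIdentity": {"arn": arn}, "requestParameters": params}

UNKNOWN = "arn:aws:iam::111111111111:user/ci-deploy"
SAMPLE = [
    make_event(1, "iam", "ListRoles", UNKNOWN), make_event(2, "iam", "ListRoles", SCANNER),
    make_event(3, "ec2", "DescribeInstances", UNKNOWN), make_event(5, "ec2", "DescribeInstances", SCANNER),
    make_event(4, "lambda", "ListFunctions20150331", UNKNOWN), make_event(6, "rds", "DescribeDBInstances", UNKNOWN),
    make_event(7, "s3", "ListBuckets", UNKNOWN),
    make_event(9, "ecs", "CreateCluster", UNKNOWN, {"clusterName": "massive-exfil"}),
]
```

The marker check is a plain substring match, so "pawn" also matches names such as "spawn"; treat hits as triage leads and confirm against the creating principal.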
Affected Countries
United States, United Kingdom, Germany, Singapore, South Korea, Japan, Australia, Canada, France, Netherlands, Israel
Technical Details
- Article Source: https://isc.sans.edu/diary/rss/32856 (fetched 2026-04-01T13:23:27.580Z; word count 1605)
Threat ID: 69cd1c4fe6bfc5ba1dcfe81a
Added to database: 4/1/2026, 1:23:27 PM
Last enriched: 4/1/2026, 1:23:48 PM
Last updated: 4/5/2026, 8:47:32 PM