TeamPCP deploys Iran-targeted wiper in Kubernetes attacks
https://www.bleepingcomputer.com/news/security/teampcp-deploys-iran-targeted-wiper-in-kubernetes-attacks/
#Infosec #Security #Cybersecurity #CeptBiro #TeamPCP #KubernetesAttacks
The most interesting supply chain attack I've ever seen: #trivy
The attack is really bizarre. I learned a lot about GitHub Actions and how the attack was performed.
- https://www.aquasec.com/blog/trivy-supply-chain-attack-what-you-need-to-know/
- https://www.stepsecurity.io/blog/hackerbot-claw-github-actions-exploitation
- https://ramimac.me/trivy-teampcp/#timeline
- https://snyk.io/articles/trivy-github-actions-supply-chain-compromise/
#cybersecurity #supplychain #github #glassworm #githubactions #attack #TeamPCP #c2

Open Source Security Advisory Update: Monday, March 23, 2026, Boston, MA, 2:00 AM ET. We are providing this update to share new developments identified during our ongoing investigation into the Trivy open source incident described below. Over the weekend, the Trivy team continued analysis of the previously reported incident and started implementing additional security measures across repositories and automation …
‘CanisterWorm’ Springs Wiper Attack Targeting Iran
https://krebsonsecurity.com/2026/03/canisterworm-springs-wiper-attack-targeting-iran/
#InternetComputerProtocol #Ne'er-Do-WellNews #ALittleSunshine #LatestWarnings #TheComingStorm #CatalinCimpanu #CharlieEriksen #AquaSecurity #CanisterWorm #Ransomware #AssafMorag #TeamPCP #Aikido #Flare #Trivy #ICP
https://winbuzzer.com/2026/03/23/trivy-breach-pushed-infostealer-via-github-actions-xcxwbn/
Trivy Breached Twice in a Month via GitHub Actions
#GitHub #GitHubActions #Cybersecurity #Malware #Cybercrime #SecurityBreach #OpenSource #Hackers #npm #Javascript #SoftwareDevelopment #CloudComputing #DataBreaches #Trivy #AquaSecurity #TeamPCP #CanisterWorm
"Cybersecurity researchers have called attention to a "massive campaign" that has systematically targeted cloud native environments to set up malicious infrastructure for follow-on exploitation.
The activity, observed around December 25, 2025, and described as "worm-driven," leveraged exposed Docker APIs, Kubernetes clusters, Ray dashboards, and Redis servers, along with the recently disclosed React2Shell (CVE-2025-55182, CVSS score: 10.0) vulnerability. The campaign has been attributed to a threat cluster known as TeamPCP (aka DeadCatx3, PCPcat, PersyPCP, and ShellForce).
TeamPCP is known to be active since at least November 2025, with the first instance of Telegram activity dating back to July 30, 2025. The TeamPCP Telegram channel currently has over 700 members, where the group publishes stolen data from diverse victims across Canada, Serbia, South Korea, the U.A.E., and the U.S. Details of the threat actor were first documented by Beelzebub in December 2025 under the name Operation PCPcat.
"The operation's goals were to build a distributed proxy and scanning infrastructure at scale, then compromise servers to exfiltrate data, deploy ransomware, conduct extortion, and mine cryptocurrency," Flare security researcher Assaf Morag said in a report published last week."
https://thehackernews.com/2026/02/teampcp-worm-exploits-cloud.html
#CyberSecurity #TeamPCP #Ransomware #CloudComputing #Cryptocurrencies