Summary
Key Points:
- TeamPCP, a threat group, executed a multi-stage supply chain attack targeting widely used security tools, including Aqua Security Trivy and Checkmarx KICS, injecting malicious payloads into CI/CD pipelines.
- The attack has compromised over 500,000 machines and exfiltrated more than 300 GB of sensitive data, including cloud tokens and Kubernetes secrets, posing significant risks to major organizations.
- Immediate actions include auditing CI/CD pipelines, GitHub Personal Access Tokens (PATs), and cloud provider credentials to mitigate risks associated with these supply chain threats.
Technical Details: The attacks involved exploiting vulnerabilities in open-source tools and using techniques such as credential harvesting via scripts that bypassed security measures. Notably, the React2Shell vulnerability (CVE-2025-55182) was leveraged for initial access.
MITRE ATT&CK Techniques:
- T1078 - Valid Accounts (Defense Evasion)
- T1190 - Exploit Public-Facing Application (Initial Access)
- T1059.001 - Command and Scripting Interpreter: PowerShell (Execution)
- T1021.007 - Remote Services: Remote API (Lateral Movement)
- T1041 - Exfiltration Over Command and Control Channel (Exfiltration)
IOCs Mentioned:
- IP Addresses: 23.142.184[.]129, 45.148.10[.]212, 63.251.162[.]11
- Domains: checkmarx[.]zone, models.litellm[.]cloud, scan.aquasecurtiy[.]org
This summary provides actionable intelligence on the recent TeamPCP supply chain attacks and outlines necessary mitigations for affected organizations.
Join the discussion — sign up to comment, upvote, and save articles.