In the final two weeks of March 2026, two distinct nation-state-aligned threat actors struck the developer toolchain in rapid succession, producing one of the most consequential software supply chain attack waves ever observed. Between March 19 and March 27, the actor tracked as TeamPCP — also designated UNC6780 by Google's Threat Intelligence Group and operating under aliases PCPcat, ShellForge, and DeadCatx3 — executed a cascading campaign against widely used security scanning and AI/ML developer tooling, compromising Aqua Security's Trivy vulnerability scanner, Checkmarx's KICS static analysis tool, the LiteLLM AI gateway library, and the Telnyx Python SDK, before propagating a self-replicating worm across more than 47 npm packages. Four days later, on March 31, a separate threat actor designated UNC1069 — a financially motivated, North Korea-nexus group attributed by Google's Mandiant unit — executed a targeted social engineering and supply chain compromise of the axios npm package, one of the most downloaded JavaScript libraries in the world with approximately 100 million weekly downloads, delivering the WAVESHAPER.V2 backdoor across Windows, macOS, and Linux systems.
The TeamPCP campaign is anchored by CVE-2026-33634, with a CVSS v4.0 score of 9.4 and CVSS v3.1 score of 8.8, which arose from the exploitation of an incomplete credential rotation at Aqua Security. TeamPCP force-pushed malicious commits across 76 of 77 version tags in the aquasecurity/trivy-action repository, planting an evolving credential-harvesting malware family that culminated in CanisterWorm — a cloud-native implant using Decentralized Internet Computer Protocol (ICP) canisters for censorship-resistant command-and-control. The LiteLLM compromise introduced a three-stage payload architecture with a novel persistence mechanism via a Python .pth file that executed malicious code on every Python interpreter invocation, while the Telnyx SDK compromise used WAV audio file steganography to conceal and deliver encrypted second-stage payloads. The concurrent UNC1069 Axios attack injected a malicious npm dependency (plain-crypto-js@4.2.1) into two axios patch releases through a compromised maintainer account, delivering a cross-platform remote access trojan with a 60-second C2 beacon interval. Some third-party reporting has incorrectly attributed the Axios attack to TeamPCP; the two actors have distinct infrastructure, malware families, and tradecraft, and no technical connection between the campaigns has been established by authoritative sources.
Both TeamPCP and UNC1069 represent confirmed in-the-wild exploitation. CVE-2026-33634 is listed in the CISA Known Exploited Vulnerabilities Catalog with a remediation deadline of April 9, 2026. TeamPCP has announced operational partnerships with CipherForce and Vect ransomware groups, signaling that the estimated 300 GB of credentials and 500,000 machine compromise is being actively monetized through follow-on ransomware intrusions. The Axios attack exposed every environment that installed the malicious package during its approximately three-hour live window on March 31, and any system affected should be treated as fully compromised regardless of whether active C2 communication was observed.
CVE-2026-33634, with a CVSS v4.0 score of 9.4 (CRITICAL) and CVSS v3.1 score of 8.8 (HIGH), is classified under CWE-506 (Embedded Malicious Code) and constitutes the primary supply chain vulnerability in the TeamPCP campaign. On March 19, 2026, TeamPCP leveraged credentials associated with Aqua Security's aqua-bot automation account — obtained through an incomplete credential rotation following a minor breach in late February — to force-push malicious commits across 76 of 77 version tags in aquasecurity/trivy-action, all 7 tags in aquasecurity/setup-trivy, and to publish malicious Docker Hub images tagged v0.69.5 and v0.69.6. Any CI/CD pipeline that pinned a mutable version tag and ran during the exposure window executed the TeamPCP Cloud Stealer payload. The malware evolved through three generations: version 1, a 150-line bash script that harvested cloud credentials via AWS/GCP/Azure IMDS bypass and read process memory directly from /proc/pid/mem to circumvent GitHub secret masking; version 2, a 15-line bash loader that downloaded a Python second stage (kube.py) with self-deletion capability; and version 3 (CanisterWorm), a self-replicating cloud-native implant that used ICP canisters for censorship-resistant C2, masqueraded as systemd and pgmon, and carried a destructive Kubernetes wiper component. Fixed releases: trivy-action 0.35.0 or later, setup-trivy 0.2.6 or later.
Following the Trivy compromise, TeamPCP used stolen GitHub Personal Access Tokens to propagate to Checkmarx's KICS GitHub Action (March 21) and to LiteLLM versions 1.82.7 and 1.82.8 on PyPI (March 23). The LiteLLM attack introduced a sophisticated three-stage payload: a Stage 1 orchestrator encrypting harvested credentials with AES-256-CBC plus RSA-4096 OAEP key wrapping and exfiltrating them to models.litellm.cloud as tpcp.tar.gz; a 332-line Stage 2 credential harvester collecting SSH keys, cloud credentials, Kubernetes secrets, .env files, database configs, shell histories, /etc/passwd, and /etc/shadow, and deploying privileged Kubernetes pods named node-setup-{node_name} to every cluster node via kube-system with hostPID, hostNetwork, and full host filesystem access; and a Stage 3 persistence backdoor installed as ~/.config/sysmon/sysmon.py with a systemd service (sysmon.service) polling checkmarx.zone/raw every 50 minutes with a kill switch triggered by "youtube.com" in the server response. Version 1.82.8 additionally planted litellm_init.pth (34,628 bytes; SHA256: 71e35aef03099cd1f2d6446734273025a163597de93912df321ef118bf135238) in Python site-packages, ensuring payload execution on every Python interpreter invocation. The Telnyx SDK compromise (versions 4.87.1 and 4.87.2, March 27) used WAV audio steganography to conceal encrypted second-stage payloads within hangup.wav (Windows) and ringtone.wav (Linux). Using the Nord Stream GitHub Actions exploitation tool, TeamPCP also created malicious workflows, deleted execution logs, and propagated CanisterWorm to 47+ npm packages within @emilgroup, @opengov, and @v7 namespaces in a 60-second propagation window.
CVE-2025-55182, with a CVSS v3.1 score of 10.0 (CRITICAL), is a pre-authentication remote code execution vulnerability in React Server Components affecting versions 19.0.0 through 19.2.0, exploited by TeamPCP as a complementary initial access vector. Applications using React Server Components are vulnerable even without explicitly implemented Server Function endpoints. Fixed versions (React 19.0.1, 19.1.2, 19.2.1) were released in December 2025 and the CVE is listed in the CISA KEV Catalog with a December 12, 2025, compliance deadline.
The Axios npm attack, associated with GitHub Advisory GHSA-2x9r-6wxq-hrr7 (CWE-506, no CVE assigned), was executed by UNC1069, a North Korea-nexus actor linked to the Lazarus Group using the WAVESHAPER backdoor family. The attacker conducted a multi-week social engineering campaign against an axios maintainer, deploying a RAT to gain persistent system access that bypassed npm two-factor authentication. On March 31, 2026, the attacker published axios@1.14.1 and axios@0.30.4, injecting a dependency on plain-crypto-js@4.2.1 whose npm postinstall hook fetched and executed platform-specific WAVESHAPER.V2 payloads from sfrclak[.]com:8000. The macOS variant is classified as NukeSped by four independent antivirus engines, a malware family exclusively attributed to the Lazarus Group. Both malicious versions were live for approximately three hours. Safe downgrade targets: axios@1.14.0 (1.x users) or axios@0.30.3 (0.x users).
Organizations running CI/CD pipelines that consumed affected Trivy or KICS GitHub Actions between March 19-27, or that installed LiteLLM 1.82.7/1.82.8 or Telnyx Python SDK 4.87.1/4.87.2, face a high likelihood of complete cloud credential exfiltration including AWS, GCP, and Azure credentials, Kubernetes service account tokens, SSH private keys, LLM API keys, and production secrets. The LiteLLM Kubernetes lateral movement mechanism — privileged pods deployed to every node via kube-system with full host filesystem access — means organizations may retain persistent backdoors at the cluster layer even after removing the malicious packages. The sysmon.service persistence backdoor polling checkmarx.zone/raw every 50 minutes represents an active access channel on any unremediated Linux system. TeamPCP's ransomware partnerships with CipherForce and Vect substantially increase the probability of follow-on destructive attacks. Organizations that installed axios@1.14.1 or axios@0.30.4 should treat those systems as fully compromised; the WAVESHAPER.V2 RAT provides arbitrary command execution across all major platforms, and the macOS NukeSped variant — while lacking boot persistence — may have exfiltrated secrets during its live window.
From a compliance and regulatory perspective, both attacks trigger breach notification obligations under GDPR, CCPA, HIPAA, and equivalent frameworks for organizations whose systems processed regulated data in affected environments. The CISA KEV deadline of April 9, 2026, for CVE-2026-33634 creates a hard compliance checkpoint for federal agencies and contractors. Organizations operating under NIST SP 800-53 (SA-12, SR-4), FedRAMP, or CMMC must document remediation of the CI/CD pipeline compromise class exploited in these attacks. The Axios attack's scope — affecting 174,000 npm-dependent packages — requires supply chain risk management frameworks to account for social engineering against package maintainers, a vector that bypasses all technical repository controls.
Organizations should immediately take the following actions to address exposure from both campaigns.
1. For the TeamPCP campaign: rotate all secrets, API keys, cloud credentials, PATs, and Kubernetes service account tokens accessible to any CI/CD environment that may have run Trivy, KICS, LiteLLM 1.82.7/1.82.8, or Telnyx Python SDK 4.87.1/4.87.2 between March 19-27, 2026; update trivy-action to 0.35.0 or later and setup-trivy to 0.2.6 or later; remove affected LiteLLM and Telnyx versions; scan Python site-packages for litellm_init.pth or any unexpected .pth files; audit Kubernetes kube-system namespace for node-setup-{node_name} pods and check for the sysmon.py persistence backdoor at ~/.config/sysmon/ and the associated sysmon.service systemd unit.
2. For the Axios attack: downgrade to axios@1.14.0 or axios@0.30.3; remove plain-crypto-js from all environments; check for WAVESHAPER.V2 artifacts (macOS: /Library/Caches/com.apple.act.mond; Windows: %PROGRAMDATA%\wt.exe, system.bat; Linux: /tmp/ld.py); review network logs for connections to sfrclak[.]com or 142.11.206.73 on port 8000 during March 31; rotate all credentials from CI/CD environments that installed affected axios versions.
3. Block or alert on all TeamPCP C2 infrastructure: scan.aquasecurtiy[.]org, checkmarx[.]zone (including /raw endpoint), models.litellm[.]cloud, tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0[.]io, and the five Cloudflare tunnel subdomains (championships-peoples-point-cassette, create-sensitivity-grad-sequence, investigation-launches-hearings-copying, plug-tab-protective-relay, souls-entire-defined-routes at .trycloudflare.com); block the UNC1069 C2 at sfrclak[.]com.
4. Upgrade React and react-server-dom packages to patched versions (19.0.1, 19.1.2, or 19.2.1) and apply corresponding Next.js updates to remediate CVE-2025-55182.
5. Harden CI/CD pipeline design by replacing mutable GitHub Actions version tags with immutable full commit SHA pinning, adopting OIDC-based short-lived cloud credentials in place of long-lived PATs and static keys, enforcing npm package lock integrity verification in pipelines, and implementing mandatory hardware token MFA for all npm and PyPI maintainer publishing accounts.
1898 & Co. actively monitors the software supply chain threat landscape and maintains intelligence coverage across developer tooling ecosystems, CI/CD pipeline infrastructure, and cloud-native environments. Our team tracked the TeamPCP campaign from the initial Trivy compromise through its multi-stage propagation and was positioned to identify the concurrent UNC1069 Axios attack as a separate supply chain risk event requiring independent remediation tracks for affected organizations.
1898 & Co. provides supply chain security assessments, CI/CD pipeline hardening engagements, and cloud identity posture reviews designed to eliminate the mutable tag references, long-lived PATs, and overprivileged CI identities that TeamPCP exploited, as well as maintainer account security programs that address the social engineering vectors used by UNC1069. Our incident response practice maintains specific playbooks for multi-actor supply chain compromise scenarios and for the credential rotation and persistence remediation required following both the TeamPCP and Axios attack chains.
1898 & Co. has supported critical infrastructure and enterprise clients through multiple high-impact supply chain incidents and brings forensic expertise in both the cloud credential compromise patterns characteristic of TeamPCP and the RAT-based developer workstation intrusion technique used by UNC1069. We remain available to assist organizations in scoping exposure, executing remediation, and implementing the architectural controls necessary to prevent recurrence of this class of attack.
1. GitHub Security Advisory — GHSA-69fq-xp46-6x23 (Trivy Supply Chain Compromise, CVE-2026-33634)
4. CISA Known Exploited Vulnerabilities Catalog
5. Cyber Security Agency of Singapore Advisory AD-2026-002 — Axios npm Supply Chain Compromise