TeamPCP Supply Chain Attack: Audit Your GitHub and npm Projects
An active, multi-stage supply chain campaign is compromising GitHub Actions, npm packages, and Python tooling. Here is what happened, what to check, and how to check it.
What Happened
Trivy GitHub Actions compromised via pull_request_target exploit. CI/CD secrets exfiltrated from pipelines using Trivy for security scanning.
Compromised Trivy releases published. npm tokens harvested from every pipeline running latest Trivy.
CanisterWorm deployed across 140+ npm packages using stolen tokens. Self-propagating worm that steals npm credentials and republishes itself through victim packages. Uses decentralized ICP blockchain as C2, making takedown nearly impossible.
Checkmarx KICS GitHub Actions compromised. Same playbook: tag hijacking, credential theft, lateral movement.
LiteLLM Python package compromised on PyPI (versions 1.82.7, 1.82.8). Three-stage payload: credential harvester, Kubernetes lateral movement toolkit, persistent backdoor. The .pth variant executes on every Python interpreter startup.
Each stage of this campaign feeds the next. Credentials stolen from Trivy pipelines were used to publish CanisterWorm. Tokens harvested by CanisterWorm enabled the LiteLLM compromise. TeamPCP has stated publicly that they are partnering with other groups and that more targets are coming. This is not over.
Who Is Affected
Anyone maintaining GitHub repositories with CI/CD pipelines. Anyone using npm, pnpm, or yarn with dependencies that were updated in the March 19-26 window. Anyone using Python packages in AI/LLM tooling, particularly LiteLLM. Anyone running Trivy or Checkmarx KICS in their build pipelines.
Five Checks You Can Run Right Now
1. LiteLLM Backdoor
Versions 1.82.7 and 1.82.8 are compromised.
pip list 2>/dev/null | grep -i litellm
Bad result: litellm 1.82.7 or 1.82.8 listed
2. Malicious .pth Persistence
If this file exists, malware executes on every Python startup.
find $(python3 -c "import site; print('\n'.join(site.getsitepackages()))" 2>/dev/null) -name "litellm_init.pth" 2>/dev/null
Bad result: Any file path returned
3. CanisterWorm systemd Service
Presence confirms active infection.
systemctl --user status pgmon.service 2>/dev/null; ls ~/.config/systemd/user/pgmon.service 2>/dev/null
Bad result: Service exists or file found
4. Unpinned GitHub Actions
Any third-party action using a tag instead of a commit SHA is vulnerable to the same tag hijacking used against Trivy.
grep -rn "uses:" .github/workflows/ | grep -v "@[a-f0-9]\{40\}"
Bad result: Any line showing uses: action@v1 or similar tag-based reference
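A stricter version of check 4, as an added example that is not part of the original page: the one-line grep also flags local ./ actions and commented-out steps, so this function skips those, strips trailing version comments, and reports only references that lack a full 40-character commit SHA. It goes slightly beyond the page by treating docker:// references as pinned only when they carry a sha256: digest. The function names and the sample workflow are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the original page. Function names and the sample
# workflow below are constructed for illustration.

# Print "file:line: ref" for each uses: reference that is neither a local
# action nor pinned to a full commit SHA (or, for docker://, an image digest).
unpinned_actions() {
  find "${1:-.github/workflows}" -type f \( -name '*.yml' -o -name '*.yaml' \) \
    -exec awk '
      function hex(s, len) { return length(s) == len && s !~ /[^0-9a-f]/ }
      /^[ \t]*(-[ \t]*)?uses:[ \t]*/ {
        ref = $0
        sub(/^[ \t]*(-[ \t]*)?uses:[ \t]*/, "", ref)
        sub(/[ \t]*(#.*)?$/, "", ref)      # drop trailing "# v4.1.1" comment
        gsub(/["\047]/, "", ref)            # drop YAML quotes
        if (ref ~ /^\.\//) next             # local action in this repository
        n = split(ref, part, "@"); pin = part[n]
        ok = (ref ~ /^docker:/) ? (sub(/^sha256:/, "", pin) && hex(pin, 64)) : hex(pin, 40)
        if (n > 1 && ok) next               # immutable reference
        print FILENAME ":" FNR ": " ref
      }' {} + 2>/dev/null
}

# Constructed sample workflow covering each case.
write_sample() {
  mkdir -p "$1/.github/workflows"
  cat > "$1/.github/workflows/ci.yml" <<'EOF'
jobs:
  scan:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: example-org/scanner-action@v1
      - uses: "example-org/deploy@main"
      - uses: ./.github/actions/local-lint
      # - uses: example-org/disabled@v2
      - uses: example-org/short@0123456
      - uses: docker://alpine:3.19
EOF
}

# Demo on the constructed sample; lines 5, 6, 9 and 10 are reported.
tmp=$(mktemp -d) && write_sample "$tmp"
unpinned_actions "$tmp/.github/workflows"
rm -rf "$tmp"
```

Run `unpinned_actions` with no argument from a repository root to check its own .github/workflows directory; empty output means every third-party reference is pinned.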
5. Compromised npm Packages
Known CanisterWorm scopes.
grep -iE "@emilgroup|@opengov|@teale.io|@airtm|@pypestream" pnpm-lock.yaml package-lock.json 2>/dev/null
Bad result: Any matches in lockfiles
If You Find Something
Stop using the compromised machine for credential rotation.
Rotate all secrets from a clean device: GitHub tokens, npm tokens, PyPI tokens, SSH keys, cloud credentials, CI/CD secrets, API keys.
Delete node_modules, clear caches, reinstall from lockfile only.
Pin all GitHub Actions to full commit SHA.
Remove or replace Trivy and Checkmarx actions.
Full Audit Prompt
We built a comprehensive 6-phase audit prompt that covers GitHub Actions workflow security, npm dependency scanning, Python environment auditing, host-level infection indicators, and remediation. It is designed to be run through Claude Code or any AI coding assistant with shell access. It runs from your home directory and audits every repository on your machine.
These files are plain Markdown. No login required. No tracking. Share them.
Arctyra's Security by Design practice helps organizations audit supply chain exposure, harden CI/CD pipelines, and build security architecture that accounts for this class of threat.