One Actor, Three Supply Chains: How TeamPCP Chained Trivy, LiteLLM, and Telnyx Into a Single Kill Chain

On March 19, someone poisoned 76 of 77 release tags in Aqua Security's Trivy-Action GitHub repository. The credential stealer ran silently inside CI/CD pipelines — the security scanner stealing secrets from the infrastructure it was trusted to protect.

Five days later, malicious versions of LiteLLM appeared on PyPI. Same actor. Different package. Same technique: harvest environment variables, .env files, and shell histories from every machine that imported the package.

Three days after that, two unauthorized versions of the Telnyx Python SDK landed on PyPI — v4.87.1 and v4.87.2. The malicious code was hidden inside a .WAV file. Steganography. The creds used to publish the Telnyx packages? Stolen from the LiteLLM compromise.

Three supply chain attacks. One actor. One continuous kill chain. Meet TeamPCP.

The Chain

Most supply chain attacks are isolated. Someone compromises a package, steals what they can, moves on. TeamPCP doesn't work that way. They chain.

Link 1 — Trivy-Action (March 19). 76 of 77 release tags re-pointed to malicious commits. Anyone running aquasecurity/[email protected] in their CI/CD pulled a credential stealer instead of a vulnerability scanner. Exposure window: 3-12 hours. The stealer harvested CI/CD secrets, environment variables, and deployment tokens from thousands of pipelines. Microsoft published detection guidance. CrowdStrike wrote it up. CISA added CVE-2026-33634 to the KEV catalog.

But nobody asked the next question: what did TeamPCP do with those stolen credentials?

Link 2 — LiteLLM (March 24). LiteLLM is an open-source LLM proxy — a single interface to GPT-4, Claude, Gemini, Mistral, and dozens of other models. It runs in production AI pipelines everywhere. TeamPCP compromised the maintainer's PyPI account and published backdoored versions. The harvester swept environment variables, .env files, and shell histories from every system that imported the package.

Datadog Security Labs connected Trivy and LiteLLM to the same actor. But again — nobody asked what TeamPCP harvested from LiteLLM users specifically.

Link 3 — Telnyx (March 27). Telnyx is a cloud communications API — voice, SMS, fax, SIP. 700,000 downloads per month on PyPI. TeamPCP published two malicious versions that concealed credential harvesting inside a .WAV audio file. Steganography — the payload looked like audio data.

Here's the kill shot: Akamai, OX Security, and Aikido all independently confirmed that the PyPI token used to publish the malicious Telnyx packages was stolen from the LiteLLM compromise. A developer or CI pipeline had both LiteLLM and access to the Telnyx PyPI token. When LiteLLM harvested their environment, TeamPCP got the keys to Telnyx.

Trivy credentials → LiteLLM maintainer access
    → LiteLLM credentials → Telnyx PyPI token
        → Telnyx credentials → [???]

The chain doesn't stop at three. It stops when the stolen credentials run out of high-value targets. We don't know what they harvested from Telnyx users yet.

The Campaign, Not the Incident

Every vendor covered their piece. CrowdStrike wrote about Trivy. Datadog wrote about LiteLLM. Akamai wrote about Telnyx. Each article treats the attack as a discrete incident. But discrete incidents don't steal credentials from package A and use them to compromise package B three days later.

This is a campaign. TeamPCP's playbook:

1. Compromise a widely-used package via stolen maintainer credentials or tag manipulation

2. Harvest everything — env vars, .env files, shell history, PyPI/npm tokens, cloud credentials

3. Search the harvest for tokens that grant publish access to other packages (they literally used trufflehog — a security tool — to search stolen data for more credentials)

4. Use those tokens to compromise the next package

5. Repeat

The operational tempo is 3-5 days between links. The target selection is strategic: Trivy (security teams), LiteLLM (AI teams), Telnyx (communications infrastructure). Each link expands the credential pool. Each expansion enables the next link.

The .WAV File

The Telnyx payload deserves its own paragraph because it's genuinely clever. The malicious code in telnyx/_client.py downloads what appears to be a .WAV audio file. Inside that file, encoded as audio samples, is the actual credential harvester. The harvester targets Windows, Linux, and macOS.

Steganography in supply chain attacks is rare. Most malware authors don't bother hiding the payload — they rely on the trust relationship with the package registry to avoid scrutiny. TeamPCP hid theirs inside audio data. That's paranoia-grade tradecraft from a group that expects security researchers to be looking.

The GitHub Problem

While TeamPCP's malicious packages were removed from PyPI within hours, the payloads live on — hosted openly on GitHub.

We found two repositories created in the last 48 hours hosting the actual Axios supply chain RAT components:

pakaremon/plain-crypto-js — Created April 1, 2026. Contains the complete plain-crypto-js-4.2.1.tgz malicious package (87KB) that was the RAT dropper in the Axios attack. No description. Zero stars. Hosted alongside a legitimate crypto-js fork as cover. The .tgz file is the exact artifact that was distributed to millions of npm installations.

Draco1js/plain-crypto-js-RATs — "The original client side files for the Axios RAT." Contains password-protected ZIP archives of all three platform-specific payloads:

Password-protecting malware samples and labeling them "for research" is the fig leaf. These are functional RAT payloads on a public hosting platform with no access control beyond a password that's probably in the README or a neighboring file.

This is Pattern 38.5 — the malware rehosting problem. The original attack vector gets pulled from the package registry, but the payloads redistribute through GitHub under the cover of security research. A developer searching for "plain-crypto-js" to understand if they're affected could end up downloading the actual malware from a research repo.

What's Next in the Chain

TeamPCP's credential pool is still growing. Every LiteLLM installation that ran the malicious version between March 24-27 potentially leaked:

• PyPI tokens (used to compromise Telnyx)

• npm tokens (used to... what?)

• AWS/Azure/GCP credentials

• OpenAI/Anthropic/Google AI API keys

• Stripe, Twilio, SendGrid, and other service tokens

LiteLLM runs in AI production pipelines. These pipelines have access to everything. The question isn't whether TeamPCP has more tokens — it's which package registry they'll hit next.

We're tracking this as Pattern 38, instance 16. The Axios attack (instance 14) and the Trivy attack (instance 15) are related but separate campaigns. TeamPCP is the first actor we've documented running a multi-link supply chain campaign where each compromise funds the next.

IOCs

All TeamPCP and Axios supply chain IOCs are indexed in our STIX feed. If you're a consumer, they're already in your next pull.

• Malicious packages: telnyx==4.87.1, telnyx==4.87.2, litellm (compromised versions)

• Trivy-Action: 76/77 release tags poisoned (CVE-2026-33634)

• TTP: Credential harvesting → package registry pivot → steganographic payloads

• C2: sfrclak[.]com / 142.11.206.73

• Malicious packages: [email protected], [email protected], [email protected]

• RAT persistence: macOS /Library/Caches/com.apple.act.mond, Windows %PROGRAMDATA%\wt.exe, Linux /tmp/ld.py

• Beacon: POST to sfrclak[.]com:8000/6202033 every 60 seconds

• pakaremon/plain-crypto-js — malicious .tgz package

• Draco1js/plain-crypto-js-RATs — platform RAT payloads

What To Do

1. Check installed versions immediately

2. Rotate every secret, token, and API key accessible from those environments

3. Audit PyPI/npm publish tokens — revoke any that were accessible during the compromise window

4. Search your credential vault for evidence of exfiltration (outbound connections to unknown hosts)

1. Enable 2FA on your registry account today

2. Revoke all long-lived access tokens

3. Use OIDC Trusted Publishers for CI/CD publishing (prevents token-based attacks)

4. Monitor your package's publish history for unauthorized versions

1. Point your SIEM at our STIX feed: analytics.dugganusa.com/api/v1/stix-feed

2. Search your network logs for the IOCs above

3. Assume your credential rotation is behind — the harvest happened days before disclosure

DugganUSA tracks supply chain attacks as Pattern 38. TeamPCP's Trivy → LiteLLM → Telnyx chain is instance 16 — the first documented multi-link campaign where each compromise funds the next. Our STIX feed carries IOCs for all 16 instances.

We found the Axios RAT payloads hosted on GitHub within 48 hours of the attack. We indexed the TeamPCP IOCs before the individual vendor reports were published. This is what a threat intelligence operation looks like at machine speed.

The chain doesn't stop when the vendor publishes a blog post. It stops when the credentials expire.

The cheapest, fastest, most accurate threat feed on the internet.

275+ enterprises pulling daily. 1M+ IOCs. 17.4M indexed documents. We beat Zscaler by 43 days on NrodeCodeRAT. Starter tier $9/mo — less than any competitor’s sales demo.

Look up an IOC → · Audit your brand on AIPM → · See pricing →