Analyzing TeamPCP’s Supply Chain Attacks: Checkmarx KICS and elementary-data in CI/CD Credential Theft

    Date: 05/15/2026

    Severity: High

    Summary

    Our research examined the April 22 Checkmarx KICS and April 24 elementary-data incidents as part of a broader TeamPCP supply chain campaign involving at least seven confirmed waves. The KICS attack used multichannel poisoning across Docker Hub, VS Code/OpenVSX, and GitHub Actions, later enabling the hijack of @bitwarden/cli through stolen npm tokens. The elementary-data compromise exploited GitHub Actions script injection, allowing attackers to abuse the project’s own CI pipeline to publish malicious packages to PyPI and GHCR. The campaign is designed for large-scale credential theft, targeting GitHub PATs, npm tokens, cloud and database credentials, SSH keys, Kubernetes secrets, IaC files, developer tooling secrets, and cryptocurrency wallet keystores. The elementary-data incident also demonstrated that stolen maintainer credentials were unnecessary: a single unsanitized pull request comment was enough to turn the project’s CI pipeline into the attacker’s release channel.
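    As an added illustration (not code from the advisory, Trend Micro, or the elementary-data project), the following Python scanner flags the pattern the summary describes: a `${{ github.event.* }}` expression from a field an outside contributor controls interpolated directly into a workflow `run:` step. The two sample steps are constructed; the hardened one passes the comment through an `env:` variable so the shell only ever sees a quoted variable.

```python
import re

# Event fields an outside contributor controls; interpolating them straight into a
# `run:` step is the GitHub Actions script-injection pattern described above.
UNTRUSTED_CONTEXTS = (
    "github.event.comment.body", "github.event.issue.title", "github.event.issue.body",
    "github.event.pull_request.title", "github.event.pull_request.body",
    "github.event.pull_request.head.ref", "github.event.pull_request.head.label",
    "github.event.review.body", "github.event.review_comment.body", "github.head_ref",
)
RUN_RE = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")   # group 1 = indent of the key
EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")          # ${{ ... }} expressions

def run_blocks(workflow_text):
    """Yield (line_no, body) for every `run:` step, including YAML block scalars."""
    lines = workflow_text.splitlines()
    i = 0
    while i < len(lines):
        m = RUN_RE.match(lines[i])
        if not m:
            i += 1
            continue
        key_indent, inline = len(m.group(1)), m.group(2).strip()
        line_no, body = i + 1, ([] if inline in ("", "|", ">", "|-", ">-") else [inline])
        i += 1
        # Block-scalar content is every following line indented deeper than the key.
        while i < len(lines) and (not lines[i].strip()
                                  or len(lines[i]) - len(lines[i].lstrip()) > key_indent):
            body.append(lines[i].strip())
            i += 1
        yield line_no, "\n".join(body)

def find_injections(workflow_text):
    """Return (line_no, context) pairs where untrusted input reaches a shell step."""
    findings = []
    for line_no, body in run_blocks(workflow_text):
        for expr in EXPR_RE.findall(body):
            findings.extend((line_no, ctx) for ctx in UNTRUSTED_CONTEXTS if ctx in expr)
    return findings

# Constructed sample steps (not the project's real workflow): the first interpolates the
# comment into the shell; the second hands it over as an environment variable instead.
VULNERABLE = 'steps:\n  - run: |\n      echo "comment: ${{ github.event.comment.body }}"\n'
HARDENED = ("steps:\n  - env:\n      COMMENT: ${{ github.event.comment.body }}\n"
            '    run: echo "comment: $COMMENT"\n')

if __name__ == "__main__":
    print(find_injections(VULNERABLE))  # [(2, 'github.event.comment.body')]
    print(find_injections(HARDENED))    # []
```

Run it over every file under `.github/workflows/` in a repository to get a quick list of steps that need the `env:` treatment before a pull_request_target or issue_comment trigger can feed them.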

    Indicators of Compromise (IOC) List

    Domains/URLs:

    audit.checkmarx.cx

    https://audit.checkmarx.cx/v1/telemetry

    https://api.github.com/search/commits?q=LongLiveTheResistanceAgainstMachines

    checkmarx.zone

    igotnofriendsonlineorirl-imgonnakmslmao.skyhanni.cloud

    https://litter.catbox.moe/iqesmbhukgd2c7hq.sh

    http://169.254.169.254/latest/meta-data/iam/security-credentials/

    http://169.254.170.2

    IP Addresses:

    94.154.172.43

    83.142.209.203

    91.195.240.123

    188.114.96.3

    Hashes:


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "igotnofriendsonlineorirl-imgonnakmslmao.skyhanni.cloud" or url like "igotnofriendsonlineorirl-imgonnakmslmao.skyhanni.cloud" or siteurl like "igotnofriendsonlineorirl-imgonnakmslmao.skyhanni.cloud"
    or domainname like "https://litter.catbox.moe/iqesmbhukgd2c7hq.sh" or url like "https://litter.catbox.moe/iqesmbhukgd2c7hq.sh" or siteurl like "https://litter.catbox.moe/iqesmbhukgd2c7hq.sh"
    or domainname like "checkmarx.zone" or url like "checkmarx.zone" or siteurl like "checkmarx.zone"
    or domainname like "http://169.254.169.254/latest/meta-data/iam/security-credentials/" or url like "http://169.254.169.254/latest/meta-data/iam/security-credentials/" or siteurl like "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
    or domainname like "http://169.254.170.2" or url like "http://169.254.170.2" or siteurl like "http://169.254.170.2"
    or domainname like "audit.checkmarx.cx" or url like "audit.checkmarx.cx" or siteurl like "audit.checkmarx.cx"
    or domainname like "https://audit.checkmarx.cx/v1/telemetry" or url like "https://audit.checkmarx.cx/v1/telemetry" or siteurl like "https://audit.checkmarx.cx/v1/telemetry"
    or domainname like "https://api.github.com/search/commits?q=LongLiveTheResistanceAgainstMachines" or url like "https://api.github.com/search/commits?q=LongLiveTheResistanceAgainstMachines" or siteurl like "https://api.github.com/search/commits?q=LongLiveTheResistanceAgainstMachines"

    Detection Query 2:

    dstipaddress in ("188.114.96.3") or srcipaddress in ("188.114.96.3")

    Detection Query 3:

    sha256hash IN (
        "2a6a35f06118ff7d61bfd36a5788557b695095e7c9a609b4a01956883f146f50",
        "d37874c6c8a2d2a7a252810a1999ece8bb39e9b3ab2b7e8bf40da15bd36a1584",
        "18f784b3bc9a0bcdcb1a8d7f51bc5f54323fc40cbd874119354ab609bef6e4cb",
        "24680027afadea90c7c713821e214b15cb6c922e67ac01109fb1edb3ee4741d9",
        "8605e365edf11160aad517c7d79a3b26b62290e5072ef97b102a01ddbb343f14",
        "167ce57ef59a32a6a0ef4137785828077879092d7f83ddbc1755d6e69116e0ad",
        "2588a44890263a8185bd5d9fadb6bc9220b60245dbcbc4da35e1b62a6f8c230d",
        "222e6bfed0f3bb1937bf5e719a2342871ccd683ff1c0cb967c8e31ea58beaf7b",
        "a0d9366f6f0166dcbf92fcdc98e1a03d2e6210e8d7e8573f74d50849130651a0",
        "31ecc5939de6d24cf60c50d4ca26cf7a8c322db82a8ce4bd122ebd89cf634255",
        "b3bbfafde1a0db3a4d47e70eb0eb2ca19daef4a19410154a71abee567b35d3d9"
    )

    Detection Query 4:

    sha1hash in ("b1e4b1f3aad0d489ab0e9208031c67402bbb8480")

    Reference:

    https://www.trendmicro.com/en_us/research/26/e/analyzing-teampcp-supply-chain-attacks.html

