IOC - Analyzing TeamPCP’s Supply Chain Attacks: Checkmarx KICS and elementary-data in CI/CD Credential Theft
WHITE celestre 2026-05-15 Modified: 2026-05-15
21 IOCs (medium volume)
TeamPCP has been identified as running a coordinated campaign from March 19 through April 24, comprising at least seven distinct waves. The group finds trusted artifacts in developer toolchains, poisons the distribution channel using that project’s own infrastructure, and harvests credentials before the project’s maintainers or security monitoring catches the substitution. The targets span five programming ecosystems and three registry types.
Indicators of Compromise (3 / 21 total)
TYPE INDICATOR DESCRIPTION CREATED
FileHash-MD5 d47de3772f2d61a043e7047431ef4cf4 MD5 of 24680027afadea90c7c713821e214b15cb6c922e67ac01109fb1edb3ee4741d9 2026-05-15
FileHash-MD5 e1023db24a29ab0229d99764e2c8deba MD5 of 2a6a35f06118ff7d61bfd36a5788557b695095e7c9a609b4a01956883f146f50 2026-05-15
FileHash-MD5 fb6b61447ee9f1b86067bd64b1e002b4 MD5 of 18f784b3bc9a0bcdcb1a8d7f51bc5f54323fc40cbd874119354ab609bef6e4cb 2026-05-15