PULSE NAME
IOC - Analyzing TeamPCP’s Supply Chain Attacks: Checkmarx KICS and elementary-data in CI/CD Credential Theft
WHITE celestre 2026-05-15 Modified: 2026-05-15
21 IOCs
MEDIUM VOLUME
TeamPCP has been identified as running a coordinated campaign from March 19 through April 24, comprising at least seven distinct waves. The group finds trusted artifacts in developer toolchains, poisons the distribution channel using that project’s own infrastructure, and harvests credentials before the project’s maintainers or security monitoring catch the substitution. The targets span five programming ecosystems and three registry types.
Indicators of Compromise (4 / 21 total)
TYPE INDICATOR DESCRIPTION CREATED
FileHash-SHA1 250f3633529457477a9f8fd3db3472e94383606a SHA1 of 2a6a35f06118ff7d61bfd36a5788557b695095e7c9a609b4a01956883f146f50 2026-05-15
FileHash-SHA1 2b12cc5cc91ec483048abcbd6d523cdc9ebae3f3 SHA1 of 24680027afadea90c7c713821e214b15cb6c922e67ac01109fb1edb3ee4741d9 2026-05-15
FileHash-SHA1 5b5d76ae552dc13010b15f41955b6534b16bba12 SHA1 of 18f784b3bc9a0bcdcb1a8d7f51bc5f54323fc40cbd874119354ab609bef6e4cb 2026-05-15
FileHash-SHA1 b1e4b1f3aad0d489ab0e9208031c67402bbb8480 2026-05-15