PULSE NAME
IOC - Analyzing TeamPCP’s Supply Chain Attacks: Checkmarx KICS and elementary-data in CI/CD Credential Theft
WHITE celestre 2026-05-15 Modified: 2026-05-15
21 IOCs
MEDIUM VOLUME
TeamPCP has been identified as running a coordinated campaign from March 19 through April 24, comprising at least seven distinct waves. The group finds trusted artifacts in developer toolchains, poisons the distribution channel using that project’s own infrastructure, and harvests credentials before the project’s maintainers or security monitoring catch the substitution. The targets span five programming ecosystems and three registry types.
Indicators of Compromise (6 / 21 total)