The FBI issued a FLASH alert on 2 July 2026 warning that a threat group called TeamPCP had compromised widely used developer and security tools to steal cloud credentials, spread malware and extort victims. The group manipulated trusted software packages and poisoned update channels to get malware into CI/CD pipelines without triggering standard security controls. Once inside a victim environment, TeamPCP extracted cloud access tokens, SSH keys and Kubernetes secrets.
The affected products named in the alert include Checkmarx KICS, the open-source infrastructure-as-code vulnerability scanner, packages distributed via the elementary-data library and content hosted on Docker Hub. Trend Micro, which published a technical breakdown of the campaign, identified the attack vector as supply chain compromise through manipulated trusted packages inserted into CI/CD toolchains.
How TeamPCP Got Into the Pipeline
The technique is not new but the targeting is precise. By compromising a vulnerability scanner that sits inside the development workflow rather than at the network perimeter, TeamPCP gained access to credentials at the moment developers use them. Checkmarx KICS is a tool that scans infrastructure code for misconfigurations. It runs with elevated permissions, often has access to environment variables, and is trusted implicitly because its job is to find problems. A poisoned version of that tool is a near-perfect credential harvester.
According to the FBI FLASH alert, TeamPCP harvested cloud access tokens, SSH keys and Kubernetes secrets from victim environments. Trend Micro’s analysis of the campaign confirms the group used manipulated packages in the elementary-data library as a secondary distribution vector, reaching development teams that had no direct connection to the Checkmarx tooling.
The FBI cited 10,000 development teams as users of the compromised vulnerability scanner. That figure comes from the FBI alert and should be read as the agency’s estimate of potential exposure, not confirmed victims. Trend Micro’s research has not independently corroborated the exact count.
Supply Chain Attacks Against Security Tooling Are a Different Category of Problem
Most supply chain attacks target application dependencies. TeamPCP went one step further and targeted the tools organizations use to check that their dependencies are safe. That is worth pausing on. If your security scanner is the threat, then running it confirms the compromise rather than detecting it.
The FBI alert notes that the group followed credential theft with extortion which distinguishes this from purely state-directed espionage. The credential extraction phase creates durable access. The extortion phase converts that access into revenue. SANS Institute described the pattern in a webcast published this week as an escalation of CI/CD pipeline targeting that the security industry has been warning about since at least 2021.
One figure in the source material deserves scrutiny. Security Affairs cites 1 million compromised GitHub developer credentials harvested by infostealers. That figure is not attributed to the FBI FLASH alert or to Trend Micro’s technical report. Until it appears in a named Tier 1 or Tier 2 source tied to this specific campaign, treat it as unverified.
Check Your CI/CD Toolchain Before You Check Anything Else
Any team running Checkmarx KICS, elementary-data packages or Docker Hub images pulled in the months before the FLASH alert should audit those environments now. The specific priority is credential rotation, cloud access tokens, SSH keys and Kubernetes secrets that were present in any environment where the compromised tooling ran should be treated as potentially stolen.
Trend Micro’s technical report includes indicators of compromise for the campaign. Cross-reference those against your pipeline logs before rotating credentials, so you can determine the scope of what was exposed rather than rotating blindly.
Pin your tool versions explicitly in CI/CD configuration and verify checksums against known-good releases. Poisoned update channels work because teams accept the latest version automatically. That default is worth changing today. Docker Hub images should be pulled from verified publishers only with digest pinning rather than tag references.
If your organization uses a managed secrets service such as HashiCorp Vault or AWS Secrets Manager, verify that the access policies on those systems restrict which CI/CD jobs can retrieve credentials and under what conditions. TeamPCP’s harvesting relied on credentials being accessible to the tooling at runtime. Least-privilege access to secrets is the architectural control that limits that exposure.
References
- TeamPCP Compromised Dev Tools to Steal Cloud Credentials
- Analyzing TeamPCP’s Supply Chain Attacks
- When the Security Scanner Became the Weapon
- Your Supply Chain Breach Is Someone Else’s Payday
This post is also available in: