
Cyber Threat Actor: TeamPCP

Actor Type: Criminal
Location: not stated
Known Incidents: 11
Profile

TeamPCP is an alias used to track a threat actor that gained public attention following a breach of Cisco’s development environment in early March 2026. The actor exploited stolen credentials obtained from a compromised Trivy vulnerability scanner to introduce a malicious GitHub Action plugin into Cisco’s continuous integration pipeline. Once the plugin was executed, the attackers exfiltrated source code from both internal and customer projects, cloned more than three hundred repositories, and extracted AWS keys that were later misused. Cisco responded by isolating affected systems, reimaging workstations, and initiating a broad credential rotation while noting that the incident was linked to ongoing supply chain concerns involving LiteLLM and Checkmarx.

The observed activity indicates that TeamPCP’s primary focus in this case was the technology sector, specifically targeting a major networking and software vendor. No geographic region or broader industry pattern is described in the available reporting, and the actor’s strategic objectives are not explicitly stated in public sources. The actions taken—stealing proprietary code, duplicating repositories, and harvesting cloud credentials—suggest an interest in acquiring valuable intellectual property and access resources, but any further characterization of motive would be speculative.

Regarding tactics, techniques, and procedures, the actor used stolen credentials as its initial access vector; the credentials came from a compromised third-party tool (the Trivy scanner) that the victim's pipeline already trusted. With that access the actor introduced a malicious GitHub Action into the build pipeline, which gave it code execution inside the CI environment once the action ran. From there it collected source code by cloning numerous repositories and harvested AWS keys, which it then used for unauthorized access to cloud resources, a credential-based pivot from the build system into the cloud account rather than classic host-to-host lateral movement. These steps reflect a supply chain-oriented approach that abuses trusted development tools and continuous integration systems to reach source code and cloud assets.
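The control a practitioner wants after reading this is a check that no third-party action can be silently swapped out in a workflow: every `uses:` reference should be pinned to a full commit SHA rather than a mutable tag or branch, and should come from an owner the organization has approved. The script below is an added example, not code from this page, from Cisco, or from the Trivy project; the workflow text, the allowlist and the action names in it are constructed for illustration. It uses a line-based regex rather than a YAML parser so it runs with the standard library alone.

```python
"""Audit GitHub Actions workflow text for third-party actions that are not
pinned to a full commit SHA or whose owner is outside an allowlist.

Added example: not the page's or any vendor's code. The workflow, owners and
action names below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Matches "uses: owner/repo[/path]@ref" (quoted or not), with or without a
# leading list dash, and stops at whitespace or a trailing comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

MUTABLE_REF = "mutable ref (tag or branch) instead of full commit SHA"
NO_REF = "no version ref at all"
UNKNOWN_OWNER = "owner not in allowlist"


@dataclass(frozen=True)
class Finding:
    line: int
    action: str
    problem: str


def parse_uses(ref):
    """Split 'owner/repo/sub@ref' into (owner, repo_path, ref).

    Returns None for local ('./') and container ('docker://') references,
    which have no GitHub owner and need a different review."""
    if ref.startswith("./") or ref.startswith("docker://"):
        return None
    target, _, version = ref.partition("@")
    owner, _, repo_path = target.partition("/")
    return owner, repo_path, version


def audit_workflow(text, allowed_owners):
    """Return one Finding per policy violation in the workflow text."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(raw)
        if not m:
            continue
        ref = m.group(1)
        parsed = parse_uses(ref)
        if parsed is None:
            continue
        owner, _repo_path, version = parsed
        if owner not in allowed_owners:
            findings.append(Finding(lineno, ref, UNKNOWN_OWNER))
        if not version:
            findings.append(Finding(lineno, ref, NO_REF))
        elif not FULL_SHA_RE.match(version):
            findings.append(Finding(lineno, ref, MUTABLE_REF))
    return findings


# Constructed sample workflow (hypothetical owners and actions, placeholder SHA).
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: example-org/scan-action@main
      - name: Lint
        uses: example-org/lint-action@v2
      - uses: unknown-vendor/deploy-action@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
"""

# Hypothetical allowlist of approved action owners.
ALLOWED_OWNERS = {"actions", "example-org"}

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW, ALLOWED_OWNERS):
        print(f"line {f.line}: {f.action}: {f.problem}")
```

Run against the sample it flags the two tag/branch-pinned actions and the one action from an unapproved owner; the SHA-pinned checkout, the local composite action and the container step pass. A full-SHA pin only closes the mutable-reference path; it does not protect against a maintainer's account being compromised and a new, malicious SHA being adopted by a later workflow change, so pair it with review of any change to `uses:` lines.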

Public attribution of TeamPCP to any state sponsor, criminal consortium, or other affiliations has not been established in the sources consulted. Consequently, no definitive statements can be made about the actor’s national allegiance or organizational ties.

The Cisco breach of March 2026 is the only operation attributed to TeamPCP that is described in the available reporting and serves as the representative example of the actor's known behavior. Further attributed incidents are counted but not detailed in that material, so this profile remains confined to the facts presented in the Cisco case.

Incidents: 11 attributed incidents (details available to members)
Sources: 0