
CVE-2026-33634 et al.: TeamPCP Supply Chain Attack — Cloud Credential Theft at Scale (July 2026)
CVE-2026-33634 et al. — TeamPCP Supply Chain Attack
CVE-2026-33634, CVE-2026-48027, CVE-2026-45321, and CVE-2025-55182 are critical vulnerabilities exploited in active supply chain attacks by the TeamPCP group. These CVEs enable attackers to inject malicious payloads into widely used developer and security tools, resulting in mass theft of cloud credentials (AWS, GCP, Azure), SSH keys, and Kubernetes secrets. The vulnerabilities are being actively exploited in the wild as of July 2026, with no official patch timeline announced.
Attack Vector
TeamPCP compromised legitimate software packages integral to CI/CD pipelines and security workflows by injecting malicious code and distributing trojanized versions. Organizations that installed or updated affected tools unknowingly executed malware, which exfiltrated sensitive credentials to attacker-controlled infrastructure. Key indicators of compromise include outbound connections to IPs such as 83.142.209.11, 45.148.10.212, and domains like checkmarx.zone, models.litellm.cloud, git-tanstack.com, and recv.hackmoltrepeat.com. Malicious GitHub repositories (tpcp-docs, docs-tpcp) were used to propagate the attack. Four distinct malware families were deployed, enabling credential theft and subsequent extortion via public data leaks.
Who Is at Risk
Any organization using compromised developer tools—particularly those integrated into CI/CD pipelines or security automation workflows—is at risk. The full list of affected tools is not public, but evidence points to widespread impact across multiple organizations relying on popular open-source and commercial development utilities. No specific vendors or products have been officially named; all users of recently updated developer/security tools should assume exposure until proven otherwise.
Patch & Mitigate
- Patch: No official patches or hotfixes are available as of July 2, 2026. Monitor vendor advisories and apply updates immediately upon release.
- Workaround: Audit all developer and security tool installations for unauthorized changes. Revert to known-good versions where possible. Rotate all cloud provider credentials, SSH keys, and Kubernetes secrets immediately.
- Detect: Review logs for anomalous outbound traffic to listed IOCs (IPs and domains). Investigate any connections to suspicious GitHub repositories or unexpected file hashes. Monitor for unauthorized access or privilege escalation in cloud environments.
MITRE ATT&CK
- TA0009 — Collection: Attackers harvested cloud credentials, SSH keys, and Kubernetes secrets from compromised environments.
- TA0006 — Credential Access: Malicious code extracted authentication material directly from developer tools and CI/CD systems.
- TA0008 — Lateral Movement: Stolen credentials enabled attackers to pivot within cloud and hybrid environments.
Start Your 14-Day Free Trial
Get curated cyber intelligence delivered to your inbox every morning at 6 AM. No credit card required.
Get Started Free

