A financially motivated threat actor known as TeamPCP — also tracked internally by Trend Micro as SHADOW WATER — has been systematically poisoning trusted software development infrastructure to steal developer credentials and cloud secrets at industrial scale. The campaign, active since at least March 2026, has executed at least seven distinct attack waves, turning build pipelines, code extensions, and official package releases into credential exfiltration channels.
The Core Strategy: Weaponizing Trusted Infrastructure
What sets TeamPCP apart from conventional malware campaigns is its methodical abuse of legitimate, trusted software components. Rather than deploying traditional malware through phishing or drive-by compromises, the group identifies high-value chokepoints in the software development lifecycle — Docker images, VS Code extensions, GitHub Actions workflows, and PyPI packages — and quietly injects credential-stealing payloads into them. The result is attacks that ride inside the normal flow of build and release activity, making detection extremely difficult.
According to a Trend Micro report shared exclusively with Cyber Security News, two of the most recent and impactful cases involved Checkmarx KICS (Keep Infrastructure as Code Secure) and the Python data analytics package elementary-data. Both incidents followed distinct technical paths but converged on the same outcome: the mass theft of developer and cloud credentials.
The Checkmarx KICS Multichannel Infection
In the KICS campaign, TeamPCP achieved multichannel poisoning with remarkable precision. The attackers compromised official Checkmarx KICS Docker Hub repositories while simultaneously backdooring related VS Code and OpenVSX extensions and modifying the project’s GitHub Actions workflow files. This breadth of compromise ensured that any developer or CI runner engaging with KICS tooling through any of these channels would receive the malicious payload.
The poisoned artifacts downloaded a JavaScript stealer module that ran on top of the Bun runtime during what appeared to be a normal KICS infrastructure scan. That payload harvested GitHub personal access tokens, cloud provider credentials, SSH keys, configuration files, and shell history, then exfiltrated them over HTTPS to attacker-controlled command-and-control infrastructure.
Within roughly 48 hours of the initial KICS exposure window, the same stolen tokens allowed TeamPCP to publish a malicious Bitwarden CLI release. This secondary attack extended the group’s reach to any developer or CI environment that subsequently installed the trojanized password manager. The Bitwarden variant reused the same command-and-control domain, encryption approach, and fallback recovery mechanism — using GitHub commit search as a backup channel for resolving infrastructure details.
The elementary-data PyPI Injection
The elementary-data incident demonstrated an even simpler but arguably more dangerous attack path. An attacker-controlled account posted a crafted comment to a public pull request in the project’s GitHub repository. Critically, the project’s GitHub Actions workflow interpolated pull request event data — including comments — directly into shell commands without sanitization.
This single unsanitized comment injected a script that abused the runner’s GitHub token to forge a tagged release commit, triggering the project’s own signing pipeline. The result was a malicious Python wheel that the maintainers’ own CI signed and uploaded to PyPI and GitHub Container Registry as a legitimate release. Any organization that installed the package during this window unknowingly deployed the TeamPCP credential stealer.
The inner stealer was written in pure Python, avoiding obvious malware patterns and leaving few disk artifacts. It focused heavily on cloud and Kubernetes secrets in addition to local developer keys. In AWS environments, the stealer went beyond files on disk, making live API calls to Secrets Manager and SSM Parameter Store to dump managed secrets that never existed in local files.
What TeamPCP Steals
Across all seven observed attack waves, TeamPCP’s payloads pursued a consistent and comprehensive credential collection strategy:
- GitHub personal access tokens and repository tokens
- AWS, Azure, and GCP IAM credentials and access keys
- SSH private keys and Kubernetes service account tokens
- Database passwords and application API keys
- NPM and PyPI publishing credentials
- Cryptocurrency wallet files and seed phrases
- Cloud-managed secrets via live AWS Secrets Manager API calls
Stolen credentials have subsequently appeared in extortion activity, with a ransomware group publishing victims and data attributed to TeamPCP within weeks of collection — demonstrating that initial access brokers are either within the group or closely affiliated with it.
Indicators and Detection
Trend Micro associates multiple incidents with a single threat cluster based on shared infrastructure, a Dune-themed staging repository naming convention, and a recurring commit message marker — “Long Live The Resistance Against Machines” — appearing consistently across attack waves. The group’s administrator has posted under a TeamPCP-branded persona on underground forums, tying earlier compromises together.
Organizations that may have pulled affected Checkmarx KICS Docker tags, installed the specific VS Code or OpenVSX extensions, or installed elementary-data during its malicious window should treat those environments as fully compromised. Priority remediation steps include rotating all GitHub PATs, cloud IAM keys, SSH keys, Kubernetes tokens, and any secrets stored in environment variables or standard credential files like ~/.aws/credentials.
Hardening CI/CD Pipelines Against Trusted Abuse
Trend Micro’s analysis emphasizes that every TeamPCP entry point exploited implicit trust in CI/CD infrastructure. To reduce exposure to this class of attack, organizations should enforce the principle of least privilege so that a single compromised workflow cannot access more secrets than its role requires. Network egress controls on CI runners would have blocked exfiltration even if poisoning succeeded. Pinning all Docker image pulls to verified cryptographic digests instead of mutable tags, and auditing GitHub Actions workflows for user-controlled expressions interpolated into shell commands, are additional high-priority steps.