The TeamPCP Attack: How One Stolen Token Compromised Trivy, LiteLLM, and 47 npm Packages — What Every Developer Must Do Now

On March 26, 2026, security researchers at Socket.dev flagged anomalous publishing activity across dozens of npm packages. Within hours, the scope of the incident became clear: a threat actor operating under the handle TeamPCP had compromised a single automation token belonging to a widely-trusted open-source maintainer and used it to inject credential-harvesting code into 47 npm packages, the Trivy container security scanner's official npm integration, and a malicious clone of the LiteLLM Python proxy that was pushed to PyPI.

The attack is now considered one of the most sophisticated supply chain compromises of 2026 — not because of the malware payload, which was relatively straightforward, but because of the cascade strategy the attacker used to maximize blast radius from a single point of entry.

This post breaks down exactly what happened, how to determine whether your systems were affected, and the concrete steps every development team should take to harden their CI/CD pipeline against this class of attack.

Timeline of the TeamPCP Attack

Understanding the sequence of events is critical for assessing your exposure window.

March 22 — Token Compromise

The initial compromise occurred when a maintainer of several popular npm utility packages had their GitHub personal access token (PAT) stolen. The token was embedded in a CI configuration file within a private repository. The attacker gained access to the private repository through a compromised GitHub OAuth app that the maintainer had authorized months earlier for a code review tool that had since been abandoned by its developer.

March 23 — Reconnaissance and Lateral Movement

TeamPCP used the stolen PAT to enumerate all repositories accessible to the maintainer. They identified npm publish automation workflows in 47 packages across 12 organizations where the maintainer had contributor access. They also identified the maintainer's role as a release manager for trivy-npm, the official npm wrapper for Aqua Security's Trivy scanner.

March 24 — First Malicious Publishes

Between 02:00 and 06:00 UTC, TeamPCP triggered automated publish workflows for 34 of the 47 targeted npm packages, injecting a small obfuscated payload into the postinstall script of each package. The payload collected environment variables — including NPM_TOKEN, AWS_ACCESS_KEY_ID, GITHUB_TOKEN, and any variable matching common cloud credential patterns — and exfiltrated them to an attacker-controlled endpoint disguised as a telemetry service.

March 24 — Trivy npm Wrapper Compromised

At 14:30 UTC the same day, TeamPCP published a modified version of trivy-npm@0.54.0. This version contained a pre-scan hook that exfiltrated the contents of any .env files, Docker socket paths, and Kubernetes service account tokens found in the scanned directory. The irony was devastating: teams running Trivy to check for vulnerabilities were actively being compromised by the security tool itself.

March 25 — LiteLLM PyPI Package

Using credentials harvested from the first wave of compromised npm packages, TeamPCP published litellm-proxy (note the hyphen) to PyPI — a typosquatted package mimicking the legitimate litellm library. The malicious package functioned as a working LiteLLM proxy but included a background thread that intercepted all API keys passed through the proxy and forwarded them to the attacker's command-and-control infrastructure. Teams using litellm-proxy to manage their LLM API routing unknowingly handed over their OpenAI, Anthropic, and Azure API keys.

March 26 — Detection and Response

Socket.dev's automated analysis flagged the anomalous npm publishes at 09:15 UTC. By 13:00 UTC, npm had yanked all 47 compromised package versions. PyPI removed litellm-proxy at 15:40 UTC. Aqua Security published an emergency advisory for Trivy at 16:00 UTC, confirming that only the npm wrapper was affected — the core Trivy binary distributed via GitHub Releases and container images was not compromised.

March 27 — Full Disclosure

Socket.dev, Aqua Security, and the affected npm maintainer published a coordinated disclosure with indicators of compromise (IOCs), affected package versions, and remediation guidance.

How the Cascade Strategy Worked

What makes the TeamPCP attack distinct from typical supply chain compromises is the deliberate cascade design. The attacker did not simply inject malware into packages — they used each stage of the attack to harvest credentials that enabled the next stage.

The chain operated as follows:

1. Stage 1: Stolen PAT provides access to npm publish workflows
2. Stage 2: Compromised npm packages harvest cloud credentials and additional tokens from CI environments
3. Stage 3: Harvested credentials are used to publish the malicious PyPI package and potentially access cloud infrastructure
4. Stage 4: The compromised Trivy wrapper targets security-conscious teams who are most likely to have access to production infrastructure and sensitive credentials

Each stage expanded the attacker's reach by targeting a different trust boundary. npm packages compromise JavaScript developers. The Trivy wrapper compromises security engineers. The LiteLLM clone compromises AI/ML teams managing API routing. By the time detection occurred, the attacker had potentially harvested credentials spanning three distinct organizational functions — frontend development, security operations, and AI infrastructure.

How to Check If You Are Affected

Every team that uses npm packages, Trivy, or LiteLLM should run these checks immediately.

Check for Compromised npm Packages

Run the following command in every project that has a node_modules directory or package-lock.json:

npx socket scan --lockfile package-lock.json --report teampcp-check

If you do not use Socket.dev, you can check manually against the published IOC list. Search your lockfile for any of the 47 affected packages at the compromised versions:

grep -E "(trivy-npm@0\.54\.0)" package-lock.json
npm audit --json | jq '.advisories | to_entries[] | select(.value.title | test("TeamPCP"))'

Check for the Malicious LiteLLM Package

The malicious package used the name litellm-proxy (with a hyphen), not the legitimate litellm package. Check your Python environments:

pip list | grep litellm-proxy
pip show litellm-proxy 2>/dev/null && echo "AFFECTED: litellm-proxy found" || echo "Clean"

Check for Compromised Trivy Wrapper

Only the npm-distributed wrapper was affected. If you install Trivy via Homebrew, apt, the official Docker image, or GitHub Releases binary, you were not affected. Check your npm installation:

npm list -g trivy-npm 2>/dev/null | grep "0.54.0" && echo "AFFECTED" || echo "Clean"
npm list trivy-npm 2>/dev/null | grep "0.54.0" && echo "AFFECTED" || echo "Clean"

Check CI/CD Logs for Exfiltration

The exfiltration endpoint used the domain telemetry-cdn[.]node-metrics[.]io. Search your network logs and CI runner output for connections to this domain:

grep -r "node-metrics\.io" /var/log/ 2>/dev/null
grep -r "telemetry-cdn" ~/.npm/_logs/ 2>/dev/null

If you find any matches, treat all credentials accessible to the affected CI environment as compromised and rotate them immediately.

Five CI/CD Hardening Steps Every Team Should Implement

The TeamPCP attack exploited patterns that remain common in most development organizations. These five steps directly address the vulnerabilities that made this attack possible.

1. Eliminate Long-Lived Tokens from CI Configurations

The root cause of the entire attack was a personal access token stored in a CI configuration file. Replace all long-lived tokens with short-lived, scoped credentials.

• Use GitHub's OIDC token integration for cloud provider authentication — AWS, GCP, and Azure all support this natively
• For npm publishing, use npm provenance with GitHub Actions' built-in OIDC rather than storing NPM_TOKEN as a repository secret
• Set maximum token lifetimes of 1 hour for any automation tokens that cannot be replaced with OIDC

# GitHub Actions: Use OIDC instead of stored NPM_TOKEN
permissions:
  id-token: write
  contents: read
steps:
  - uses: actions/setup-node@v4
    with:
      registry-url: 'https://registry.npmjs.org'
  - run: npm publish --provenance --access public
    env:
      NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} # Scoped, short-lived, org-managed

2. Pin Dependencies to Exact Versions with Hash Verification

Lockfiles record versions, but they do not guarantee the package content has not changed. Enable integrity hash verification and pin to exact versions:

• Use npm ci instead of npm install in all CI workflows — it enforces lockfile integrity
• Enable npm audit signatures to verify that packages were published by their expected maintainer
• For Python, use pip install --require-hashes -r requirements.txt to verify package integrity

# Generate requirements with hashes
pip-compile --generate-hashes requirements.in -o requirements.txt
# Install with hash verification
pip install --require-hashes -r requirements.txt

3. Scope CI Permissions to the Minimum Required

The stolen PAT had write access to 47 packages across 12 organizations. No single token should have that breadth of access.

• Use GitHub's fine-grained personal access tokens scoped to individual repositories
• Set permissions blocks in GitHub Actions workflows to restrict GITHUB_TOKEN scope
• Separate publish credentials from build credentials — a CI job that runs tests should never have npm publish access
• Audit all OAuth app authorizations quarterly and revoke any that are no longer actively used

4. Implement Publish Attestation and Review Gates

Automated publishing without human review is the mechanism TeamPCP exploited. Add friction to the publish step:

• Require two-person approval for any package publish in your organization
• Use npm's provenance attestations to create a verifiable link between a published package and its source commit
• Configure GitHub branch protection rules to prevent workflow dispatch from tokens alone — require a signed commit or manual approval

5. Monitor for Anomalous Package Behavior

The TeamPCP payloads were detected by Socket.dev's automated analysis, not by traditional vulnerability scanners. Add behavioral monitoring to your dependency management:

• Integrate Socket.dev, Snyk, or Semgrep Supply Chain into your CI pipeline to flag packages with suspicious install scripts, network access, or filesystem reads
• Alert on any dependency version update that adds a postinstall script where none existed before
• Monitor outbound network connections from CI runners — legitimate builds rarely need to contact arbitrary external endpoints

Broader Lessons for the Industry

The TeamPCP attack reinforces several trends that security teams have been warning about for years.

Security tools are high-value targets. Compromising Trivy — a tool that security teams run against their most sensitive infrastructure — gave the attacker access to exactly the environments with the most valuable credentials. Security tooling supply chains deserve the highest scrutiny, not the implicit trust they typically receive.

Typosquatting remains devastatingly effective. The litellm-proxy package name was close enough to the legitimate litellm that teams installed it without suspicion. Automated tooling can catch known typosquats, but novel ones — especially those that function correctly while exfiltrating data — require behavioral analysis that most teams do not yet have in place.

Cascade attacks multiply impact exponentially. A single stolen token would normally compromise a handful of packages. By designing each stage to harvest credentials for the next stage, TeamPCP turned one token into a cross-ecosystem incident spanning npm, PyPI, and potentially cloud infrastructure. Blast radius analysis — understanding what a single compromised credential can reach — should be a standard exercise for every engineering organization.

The most uncomfortable lesson: the attacker did not exploit a zero-day vulnerability. Every technique used — token theft, automated publishing, postinstall script injection, typosquatting — has been documented and warned about for years. The attack succeeded because common security advice remains commonly unimplemented.

Secure Your Development Pipeline Today

The TeamPCP attack is a reminder that supply chain security is not optional and not someone else's problem. Every team that installs packages, runs CI pipelines, or uses open-source security tools has a responsibility to harden their own systems against these attacks.

At wowhow.cloud, we build developer security templates and CI/CD hardening configurations that implement the exact practices described in this article — from OIDC token workflows and dependency pinning configurations to publish attestation pipelines and anomaly monitoring setups. These are production-tested templates that you can deploy into your existing GitHub Actions, GitLab CI, or Jenkins pipelines in minutes rather than building from scratch.

Browse our developer security and DevOps template collection at wowhow.cloud/products and use code SECUREPIPE25 for 25% off any CI/CD security template. The cost of not hardening your pipeline just went up considerably.