The TeamPCP Attack: How One Stolen Token Compromised Trivy, LiteLLM, and 47 npm Packages — What Every Developer Must Do Now

How to Check If You Are Affected

Every team that uses npm packages, Trivy, or LiteLLM should run these checks immediately.

Check for Compromised npm Packages

Run the following command in every project that has a node_modules directory or package-lock.json:

npx socket scan --lockfile package-lock.json --report teampcp-check

If you do not use Socket.dev, you can check manually against the published IOC list. Search your lockfile for any of the 47 affected packages at the compromised versions:

grep -E "(trivy-npm@0\.54\.0)" package-lock.json
npm audit --json | jq '.advisories | to_entries[] | select(.value.title | test("TeamPCP"))'

Check for the Malicious LiteLLM Package

The malicious package used the name litellm-proxy (with a hyphen), not the legitimate litellm package. Check your Python environments:

pip list | grep litellm-proxy
pip show litellm-proxy 2>/dev/null && echo "AFFECTED: litellm-proxy found" || echo "Clean"

Check for Compromised Trivy Wrapper

Only the npm-distributed wrapper was affected. If you install Trivy via Homebrew, apt, the official Docker image, or GitHub Releases binary, you were not affected. Check your npm installation:

npm list -g trivy-npm 2>/dev/null | grep "0.54.0" && echo "AFFECTED" || echo "Clean"
npm list trivy-npm 2>/dev/null | grep "0.54.0" && echo "AFFECTED" || echo "Clean"

Check CI/CD Logs for Exfiltration

The exfiltration endpoint used the domain telemetry-cdn[.]node-metrics[.]io. Search your network logs and CI runner output for connections to this domain:

grep -r "node-metrics\.io" /var/log/ 2>/dev/null
grep -r "telemetry-cdn" ~/.npm/_logs/ 2>/dev/null

If you find any matches, treat all credentials accessible to the affected CI environment as compromised and rotate them immediately.

Five CI/CD Hardening Steps Every Team Should Implement

The TeamPCP attack exploited patterns that remain common in most development organizations. These five steps directly address the vulnerabilities that made this attack possible.

1. Eliminate Long-Lived Tokens from CI Configurations

The root cause of the entire attack was a personal access token stored in a CI configuration file. Replace all long-lived tokens with short-lived, scoped credentials.

• Use GitHub’s OIDC token integration for cloud provider authentication — AWS, GCP, and Azure all support this natively
• For npm publishing, use npm provenance with GitHub Actions’ built-in OIDC rather than storing NPM_TOKEN as a repository secret
• Set maximum token lifetimes of 1 hour for any automation tokens that cannot be replaced with OIDC

# GitHub Actions: Use OIDC instead of stored NPM_TOKEN
permissions:
  id-token: write
  contents: read
steps:
  - uses: actions/setup-node@v4
    with:
      registry-url: 'https://registry.npmjs.org'
  - run: npm publish --provenance --access public
    env:
      NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} # Scoped, short-lived, org-managed

2. Pin Dependencies to Exact Versions with Hash Verification

Lockfiles record versions, but they do not guarantee the package content has not changed. Enable integrity hash verification and pin to exact versions:

• Use npm ci instead of npm install in all CI workflows — it enforces lockfile integrity
• Enable npm audit signatures to verify that packages were published by their expected maintainer
• For Python, use pip install --require-hashes -r requirements.txt to verify package integrity

# Generate requirements with hashes
pip-compile --generate-hashes requirements.in -o requirements.txt
# Install with hash verification
pip install --require-hashes -r requirements.txt

3. Scope CI Permissions to the Minimum Required

The stolen PAT had write access to 47 packages across 12 organizations. No single token should have that breadth of access.

• Use GitHub’s fine-grained personal access tokens scoped to individual repositories
• Set permissions blocks in GitHub Actions workflows to restrict GITHUB_TOKEN scope
• Separate publish credentials from build credentials — a CI job that runs tests should never have npm publish access
• Audit all OAuth app authorizations quarterly and revoke any that are no longer actively used

4. Implement Publish Attestation and Review Gates

Automated publishing without human review is the mechanism TeamPCP exploited. Add friction to the publish step:

• Require two-person approval for any package publish in your organization
• Use npm’s provenance attestations to create a verifiable link between a published package and its source commit
• Configure GitHub branch protection rules to prevent workflow dispatch from tokens alone — require a signed commit or manual approval

5. Monitor for Anomalous Package Behavior

The TeamPCP payloads were detected by Socket.dev’s automated analysis, not by traditional vulnerability scanners. Add behavioral monitoring to your dependency management:

• Integrate Socket.dev, Snyk, or Semgrep Supply Chain into your CI pipeline to flag packages with suspicious install scripts, network access, or filesystem reads
• Alert on any dependency version update that adds a postinstall script where none existed before
• Monitor outbound network connections from CI runners — legitimate builds rarely need to contact arbitrary external endpoints

Broader Lessons for the Industry

The TeamPCP attack reinforces several trends that security teams have been warning about for years.

Security tools are high-value targets. Compromising Trivy — a tool that security teams run against their most sensitive infrastructure — gave the attacker access to exactly the environments with the most valuable credentials. Security tooling supply chains deserve the highest scrutiny, not the implicit trust they typically receive.

Typosquatting remains devastatingly effective. The litellm-proxy package name was close enough to the legitimate litellm that teams installed it without suspicion. Automated tooling can catch known typosquats, but novel ones — especially those that function correctly while exfiltrating data — require behavioral analysis that most teams do not yet have in place.

Cascade attacks multiply impact exponentially. A single stolen token would normally compromise a handful of packages. By designing each stage to harvest credentials for the next stage, TeamPCP turned one token into a cross-ecosystem incident spanning npm, PyPI, and potentially cloud infrastructure. Blast radius analysis — understanding what a single compromised credential can reach — should be a standard exercise for every engineering organization.

The most uncomfortable lesson: the attacker did not exploit a zero-day vulnerability. Every technique used — token theft, automated publishing, postinstall script injection, typosquatting — has been documented and warned about for years. The attack succeeded because common security advice remains commonly unimplemented.

Secure Your Development Pipeline Today

The TeamPCP attack is a reminder that supply chain security is not optional and not someone else’s problem. Every team that installs packages, runs CI pipelines, or uses open-source security tools has a responsibility to harden their own systems against these attacks.

At wowhow.cloud, we build developer security templates and CI/CD hardening configurations that implement the exact practices described in this article — from OIDC token workflows and dependency pinning configurations to publish attestation pipelines and anomaly monitoring setups. These are production-tested templates that you can deploy into your existing GitHub Actions, GitLab CI, or Jenkins pipelines in minutes rather than building from scratch.

Browse our developer security and DevOps template collection at wowhow.cloud/products and use code SECUREPIPE25 for 25% off any CI/CD security template. The cost of not hardening your pipeline just went up considerably.