Analyzing TeamPCP's Supply Chain Attacks: Checkmarx KICS and elementary-data in CI/CD Credential Theft
Trend Micro, Wednesday, May 13th, 2026
Trend Micro analyzes TeamPCP's multi-wave supply chain campaign targeting CI/CD workflows to steal credentials across multiple programming ecosystems.
Trend Micro Research examined the April 22 Checkmarx KICS and April 24 elementary-data incidents as part of TeamPCP's broader supply chain campaign spanning at least seven confirmed waves from March to April 2026.
The threat actor abused trusted CI/CD and release workflows across Docker Hub, VS Code, GitHub Actions, PyPI, and other distribution channels to steal credentials at scale, including GitHub PATs, npm tokens, cloud credentials, SSH keys, and cryptocurrency wallet keystores. The KICS attack involved sophisticated multi-channel poisoning and obfuscated payloads, while the elementary-data attack was technically simpler but more concerning, requiring only a single unsanitized pull request comment to compromise the project's release pipeline.
Organizations using GitHub Actions, PyPI, Docker Hub, and other cloud-connected CI runners face direct exposure to this risk, with the campaign demonstrating how attackers can bypass standard verification checks by leveraging legitimate project infrastructure and signing capabilities.