Intel Name: Analyzing TeamPCP's Supply Chain Attacks: Checkmarx KICS and elementary-data in CI/CD Credential Theft
Date of Scan: May 15, 2026
Impact: High
Summary: Security leaders now face a growing threat within the software development process. A sophisticated group known as TeamPCP has launched a targeted supply chain attack. This campaign exploits the trust we place in automated development tools. Specifically, the attackers distributed malicious packages that look like legitimate security tools, including mimics of Checkmarx KICS and elementary-data. By hiding code inside these essential tools, the actors have set a large-scale supply chain attack in motion. For executives, this incident reveals a major risk: the tools used to secure your code are now being used for credential theft and unauthorized access.
The group behind this activity is TeamPCP. Their main goal is to steal secrets and credentials from development pipelines. In today’s world, these pipelines are the core of business innovation. They manage everything from your private source code to your cloud access keys. TeamPCP is not looking for a fast payday. Their goal is long-term and strategic. By stealing administrative credentials, they can gain broad access to critical cloud and development resources. This allows them to stay inside your cloud infrastructure for a long time. They can watch your activities, steal your software, or wait for the right moment to disrupt your operations.
When a supply chain attack hits your development pipeline, the damage goes far beyond IT. For a business leader, this is a direct threat to your most valuable assets. These assets include your intellectual property and your reputation. If an attacker enters your development environment, they can see the plans for your entire digital business. They can even add hidden backdoors into your software before you sell it to customers. This could put every one of your users at risk.
Losing cloud credentials also leads to massive operational trouble. Unauthorized users in your cloud can carry out "cryptojacking," using your servers to mine digital currency at your expense. In some cases, attackers may disrupt cloud workloads, delete critical resources, or impact business operations. The damage to your brand after such a breach is often permanent. Partners and customers will doubt the safety of any product you build in a compromised environment.
To understand TeamPCP, think about a professional kitchen. A chef trusts that the ingredients from a verified vendor are safe. A supply chain attack is like a fake supplier delivering poisoned spices. Because the chef uses these spices in every meal, the entire menu becomes dangerous. This happens long before the food ever reaches a customer’s table.
In this case, TeamPCP poisoned digital ingredients. They distributed malicious packages designed to imitate trusted open-source development tools. Developers and automated systems thought they were downloading real security tools. Instead, they pulled in the “poisoned” code. Once inside your system, the code began searching for passwords and access tokens. It then sent this private data to the attackers. This method works because it bypasses normal security. Most defenses look for outside intruders, but this threat is brought inside by your own automated processes.
Gurucul provides a strong defense against TeamPCP. We focus on how users and data behave within your development lifecycle. A supply chain attack might let a bad package into your system, but that package must eventually act. It will try to do something unusual to reach its goal. Gurucul is built to find these unusual actions in real time.
We do not need to know what the “poison” looks like beforehand. Instead, we know what a healthy system looks like. If a tool suddenly tries to access cloud keys it does not need, we see it. If it starts talking to a strange server in another country, we flag it. Gurucul identifies this as a high-risk event. We look at identity, access logs, and network traffic all at once. This gives your security team a clear warning. They can stop the connection before your credentials are stolen.
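The behavioral idea described above (a build tool touching credentials it does not need and then contacting an unexpected destination) can be illustrated with a small rule run over CI runner telemetry. This is an added example, not Gurucul's code or detection logic; the event format, the constructed sample events, and the allowlist of legitimate destinations are all assumptions.

```python
import json
import re
from collections import defaultdict

# Constructed sample telemetry (not real logs): job scan-1 runs a package posing as
# the "kics" scanner that reads secrets and phones home; job scan-2 is a benign scan.
SAMPLE_EVENTS = """
{"job":"scan-1","proc":"kics","action":"read_env","target":"AWS_SECRET_ACCESS_KEY"}
{"job":"scan-1","proc":"kics","action":"read_file","target":"/home/ci/.docker/config.json"}
{"job":"scan-1","proc":"kics","action":"connect","target":"203.0.113.7:443"}
{"job":"scan-2","proc":"kics","action":"read_file","target":"/workspace/infra/main.tf"}
{"job":"scan-2","proc":"kics","action":"connect","target":"api.github.com:443"}
""".strip()

SECRET_ENV = re.compile(r"(SECRET|TOKEN|PASSWORD|API_KEY)", re.I)
SECRET_FILES = ("/.aws/credentials", "/.docker/config.json", "/.npmrc", "/.git-credentials")
# Assumed allowlist: destinations a scanner legitimately needs in this pipeline.
ALLOWED_HOSTS = {"api.github.com", "registry.npmjs.org", "pypi.org"}

def is_secret_access(ev):
    """True when the event reads credential material (env var or well-known file)."""
    if ev["action"] == "read_env":
        return bool(SECRET_ENV.search(ev["target"]))
    if ev["action"] == "read_file":
        return ev["target"].endswith(SECRET_FILES)
    return False

def find_exfil_candidates(raw_lines, allowed_hosts=ALLOWED_HOSTS):
    """Return (job, proc, secrets, hosts) for each job/process that both touched
    credential material and connected to a destination outside the allowlist."""
    secrets, hosts = defaultdict(set), defaultdict(set)
    for line in raw_lines.splitlines():
        ev = json.loads(line)
        key = (ev["job"], ev["proc"])
        if is_secret_access(ev):
            secrets[key].add(ev["target"])
        elif ev["action"] == "connect":
            host = ev["target"].rsplit(":", 1)[0]
            if host not in allowed_hosts:
                hosts[key].add(host)
    # Only the combination is flagged: reading secrets alone is normal for many tools.
    return [(job, proc, sorted(secrets[(job, proc)]), sorted(hosts[(job, proc)]))
            for (job, proc) in secrets if hosts[(job, proc)]]

if __name__ == "__main__":
    for job, proc, s, h in find_exfil_candidates(SAMPLE_EVENTS):
        print(f"HIGH RISK job={job} proc={proc} secrets={s} unexpected_hosts={h}")
```

Only scan-1 is reported: scan-2 reads project files and talks to an allowlisted host, so it never meets both conditions.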
Stopping a complex supply chain attack requires more than just basic logs. You need the advanced power of Gurucul Next-Generation SIEM. Our platform gathers data from your entire pipeline and cloud. It uses machine learning to find the small signs of credential theft. It treats every automated tool like a person and monitors its behavior. When TeamPCP tries to use your own tools against you, Gurucul sees the truth. We flag the activity as high-risk and help security teams respond before additional credentials or sensitive data are exposed.
The main goal of TeamPCP is to steal identities and access rights. Gurucul identity analytics are built to protect these targets. We continuously evaluate the risk level of accounts and identities across your environment. Our platform can automatically start security measures if an account looks compromised. This proactive approach keeps you safe. Even if an attack gets past your first defenses, the attacker is watched closely. Suspicious identity activity is continuously analyzed for indicators of compromise and abnormal behavior.
For a full technical look at the signs of this attack and the methods used, please visit the Gurucul Community.