What happened
The FBI issued FLASH-20260702-01 (July 2, 2026) warning that TeamPCP — a threat group linked to 'The Com' — has, throughout 2026, trojanized updates to widely used developer and security tools, explicitly including LiteLLM (a widely deployed open-source LLM/AI gateway), to steal cloud credentials at scale. Sophos reported (July 2) that TeamPCP has since partnered with the Vect ransomware group in what researchers call an 'unprecedented industrialized' ransomware model, combining TeamPCP's credential-harvesting reach with Vect's ransomware deployment.
Why it matters
This directly targets the AI supply chain — LiteLLM is a widely-deployed AI gateway sitting in front of many production LLM deployments — and the self-propagating Mini Shai-Hulud/Miasma worms mean a single compromised package can cascade credential theft across the npm/PyPI ecosystem that most AI/ML tooling depends on, with the stolen cloud/K8s secrets enabling downstream ransomware deployment.
Attack vector
TeamPCP compromised trusted software distribution channels, injecting malicious code into legitimate package updates (including the LiteLLM AI gateway) to install credential-stealing malware (CanisterWorm, SANDCLOCK) and self-replicating supply-chain worms (Mini Shai-Hulud and its variant Miasma) that propagate across npm and PyPI, harvesting cloud tokens (AWS/GCP/Azure), SSH keys, and Kubernetes secrets from developer and AI-pipeline environments.
Affected systems
Developer/security tooling including LiteLLM (widely-used open-source LLM gateway), Trivy, KICS, Telnyx Python SDK, and any CI/CD pipeline consuming npm/PyPI packages
Mitigation
Pin all GitHub Actions workflows to verified commit hashes; rotate all CI/CD secrets and cloud credentials; enforce a minimum package-age threshold (7+ days) before adoption; audit npm/PyPI maintainer accounts; search repos for known IOCs (e.g. 'tpcp-docs', 'docs-tpcp'); see FBI FLASH-20260702-01.