TeamPCP Supply Chain Attacks Target Docker Hub, PyPI, and VS Code
- [01] Immediate impact: Malicious code injection across major open-source repositories threatens developer environments and production CI/CD pipelines.
- [02] Affected systems: Docker Hub images, VS Code extensions, NPM packages, and PyPI libraries are targeted through repository and tag manipulation.
- [03] Remediation: Organizations must implement cryptographic verification for all external dependencies and strictly monitor GitHub Action tag changes.
Recent research into the supply chain attack landscape reveals an aggressive expansion by the threat actor group known as TeamPCP. Initially identified for targeting GitHub Action tags—specifically those associated with the security scanner Trivy—the group has since diversified its TTPs to encompass a broad array of open-source software (OSS) platforms. According to SecurityWeek, this campaign now involves the distribution of malicious payloads through Docker Hub, the VS Code Marketplace, NPM, and PyPI.
Analyzing TeamPCP Supply Chain Attack Methods
The initial phase of the campaign focused on compromising GitHub Action tags. By moving the version tags of popular actions, the attackers could ensure that any CI/CD pipeline pulling that tag would execute malicious code. This method is particularly effective because many organizations rely on “floating” tags (e.g., @v1) rather than pinning to a specific commit hash. This weakness allows malicious code to be introduced silently into the build process without immediate detection.
The shift toward platforms like Docker Hub and PyPI indicates a move toward opportunistic tactics designed to maximize the footprint of their C2 infrastructure. By uploading malicious Docker images or Python packages that mimic popular utilities, TeamPCP exploits the trust inherent in the OSS community. Organizations often assume that packages from reputable-sounding developers or those with high download counts are inherently safe, which is a premise TeamPCP actively exploits.
Securing VS Code Extensions and Docker Hub Images
Defenders must adapt their security posture to address these multi-platform threats. To detect TeamPCP supply chain attack activity, security teams should prioritize the auditing of third-party extensions and container images. In the VS Code Marketplace, attackers often use “typosquatting” or masquerade as legitimate developers to trick users into installing backdoored extensions. These extensions can then be used to steal credentials or gain access to the developer’s underlying machine.
Similarly, Docker Hub images can contain malicious layers that execute during the image build or at container runtime. Organizations should implement image scanning as part of their SOC procedures and only pull from verified publishers or private registries. Standardizing on internal, hardened base images rather than pulling directly from public repositories significantly reduces the attack surface available to groups like TeamPCP.
Collaboration with Lapsus$ Group
One of the most concerning developments in this campaign is the reported collaboration between TeamPCP and the Lapsus$ group. Lapsus$ is notorious for its high-profile data breaches and extortion tactics. This partnership suggests that TeamPCP may be providing initial access or infrastructure, while Lapsus$ focuses on data exfiltration or more destructive operations.
The integration of Lapsus$ tactics could lead to more sophisticated social engineering or the use of compromised credentials to gain administrative access to repository accounts. This highlights the need for a Zero Trust architecture where repository access is strictly governed and monitored. No single user or service should have unverified permission to alter production-level library tags or image repositories.
GitHub Action Tag Manipulation Defense
To mitigate the risk of tag manipulation, organizations must enforce policies that require pinning GitHub Actions to specific SHA-1 commit hashes. While tags can be moved by repository owners (or by attackers who have compromised the owner’s account), a commit hash is immutable. This is the primary GitHub Action tag manipulation defense available to developers today.
Furthermore, automated dependency management tools should be configured to alert on any unexpected changes in the source repository. Monitoring for changes in the version tags of critical tools like Trivy is essential for maintaining the integrity of the security scanning process itself. If the scanner itself is compromised, the results of all subsequent security checks become untrustworthy.
Recommended Mitigations
- Pin Dependencies: Always use SHA-1 hashes for GitHub Actions and specific versions or hashes for Docker images and NPM/PyPI packages.
- Audit Extensions: Limit the installation of VS Code extensions to a pre-approved list and monitor for unauthorized additions to developer environments.
- Registry Verification: Use private registries for container images and package hosting to ensure a controlled and scanned entry point.
- Multi-Factor Authentication: Enforce MFA for all accounts with publishing rights to public repositories to prevent account takeovers that facilitate supply chain compromises.
By focusing on these technical controls, organizations can reduce their exposure to TeamPCP’s evolving campaign and ensure the reliability of their development pipelines.
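To make the pinning recommendations concrete, here is an added Python audit script (not from the article or any vendor tool) that flags `uses:` references in a GitHub Actions workflow that are not pinned to a 40-hex commit SHA, and `FROM` lines in a Dockerfile that are not pinned to an immutable `@sha256:` digest. The workflow and Dockerfile fragments, the `example-org` action names, and the hash values are constructed samples.

```python
import re

# Constructed sample workflow (not from the article). "example-org/..." actions are
# placeholders and the 40-hex hash is a made-up value, not a real commit.
SAMPLE_WORKFLOW = """\
jobs:
  scan:
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/scanner-action@v1
      - uses: example-org/build-action@0123456789abcdef0123456789abcdef01234567 # v2.1.0
      - uses: ./.github/actions/local-step
"""

# Constructed Dockerfile; the sha256 digest below is a made-up value.
SAMPLE_DOCKERFILE = """\
FROM python:3.12-slim
FROM registry.internal.example/base/python@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef AS runtime
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.M)
FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)", re.M | re.I)
SHA1_RE = re.compile(r"^[0-9a-f]{40}$")


def unpinned_actions(workflow_text):
    """Return `uses:` refs that resolve through a mutable ref (tag or branch).
    Local actions (./path) and docker:// refs are skipped: they are not GitHub tags."""
    findings = []
    for ref in USES_RE.findall(workflow_text):
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _repo, sep, version = ref.partition("@")
        # No "@" at all, or an "@" followed by anything other than a full SHA-1,
        # means the action can be swapped out by moving a tag.
        if not sep or not SHA1_RE.match(version):
            findings.append(ref)
    return findings


def unpinned_images(dockerfile_text):
    """Return FROM refs not pinned to a @sha256: digest (scratch is exempt).
    Build-stage aliases (FROM builder) are not distinguished here and will be flagged."""
    return [img for img in FROM_RE.findall(dockerfile_text)
            if "@sha256:" not in img and img.lower() != "scratch"]


if __name__ == "__main__":
    print("unpinned actions:", unpinned_actions(SAMPLE_WORKFLOW))
    print("unpinned images: ", unpinned_images(SAMPLE_DOCKERFILE))
```

The same two functions can be pointed at real `.github/workflows/*.yml` files and Dockerfiles in a pre-merge check so that a floating tag or digest-less base image fails the build.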