The campaign highlights a growing trend of adversaries targeting AI development pipelines to inject malicious code at scale.
The attack began with Trivy, a popular open-source vulnerability scanner maintained by Aqua Security.
According to available reports, TeamPCP exploited weak credential management practices and deployed an automated agent to manipulate Trivy into exposing its GitHub authentication tokens.
These credentials enabled the attackers to push malicious updates directly into the public repository.
Aqua Security confirmed that only the open-source version of Trivy was affected, while its enterprise customers remained protected.
However, the compromise created a critical foothold for further attacks, as many development environments rely on Trivy for continuous security scanning.
Building on the initial breach, TeamPCP moved laterally into LiteLLM, an open-source AI gateway widely used to connect applications with major large language models such as GPT-5 and Claude.
Because LiteLLM’s development pipeline depended on the compromised Trivy package, attackers were able to extract sensitive publishing credentials.
Using these keys, the group distributed trojanized versions of LiteLLM, impacting an estimated 95 million users.
The malicious updates remained undetected until developers began reporting system crashes and abnormal behavior, prompting an investigation.
LiteLLM has since engaged Google-owned Mandiant to conduct a forensic analysis and secure its infrastructure.
Notably, TeamPCP leveraged artificial intelligence to enhance its attack capabilities. A representative associated with the group claimed that Anthropic’s Claude model was used to generate malware components and automate various stages of the intrusion.
Security researchers observed multiple tactics in the campaign:
This use of AI significantly reduced development time for malicious payloads and increased the efficiency of the attack lifecycle.
TeamPCP is believed to operate as an initial access broker (IAB), a role increasingly common in the cybercrime ecosystem.
Instead of deploying ransomware directly, the group monetizes intrusions by selling access to other threat actors or extorting affected organizations.
This model allows them to scale operations while minimizing exposure, making detection and attribution more difficult for defenders.
The incident underscores systemic weaknesses in modern software supply chains, particularly within AI development environments.
Many organizations rely heavily on open-source tools without implementing rigorous validation or secrets management controls.
Cybersecurity experts emphasize that trust in third-party components must be paired with verification.
Key recommendations include:
As AI adoption accelerates, attackers are increasingly targeting the tools and frameworks that underpin these systems.
The TeamPCP campaign serves as a stark reminder that securing the AI supply chain is now a critical priority for organizations worldwide.
The post TeamPCP Hackers Target AI Developers with Malicious Code Injections appeared first on Cyber Security News.