Five registries. Eight phases. Thirty-three days. One group.

TeamPCP — also known as PCPcat, ShellForce, DeadCatx3, CipherForce, Persy_PCP — chained attacks against GitHub Actions, npm, Docker Hub, PyPI, and OpenVSX in a campaign that still has not ended. They compromised vulnerability scanners, supply chain security tools, AI gateways, telephony packages, and — while we were writing this — the most-used HTTP library on the planet. Then they pivoted to ransomware.

The thesis fits in one line: the supply chain security industry cannot protect its own supply chain.

We are not the ones saying it. They are, from their 700+ member Telegram channel:

"These companies were made to protect your supply chains and can't even protect their own."

This is not an article about LiteLLM — we already wrote that one. This is the full map of the largest documented cascading supply chain campaign of 2026.


One hundred million reasons

[This development occurred while writing this article.]

axios@1.14.1 — over one hundred million weekly downloads, present in 80% of cloud environments according to Wiz — appeared on March 30 with a dependency that did not exist twenty-four hours earlier: plain-crypto-js@4.2.1.

Not one version — two. Also axios@0.30.4. The attacker compromised the npm account of jasonsaayman, the lead maintainer of axios, changed the registered email to a Proton Mail address (ifstap@proton.me), and published both versions via CLI. The injected dependency — plain-crypto-js — was falsely attributed to Evan Vosberg (the real author of crypto-js) and pointed to the legitimate brix/crypto-js repo. Flawless typosquatting.

The postinstall script deployed a full cross-platform RAT in fifteen seconds: macOS via shell, Windows via PowerShell, Linux via bash. It harvested credentials, SSH keys, cloud tokens. It self-destructed after execution. Socket documented that the payload was downloaded from an external server and executed in memory.

The malicious versions were removed by npm at 03:29 UTC. Wiz observed execution in 3% of affected environments — which, given 80% presence in cloud environments, is a massive attack surface. The Hacker News, Hackread, and CyberInsider covered the incident as one of the largest supply chain breaches of the year.

Attribution to TeamPCP is not confirmed. No vendor has formally linked it at time of publication. But the pattern — maintainer hijacking, postinstall scripts, timing three days after Telnyx — is identical to the campaign's MO. CanisterWorm automatically enumerated every package from each compromised maintainer and republished them with the payload. If the axios maintainer was compromised at any point between March 19 and 27, their npm token was stolen. And with that token, publishing two poisoned versions is a trivial operation.

Confirmed or not, axios is already the largest supply chain incident of 2026 by impact surface. From 3.4M daily downloads (LiteLLM) to 100M weekly (axios). The escalation is not linear — it is exponential.


The TeamPCP campaign

It all started with a cloud worm. Between December 2025 and February 2026, TeamPCP compromised over 60,000 servers via exposed Docker, unauthenticated Kubernetes, open Ray, passwordless Redis. It was not sophisticated. It did not need to be. It was the entrance exam.

On March 19, graduation. TeamPCP rewrote 76 of 77 tags in aquasecurity/trivy-action — the vulnerability scanner that runs in CI/CD across the entire ecosystem. A PAT stolen from the hackerbot-claw bot via pull_request_target. CVE-2026-33634, CVSS 9.4, CISA added it to the KEV. CrowdStrike detected it first. GitGuardian verified 474 public repos compromised — lower bound, excluding private repos.

The paradox: the most diligent organizations — the ones scanning every build — had the greatest exposure. As SANS Institute titled it: "When the Security Scanner Became the Weapon."

From there, the cascade:

March 20 — npm. CanisterWorm infected 66+ packages with a self-propagating worm. C2 via Internet Computer Protocol canisters — blockchain as command and control. Decentralized, immutable, impossible to take down.

March 22 — Docker Hub. Malicious Trivy images v0.69.4 through v0.69.6. 44 GitHub repos defaced. The images stole credentials silently. The defacement was noise.

March 23 — Checkmarx. All tags in kics-github-action compromised. A company that sells supply chain security. Sysdig confirmed identical payload to Trivy's. Their response: "we have no knowledge of impact." As if the alarm company handed the burglars the keys.

March 24 — LiteLLM. CEO's PyPI credentials stolen via compromised Trivy. .pth persistence — executes in every Python process without an import. Live for three hours, 47,000 downloads. Wiz reports LiteLLM in 36% of cloud environments. The world found out because of an accidental fork bomb. Full coverage here.

March 27 — Telnyx. Steganography in WAV files. Each 16-byte frame: 8 bytes of XOR payload + 8 bytes of key. Windows persistence. Sophistication evolved with each phase.

March 28 — Ransomware. Partnership with LAPSUS$ via Vect ransomware. Databricks investigating. ~300GB of compressed credentials. Mandiant estimates 1,000 to 10,000 SaaS environments compromised.
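The .pth mechanism from the LiteLLM phase is worth checking for on your own hosts: CPython's site module exec()s any .pth line that begins with "import " at interpreter start-up, so no import in your code is needed. The scanner below is an added example, not code from the incident or from any vendor; the sample .pth contents and the beacon URL (example.invalid) are constructed, and the "suspicious" heuristic (anything beyond a plain sys.path edit) is an assumption of this example.

```python
import re
import site
from pathlib import Path

# Constructed sample .pth file (not from the incident). Lines 1-2 are what a
# normal editable install looks like; lines 3-4 are both exec()'d by site.py.
SAMPLE_PTH = """\
# editable install written by a build backend
/opt/venv/src/some_project
import sys; sys.path.insert(0, '/opt/venv/src/other_project')
import urllib.request; urllib.request.urlopen('http://example.invalid/beacon')
"""

EXEC_PREFIX = ("import ", "import\t")  # exactly what site.addpackage() tests for
BENIGN_RE = re.compile(r"import sys;\s*sys\.path\.(insert|append)\([^)]*\)\s*")


def executable_pth_lines(text):
    """(line_number, line) for every line site.py would exec() from this .pth text.

    Mirrors site.addpackage(): '#' comments and blank lines are skipped, a line
    starting with "import " is executed verbatim, anything else is a path entry.
    """
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        if line.startswith("#") or not line.strip():
            continue
        if line.startswith(EXEC_PREFIX):
            hits.append((n, line.rstrip()))
    return hits


def is_suspicious(line):
    """Heuristic (assumed): an import line that does more than extend sys.path."""
    return not BENIGN_RE.fullmatch(line)


def scan_site_dirs(dirs=None):
    """Walk site-packages directories and report every exec()'d .pth line."""
    dirs = dirs or (site.getsitepackages() + [site.getusersitepackages()])
    report = []
    for d in dirs:
        base = Path(d)
        if not base.is_dir():
            continue
        for pth in base.glob("*.pth"):
            text = pth.read_text(encoding="utf-8", errors="replace")
            for n, line in executable_pth_lines(text):
                report.append((str(pth), n, line, is_suspicious(line)))
    return report


if __name__ == "__main__":
    for path, n, line, sus in scan_site_dirs():
        print(f"{'SUSPICIOUS' if sus else 'ok':10} {path}:{n}: {line}")
```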


The scanner paradox

Why start with security tools? Because they run with elevated privileges by design — they need to read code, dependencies, CI secrets. Because they are trusted by default. Because they sit in every pipeline. Because they have access to every secret as a functional requirement. And because nobody scans them.

One stolen PAT → 76 tags → 474+ repos → PyPI, npm, Docker Hub tokens → 1,705 downstream packages → millions of users. Noelle Murata distilled it: "outsourcing your root access to anyone who can phish a single package maintainer."

Dan Lorenc, CEO of Chainguard, called the mutable tag design in GitHub Actions "plain irresponsible." Tags with no transparency log, no cryptographic signature. One git push -f and the downloaded code is something else. Nobody pins to SHA. Convenience wins. It always wins.
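The fix Lorenc is pointing at is mechanical: a workflow step is only immutable when its ref is a full commit SHA (or an image digest for docker:// steps). The checker below is an added example, not code from any project named here; the sample workflow, its refs and the placeholder SHA and digest are constructed.

```python
import re

# Constructed sample workflow (not from any real repository); the SHA and the
# digest are placeholders, the tag and branch names are samples.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # sample pin
      - uses: aquasecurity/trivy-action@master
      - uses: checkmarx/kics-github-action@v2
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3
      - uses: docker://alpine@sha256:0000000000000000000000000000000000000000000000000000000000000000
      - run: echo "not a uses line"
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
SHA1_RE = re.compile(r"^[0-9a-f]{40}$")
SHA256_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def is_pinned(ref):
    """True if a `uses:` reference resolves to content nobody can rewrite.

    A local path (./) is the repository's own code. A repository action is
    immutable only when its ref is a full commit SHA; tags and branches can be
    moved with `git push -f`. A docker:// image is immutable only by digest.
    """
    if ref.startswith("./"):
        return True
    if ref.startswith("docker://"):
        _, _, digest = ref.rpartition("@")
        return bool(SHA256_RE.match(digest))
    _, _, git_ref = ref.rpartition("@")
    return bool(SHA1_RE.match(git_ref))


def unpinned_uses(workflow_text):
    """Return (line_number, ref) for every action reference that is mutable."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and not is_pinned(m.group(1)):
            findings.append((n, m.group(1)))
    return findings


if __name__ == "__main__":
    for n, ref in unpinned_uses(SAMPLE_WORKFLOW):
        print(f"line {n}: {ref} is mutable; pin to a commit SHA or image digest")
```

Run it over every file under .github/workflows/; a clean result means a tag rewrite upstream cannot change what your pipeline executes.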

And there is something that makes this campaign's C2 especially significant. The founder of paila.news was a direct target of an attack using the same conceptual pattern — blockchain as a C2 dead drop — but executed by Lazarus Group (DPRK) using TRON instead of ICP. Transactions of 1 sun to the burn address with encrypted payloads, XOR keys from BSC. Detected before execution. A criminal group and a nation-state arrived independently at the same architectural solution. Not a coincidence. Natural selection.


The loop did not close

The campaign is still active. The ICP canisters are still online. The backdoors poll C2 every five to fifty minutes. The 300GB of credentials are a time bomb — not all were rotated, not all will be. Some organizations do not even know they were compromised.

Trivy scans vulnerabilities. Checkmarx protects supply chains. LiteLLM centralizes AI keys. axios is the HTTP library in every JavaScript project. The tools that exist to protect you — and the ones you use to build — were the attack vector. And right now, in some pipeline nobody has audited, a mutable tag points to a commit nobody verified.

The loop did not close.

It expanded.