Actor2026

TeamPCP

2Rules

4References

1Folders

2026-03-30Latest

Summary

TeamPCP is tracked here as a threat actor, intrusion set, or campaign with 2 Sigma detections spanning 2026. Coverage centers on linux / file_event, linux / process_creation.

Related Detections

Search this threat

Emerging Threathighexperimental

LiteLLM / TeamPCP Supply Chain Attack Indicators

Detects process executions related to the backdoored versions of LiteLLM (v1.82.7 or v1.82.8). In March 2026, a supply chain attack was discovered involving the popular open-source LLM framework LiteLLM by Threat Actor TeamPCP. The malicious package harvests every credential on the system, encrypts and exfiltrates them, and installs a persistent C2 backdoor.

LinuxProcess Creation

TA0001 · Initial AccessT1195.002 · Compromise Software Supply ChainTA0009 · CollectionT1560.001 · Archive via Utility+4

Swachchhanda Shrawan Poudel (Nextron Systems)Mon Mar 302026

Emerging Threathighexperimental

TeamPCP LiteLLM Supply Chain Attack Persistence Indicators

Detects the creation of specific persistence files as observed in the LiteLLM PyPI supply chain attack. In March 2026, a supply chain attack was discovered involving the popular open-source LLM framework LiteLLM by Threat Actor TeamPCP. The malicious package harvests every credential on the system, encrypts and exfiltrates them, and installs a persistent C2 backdoor.

LinuxFile Event

TA0003 · PersistenceTA0004 · Privilege EscalationT1543.002 · Systemd ServiceTA0001 · Initial Access+2

Swachchhanda Shrawan Poudel (Nextron Systems)Mon Mar 302026

References