A China-adjacent threat cluster known as TeamPCP has converted four trusted open-source security projects — Trivy, KICS, LiteLLM, and Telnyx's PyPI package — into delivery vehicles for credential-stealing malware. Within hours of each compromise, attackers were validating harvested AWS access keys, Azure application secrets, and SaaS tokens against live production environments. For SAMA-regulated Saudi banks running cloud-native fintech infrastructure, this campaign reframes what "third-party risk" actually means in 2026.
TeamPCP's Multi-Stage Supply Chain Operation
TeamPCP — also tracked as DeadCatx3, PCPcat, and ShellForce — has been operationally active since 2024 but pivoted in mid-2025 toward stealing CI/CD credentials at industrial scale. The current wave began on March 19, 2026, when malicious code injected into Trivy's release pipeline began exfiltrating environment variables, GitHub Personal Access Tokens, AWS keys, Azure secrets, and SSH keys from any developer or build runner that imported the poisoned version. Wiz CIRT and Palo Alto Unit 42 telemetry confirms that within 24 hours of credential theft, the actor was running AWS discovery against compromised tenants — a tight intrusion-to-impact window most detection programs are not built to catch.
How Stolen Credentials Become Bank-Wide Compromise
Once inside victim AWS environments, TeamPCP used TruffleHog to validate harvested keys, then enumerated S3 buckets, Secrets Manager entries, and databases. The actor abused the ECS Exec feature to execute Bash and Python directly inside running containers, bypassing image-scanning controls and most EDR coverage. In parallel, GitHub Actions workflows were hijacked to clone private repositories at scale, and Azure application secrets were validated for tenant-wide blast radius. Mandiant counts more than 1,000 impacted SaaS environments and over 340 GB exfiltrated, with the European Commission among 71 confirmed EU entity victims. The blast pattern is consistent: one developer's poisoned dependency becomes one organization's full cloud takeover within a working day.
Impact on SAMA-Regulated Saudi Financial Institutions
The Saudi banking sector's accelerated migration to cloud — driven by Vision 2030 fintech expansion and SAMA's Cloud Computing Regulatory Framework — has made CI/CD pipelines the new perimeter. Every SAMA-regulated bank running mobile banking, payment gateways, or open banking APIs maintains build pipelines that import dozens of third-party packages weekly. The SAMA Cyber Security Control Cybersecurity Compliance (CSCC) framework explicitly mandates third-party cyber security risk management (control 3.3.15) and secure software development lifecycle requirements (3.3.13). NCA ECC subdomain 2-12 reinforces these requirements with supply chain assurance obligations, and PDPL adds breach notification timelines that begin the moment exfiltrated customer data hits a leak site. A TeamPCP-style intrusion would fail every one of these controls simultaneously.
Recommended Defensive Actions
- Enforce short-lived, OIDC-federated cloud credentials inside CI/CD runners — eliminate long-lived AWS access keys and Azure client secrets stored as build variables.
- Pin all open-source dependencies by cryptographic hash (npm integrity, pip hash-checking mode, Go module checksums) and review every Renovate or Dependabot PR rather than auto-merging.
- Deploy egress filtering and DNS allow-listing on build agents — TeamPCP's exfiltration relied on outbound calls to attacker-controlled domains that egress controls would have blocked.
- Rotate all developer GitHub PATs to fine-grained tokens, and require SAML-enforced SSO with hardware key MFA for any account with repository write access.
- Enable AWS CloudTrail and Azure Activity Log analytics tuned for TruffleHog-style key validation patterns and ECS Exec invocations against production workloads.
- Run a tabletop exercise specifically modeled on the TeamPCP kill chain to validate that SOC playbooks, SAMA incident reporting timelines, and PDPL breach notification workflows actually work under pressure.
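One way to implement the CloudTrail analytics recommended above, as an added example that is not from the original article: it flags ECS Exec invocations and any long-lived key that calls sts:GetCallerIdentity from an untrusted address and then enumerates storage, secrets or databases shortly afterwards. The trusted range, the 30-minute window, the `ev`, `untrusted` and `detect` helpers and all sample events are assumptions constructed for illustration, as is treating GetCallerIdentity as the key-validation signal.

```python
import ipaddress
from datetime import datetime, timedelta

# Assumption: egress range of the organization's own build runners (documentation range).
TRUSTED_NETS = [ipaddress.ip_network("198.51.100.0/24")]
DISCOVERY = {"ListBuckets", "ListSecrets", "DescribeDBInstances"}
WINDOW = timedelta(minutes=30)  # assumed correlation window

def ev(clock, source, name, key, ip, params=None):
    """Build a constructed record using real CloudTrail field names."""
    return {"eventTime": f"2026-01-01T{clock}Z", "eventSource": f"{source}.amazonaws.com",
            "eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"accessKeyId": key}, "requestParameters": params}

# Constructed sample events, not real telemetry.
EVENTS = [
    ev("10:00:00", "sts", "GetCallerIdentity", "AKIAEXAMPLEKEY00001", "203.0.113.50"),
    ev("10:02:00", "s3", "ListBuckets", "AKIAEXAMPLEKEY00001", "203.0.113.50"),
    ev("10:03:00", "secretsmanager", "ListSecrets", "AKIAEXAMPLEKEY00001", "203.0.113.50"),
    ev("10:05:00", "sts", "GetCallerIdentity", "AKIAEXAMPLEKEY00002", "198.51.100.7"),
    ev("10:06:00", "s3", "ListBuckets", "AKIAEXAMPLEKEY00002", "198.51.100.7"),
    ev("10:10:00", "ecs", "ExecuteCommand", "ASIAEXAMPLEKEY00003", "203.0.113.50",
       {"cluster": "prod", "task": "task-constructed-1", "command": "/bin/bash"}),
    ev("12:00:00", "rds", "DescribeDBInstances", "AKIAEXAMPLEKEY00001", "203.0.113.50"),
]

def untrusted(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # calls made by AWS services show a hostname here
        return False
    return not any(addr in net for net in TRUSTED_NETS)

def detect(events):
    findings, validated = [], {}
    for e in sorted(events, key=lambda e: e["eventTime"]):
        when = datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        key, name = e["userIdentity"].get("accessKeyId", ""), e["eventName"]
        if e["eventSource"] == "ecs.amazonaws.com" and name == "ExecuteCommand":
            findings.append(("ecs_exec", key, (e["requestParameters"] or {}).get("task")))
        # Long-lived IAM user keys start with AKIA; skip calls from trusted runners.
        if not key.startswith("AKIA") or not untrusted(e["sourceIPAddress"]):
            continue
        if name == "GetCallerIdentity":
            validated[key] = when  # identity probe that shows whether a key is live
        elif name in DISCOVERY and when - validated.get(key, datetime.min) <= WINDOW:
            findings.append(("validate_then_enumerate", key, name))
    return findings
```

In production the same correlation would run over the CloudTrail event stream, with the trusted ranges taken from the build runners' actual egress addresses.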
Conclusion
TeamPCP is not a theoretical risk — it has already breached more than a thousand cloud and SaaS tenants by weaponizing the very tools security teams trust. Saudi banks face a stark choice: treat their build pipelines and cloud secret stores as production-tier assets governed by SAMA CSCC and NCA ECC, or accept that the next supply chain attack lands inside the bank without anyone clicking a phishing link. The window between "open-source maintainer compromised" and "regulator-reportable breach" is now measured in hours.
Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment focused on CI/CD pipeline security, cloud secret hygiene, and supply chain risk mapped to SAMA CSCC and NCA ECC controls.