On July 2, 2026, the FBI released a critical FLASH alert regarding the criminal group "TeamPCP." This actor has successfully compromised widely used developer and security tools, poisoning the software supply chain to facilitate widespread credential theft. Unlike standard malware campaigns, TeamPCP’s approach leverages the inherent trust placed in development utilities. By injecting malicious code into software updates and trusted binaries, they gain access to sensitive environments, steal cloud credentials, spread malware, and ultimately extort victims.
For security practitioners, this represents a high-risk shift in threat landscape dynamics. The compromise of a trusted developer tool bypasses traditional perimeter defenses, allowing the attacker to operate with the same privileges as the trusted software. This post provides a technical breakdown of the TeamPCP TTPs ( Tactics, Techniques, and Procedures) and actionable detection and remediation guidance to secure your development and cloud environments.
Technical Analysis
Attack Vector: Poisoned Development Tools TeamPCP targets the software update mechanisms of widely used developer and security tools. By compromising the update infrastructure or signing keys (or exploiting vulnerabilities in the update process), they deliver malicious payloads disguised as legitimate software updates. Once installed, the poisoned tool executes malicious code within the context of the trusted application, often evading application allow-listing and behavioral monitoring.
Post-Exploitation: Cloud Credential Theft The primary objective of the TeamPCP campaign appears to be the theft of cloud credentials. The malicious components within the compromised tools scan the local filesystem, memory, and environment variables for sensitive tokens, API keys, and credentials associated with major cloud providers (AWS, Azure, GCP).
Impact and Extortion After harvesting credentials, TeamPCP utilizes them to move laterally into cloud environments, exfiltrate data, or deploy ransomware. The FBI alert confirms that the group is actively extorting victims, leveraging stolen data and encrypted systems to demand payment.
Affected Platforms: While the specific tools were not named in the summary, the attack vector targets cross-platform developer utilities (Windows, Linux, macOS). Any environment utilizing automated software updates for developer tooling is at potential risk.
Detection & Response
Detecting poisoned dev tools requires a shift from looking for "malware" to looking for "anomalous behavior" within trusted processes. The following rules focus on suspicious child process execution by development tools and unauthorized access to cloud credential stores.
SIGMA Rules
---
title: TeamPCP - Suspicious Child Process from Dev Tool
id: 8a4b1c92-6d3e-4a5f-9b1c-2d3e4f5a6b7c
status: experimental
description: Detects suspicious command-line shells or scripts spawned by common development tools, potentially indicating a poisoned binary or supply-chain attack.
references:
- https://www.fbi.gov/news/2026/july-2-fbi-flash-teampcp-dev-tools
author: Security Arsenal
date: 2026/07/03
tags:
- attack.execution
- attack.t1059.001
- attack.t1059.003
logsource:
category: process_creation
product: windows
detection:
selection_devtools:
ParentImage|contains:
- '\Code.exe'
- '\idea64.exe'
- '\eclipse.exe'
- '\sublime_text.exe'
- '\devenv.exe'
- '\dotnet.exe'
selection_shells:
Image|endswith:
- '\powershell.exe'
- '\cmd.exe'
- '\wsl.exe'
- '\bash.exe'
condition: selection_devtools and selection_shells
falsepositives:
- Legitimate developer debugging or build scripts (Verify command line arguments)
level: high
---
title: TeamPCP - Unauthorized Access to Cloud Credential Files
id: 9c5d2a03-7e4f-5b6a-0c2d-3e4f5a6b7c8d
status: experimental
description: Detects non-standard processes accessing AWS/Azure credential files on disk, a common behavior of tooling infected by TeamPCP.
references:
- https://www.fbi.gov/news/2026/july-2-fbi-flash-teampcp-dev-tools
author: Security Arsenal
date: 2026/07/03
tags:
- attack.credential_access
- attack.t1552.001
logsource:
category: file_access
product: windows
detection:
selection_files:
TargetFilename|contains:
- '\.aws\credentials'
- '\.aws\config'
- '\.azure\accessTokens.'
- '\.azure\azureProfile.'
- '\_netrc'
selection_exclude:
Image|contains:
- '\Program Files\'
- '\aws.exe'
- '\az.exe'
- '\git.exe'
- '\ssh.exe'
condition: selection_files and not selection_exclude
falsepositives:
- Custom scripts or third-party tools legitimately managing cloud creds
level: medium
KQL (Microsoft Sentinel)
// Hunt for Dev Tools spawning suspicious processes
DeviceProcessEvents
| where Timestamp >= ago(7d)
| where InitiatingProcessFileName in~ ("Code.exe", "idea64.exe", "eclipse.exe", "sublime_text.exe", "devenv.exe", "dotnet.exe")
| where ProcessFileName in~ ("powershell.exe", "cmd.exe", "wsl.exe", "bash.exe", "pwsh.exe")
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessFileName, ProcessCommandLine, SHA256
| order by Timestamp desc
// Hunt for access to Cloud Credential files by non-standard processes
DeviceFileEvents
| where Timestamp >= ago(7d)
| where FileName in~ ("credentials", "config", "accessTokens.", "azureProfile.", "_netrc")
| where FolderPath contains ".aws" or FolderPath contains ".azure" or FileName == "_netrc"
| where not(
InitiatingProcessFileName in~ ("explorer.exe", "code.exe", "notepad.exe", "aws.exe", "az.exe", "git.exe", "ssh.exe", "vscode.exe") or
InitiatingProcessFolderPath contains @"\Program Files\"
)
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, ActionType, SHA256
| order by Timestamp desc
Velociraptor VQL
-- Hunt for Dev Tools spawning Shells or network connections
LET suspicious_devtools = dict(
`Code.exe`, `JetBrains\IDEA\`, `eclipse.exe`, `devenv.exe`, `sublime_text.exe`
)
SELECT Pid, Name, Exe, CommandLine, Parent.Pid AS ParentPid, Parent.Name AS ParentName
FROM pslist()
WHERE Name IN ('powershell.exe', 'cmd.exe', 'bash.exe', 'wsl.exe')
AND Parent.Name IN suspicious_devtools
-- Hunt for modifications to cloud credential files in user directories
SELECT FullPath, Mtime, Size, Mode
FROM glob(globs="/*/.aws/credentials", globs="/*/.azure/accessTokens.")
WHERE Mtime > now() - 7d
Remediation Script (PowerShell)
# Remediation Script: Check Integrity of Common Dev Tools
# Run as Administrator
Write-Host "[+] Checking digital signatures of common Developer Tools..." -ForegroundColor Cyan
$DevToolsPaths = @(
"${env:ProgramFiles}\Microsoft VS Code",
"${env:ProgramFiles}\JetBrains",
"${env:ProgramFiles}\Git",
"${env:LocalAppData}\Programs\Microsoft VS Code"
)
$SuspiciousFiles = @()
foreach ($Path in $DevToolsPaths) {
if (Test-Path $Path) {
Write-Host "[INFO] Scanning: $Path" -ForegroundColor Yellow
$Files = Get-ChildItem -Path $Path -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue |
Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) }
foreach ($File in $Files) {
$Sig = Get-AuthenticodeSignature -FilePath $File.FullName
if ($Sig.Status -ne "Valid") {
Write-Host "[!] WARNING: Unsigned or invalid signature found: $($File.FullName)" -ForegroundColor Red
$SuspiciousFiles += $File.FullName
}
}
}
}
if ($SuspiciousFiles.Count -eq 0) {
Write-Host "[+] No suspicious file modifications found in standard paths." -ForegroundColor Green
} else {
Write-Host "[!] CRITICAL: Please review the files listed above immediately." -ForegroundColor Red
Write-Host "[+] Recommendation: Re-install affected development tools from official vendor sources." -ForegroundColor Yellow
}
# Check for recent access to cloud credential files
Write-Host "[+] Checking for recent modifications to cloud credential files..." -ForegroundColor Cyan
$CredPaths = @(
"$env:USERPROFILE\.aws\credentials",
"$env:USERPROFILE\.azure\accessTokens."
)
foreach ($CredPath in $CredPaths) {
if (Test-Path $CredPath) {
$Item = Get-Item $CredPath
if ($Item.LastWriteTime -gt (Get-Date).AddDays(-7)) {
Write-Host "[!] WARNING: Cloud credential file modified recently: $CredPath" -ForegroundColor Red
}
}
}
Remediation Steps
- Verify Software Integrity: Immediately verify the digital signatures of all installed developer tools, CI/CD agents, and security scanners. Re-install any software with invalid signatures or suspicious modification dates directly from the official vendor websites.
- Credential Rotation: Assume that any cloud credentials (AWS Access Keys, Azure Service Principals, GCP Service Accounts) present on workstations with compromised tools are compromised. Force-rotate these credentials immediately.
- Review Cloud Logs: Audit CloudTrail (AWS), Sentinel (Azure), and Cloud Audit Logs (GCP) for anomalous API calls originating from IP addresses associated with your development workstations during the compromise window.
- Isolate Affected Systems: If a specific poisoned tool is identified, isolate the host(s) running that tool from the network to prevent further C2 communication or lateral movement.
- Patch and Update: Apply the latest security patches to all development software once the vendor has confirmed a clean build. Enable mechanisms such as "Verify checksums" before installing any future updates.
Related Resources
Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.