Threat Analysis: TeamPCP Supply Chain Attack and the Coming Patch Tsunami, What UK SMBs Need to Know

Threats & Attacks

Threat Analysis: TeamPCP Supply Chain Attack and the Coming Patch Tsunami, What UK SMBs Need to Know

By Mauven MacLeod ·

Hello, Mauven here.

This is your Daily Threat Analysis for 2nd May 2026.

Two things landed this week that individually are significant. Together, they are telling you something about where the threat landscape is heading and why the standard advice to “keep systems patched and use a reputable IT provider” is becoming increasingly insufficient on its own.

TeamPCP: When Your Security Tools Become the Attack Vector

Between late February and March 2026, a threat group tracked as TeamPCP conducted a deliberate, staged supply chain operation targeting open-source security infrastructure. The targets were not random. They chose tools that security teams trust: the Trivy vulnerability scanner, the KICS infrastructure-as-code security checker, the LiteLLM AI gateway, and the official Python SDK of Telnyx.

The Telnyx SDK attack is the one that warrants the most attention for anyone with a development function, an IT managed service provider, or a software supply chain of any description. The package has 750,000 monthly downloads. TeamPCP uploaded trojanised versions to PyPI — the Python package index that developers pull from automatically.

Here is what makes this technically notable, and what most of the coverage has glossed over: the attack used a three-stage architecture specifically designed to evade automated detection. The trojanised package triggered a platform-specific loader. That loader downloaded a second-stage payload hidden inside a WAV audio file using steganography — concealing executable code inside what looks, to most scanners, like a harmless sound file. That second stage then deployed a credential harvester that collected stored credentials, encrypted them, and exfiltrated them.

Steganography in delivery chains is not new. Using it against a package with three-quarters of a million monthly downloads, in a tool used by developers who are themselves building security infrastructure, is a considered choice. You compromise the people doing the defending.

The advisory also tags this campaign with the CanisterWorm wiper designation and CVE-2025-55182. The wiper element is significant. This was not purely an intelligence-gathering operation. The capability to destroy data was built in.

What the threat intelligence does not say is how many downstream organisations have already been affected without knowing it. The nature of supply chain compromises is that the blast radius is not visible at the point of initial disclosure. If a developer at your IT provider, your SaaS vendor, or your in-house team installed a compromised version of any of these packages between February and March 2026, the credential harvester has already done its work.

What UK SMBs Should Do Now

If you have a development team, an IT managed service provider, or any software that was built or updated in the past three months using Python dependencies:

  • Ask your IT provider or MSP to confirm whether any of the affected packages (telnyx Python SDK, Trivy, KICS, LiteLLM) are present in your environment or in tooling they use to manage your infrastructure.
  • Ask specifically whether they have a software composition analysis (SCA) process — a mechanism for tracking what open-source packages are running in your environment and whether they have been flagged for compromise.
  • If your provider cannot answer both questions clearly and promptly, that tells you something about the state of your supply chain visibility.

For most UK SMBs, the honest answer is that you are dependent on your IT supplier’s hygiene here. Which makes the second story today relevant.

CVE-2026-31431: A Working Linux Exploit, Right Now

Also published this week by Microsoft’s security research team: CVE-2026-31431, named Copy Fail. This is a high-severity Linux vulnerability that enables local privilege escalation to root — across cloud environments and Kubernetes workloads. Microsoft confirms that a working exploit is already in the wild.

Root escalation in cloud and container environments is not a theoretical concern. It means that an attacker who has obtained any foothold in a Linux-based system — through a phishing email, a compromised credential, or a supply chain infection like the TeamPCP campaign above — can escalate from limited access to full system control.

The detail that matters here is the combination: a supply chain campaign that steals credentials, paired with an actively-exploited Linux privilege escalation vulnerability. If TeamPCP-harvested credentials are used to access a cloud environment running unpatched Linux infrastructure, the path to full compromise is short.

If your business uses cloud infrastructure, Linux servers, containerised applications, or has any of these managed by a third party, the question to ask today is: has CVE-2026-31431 been patched in our environment? If your provider cannot confirm that, escalate.

The Patch Tsunami Context

The NCSC published a warning this week — covered by The Register — that AI-assisted vulnerability research is accelerating the discovery of legacy code flaws. Their position, in plain terms: years of accumulated technical debt in software that organisations depend on is about to be surfaced faster than defenders can respond to it.

The NCSC has been making this argument in various forms for some time. The fact that they felt the need to issue a specific warning about it now suggests the acceleration is no longer theoretical. AI-powered fuzzing and static analysis tools are identifying vulnerability classes in widely-deployed software at a rate that patch management processes — already strained at most organisations — cannot comfortably absorb.

For UK SMBs, this matters in a specific way. Most smaller businesses rely on their IT provider to manage patching. Most IT providers are already behind. When the volume of critical patches increases sharply and simultaneously across multiple vendors, the providers who are already stretched will fall further behind. The organisations most exposed are those with the least visibility into what their provider is actually doing.

The answer to a patch tsunami is not to panic. It is to prioritise ruthlessly — and to know, with some specificity, what you are running. Which brings us back to software composition analysis, asset inventories, and the basic question of whether your IT provider can tell you what is in your environment.

Also Worth Noting: GhostSocks

Darktrace has published analysis of GhostSocks, an emerging malware-as-a-service tool marketed on Russian underground forums and increasingly coupled with Lumma Stealer. GhostSocks turns compromised devices into residential proxy nodes — effectively laundering attacker traffic through legitimate-looking IP addresses to evade detection systems that rely on IP reputation.

This is relevant context for the TeamPCP campaign. Credential theft followed by residential proxying is a clean operational pattern: steal credentials, use proxied infrastructure to access accounts without triggering IP-based anomaly detection, operate under the radar. GhostSocks appears to be the infrastructure layer that enables this.

I am noting this as context rather than a primary action item. The direct mitigations here are MFA on all accounts (which removes much of the value of stolen credentials), and behavioural anomaly detection rather than IP-based controls. If your security tooling only alerts on known-bad IP addresses, it will not catch this.

Three Questions to Ask Your IT Provider Today

  1. Are any of the following packages present in our environment or in your tooling: telnyx Python SDK, Trivy, KICS, LiteLLM? What is your process for identifying supply chain compromises in the open-source packages you use?

  2. Has CVE-2026-31431 (Copy Fail) been assessed and patched across our Linux and cloud infrastructure?

  3. What is your process for prioritising patches when multiple critical vulnerabilities are disclosed simultaneously? How do you communicate that prioritisation to us?

If you get vague answers, that is your risk assessment right there.

SourceTitleURL
Palo Alto Unit 42Weaponizing the Protectors: TeamPCP’s Multi-Stage Supply Chain Attack on Security Infrastructurehttps://unit42.paloaltonetworks.com/teampcp-supply-chain-attacks/
HexastrikeRinging in Chaos: How TeamPCP Weaponized the Telnyx Python SDKhttps://hexastrike.com/resources/blog/threat-intelligence/ringing-in-chaos-how-teampcp-weaponized-the-telnyx-python-sdk
DarktracePhantom Footprints: Tracking GhostSocks Malwarehttps://www.darktrace.com/blog/phantom-footprints-tracking-ghostsocks-malware
Microsoft Security BlogCVE-2026-31431: Copy Fail vulnerability enables Linux root privilege escalation across cloud environmentshttps://www.microsoft.com/en-us/security/blog/2026/05/01/cve-2026-31431-copy-fail-vulnerability-enables-linux-root-privilege-escalation/
The RegisterBrace for the patch tsunami: AI is unearthing decades of buried code debthttps://www.theregister.com/2026/05/02/ncsc_brace_for_patch_tsunami/

Filed under

  • supply-chain-risk
  • smb-security
  • uk-business
  • vendor-risk
  • incident-response
  • cloud-security
  • msp-security