216.73.217.22

Weaponizing the Protectors: TeamPCPs Multi-Stage Supply Chain Attack on Security Infrastructure

· Published 01/04/2026 02:05 · Modified 01/04/2026 10:24

Export JSON

Essential information

Published
01/04/2026 02:05
Modified
01/04/2026 10:24
Tags
2026-04-01 CVE-2025-55182 canisterworm supply chain attack teampcp wiper
Related entities
1 vulnerabilities (cve), 36 observables, 1 intrusion sets (apt), 1 malware, 6 others

Description

Between late February and March 2026, threat group conducted a highly calculated, escalating sequence of supply chain threats. It systematically compromised widely trusted open-source security tools, including the vulnerability scanners Trivy and KICS and the popular AI gateway LiteLLM. The affected software also includes the official Python SDK of Telnyx.

Related entities

Vulnerabilities, IOCs, intrusion sets, MITRE techniques and other entities referenced in this report.

Vulnerabilities (CVE) (1)

CVE-2025-55182 KEV
10.0 Critical

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, …

Attack vector
Network
Published
05/12/2025
Modified
29/05/2026
Analyzed

Observables (36)

  • 195.5.171.242
  • 23.142.184.129
  • 63.251.162.11
  • 83.142.209.203
  • 209.34.235.18
  • 212.71.124.188
  • 45.148.10.212
  • 83.142.209.11
  • 41c4f2f37c0b257d1e20fe167f2098da9d2e0a939b09ed3f63bc4fe010f8365c
  • bef7e2c5a92c4fa4af17791efc1e46311c0f304796f1172fce192f5efc40f5d7
  • 0c0d206d5e68c0cf64d57ffa8bc5b1dad54f2dda52f24e96e02e237498cb9c3a
  • f7084b0229dce605ccc5506b14acd4d954a496da4b6134a294844ca8d601970d
  • 6328a34b26a63423b555a61f89a6a0525a534e9c88584c815d937910f1ddd538
  • 0880819ef821cff918960a39c1c1aada55a5593c61c608ea9215da858a86e349
  • e4edd126e139493d2721d50c3a8c49d3a23ad7766d0b90bc45979ba675f35fea
  • cd08115806662469bbedec4b03f8427b97c8a4b3bc1442dc18b72b4e19395fe3
  • f398f06eefcd3558c38820a397e3193856e4e6e7c67f81ecc8e533275284b152
  • ecce7ae5ffc9f57bb70efd3ea136a2923f701334a8cd47d4fbf01a97fd22859c
  • 61ff00a81b19624adaad425b9129ba2f312f4ab76fb5ddc2c628a5037d31a4ba
  • 887e1f5b5b50162a60bd03b66269e0ae545d0aef0583c1c5b00972152ad7e073
  • e87a55d3ba1c47e84207678b88cacb631a32d0cb3798610e7ef2d15307303c49
  • 7df6cef7ab9aae2ea08f2f872f6456b5d51d896ddda907a238cd6668ccdc4bb7
  • d5edd791021b966fb6af0ace09319ace7b97d6642363ef27b3d5056ca654a94c
  • e64e152afe2c722d750f10259626f357cdea40420c5eedae37969fbf13abbecf
  • d8caf4581c9f0000c7568d78fb7d2e595ab36134e2346297d78615942cbbd727
  • 0c6a3555c4eb49f240d7e0e3edbfbb3c900f123033b4f6e99ac3724b9b76278f
  • 7b5cc85e82249b0c452c66563edca498ce9d0c70badef04ab2c52acef4d629ca
  • 822dd269ec10459572dfaaefe163dae693c344249a0161953f0d5cdd110bd2a0
  • 5e2ba7c4c53fa6e0cef58011acdd50682cf83fb7b989712d2fcf1b5173bad956
  • e9b1e069efc778c1e77fb3f5fcc3bd3580bbc810604cbf4347897ddb4b8c163b
  • 1e559c51f19972e96fcc5a92d710732159cdae72f407864607a513b20729decb
  • 30015dd1e2cf4dbd49fff9ddef2ad4622da2e60e5c0b6228595325532e948f14
  • c37c0ae9641d2e5329fcdee847a756bf1140fdb7f0b7c78a40fdc39055e7d926
  • 18a24f83e807479438dcab7a1804c51a00dafc1d526698a66e0640d1e5dd671a
  • 7321caa303fe96ded0492c747d2f353c4f7d17185656fe292ab0a59e2bd0b8d9
  • e6310d8a003d7ac101a6b1cd39ff6c6a88ee454b767c1bdce143e04bc1113243

Intrusion sets (APT) (1)

  • TeamPCP
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 20/03/2026 22:18 · Modified 20/03/2026 22:18

Malware (1)

  • CanisterWorm
    Family
    Published 22/04/2026 16:22 · Modified 22/04/2026 16:22

Others (6)

  • souls-entire-defined-routes.trycloudflare.com
  • plug-tab-protective-relay.trycloudflare.com
  • tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io
  • create-sensitivity-grad-sequence.trycloudflare.com
  • championships-peoples-point-cassette.trycloudflare.com
  • investigation-launches-hearings-copying.trycloudflare.com

External references