Stenobird

Episode

116; TeamPCP

Podcast
Inside Darknet
Published
May 9, 2026
Duration seconds
1866
Processing state
processed
Canonical source
https://podcasters.spotify.com/pod/show/insidedarknet/episodes/116-TeamPCP-e3j496q
Audio
https://traffic.megaphone.fm/APO2660908709.mp3
JSON
/v1/public/podcasts/inside-darknet-6682885/episodes/116-teampcp
Markdown
/podcast/inside-darknet-6682885/116-teampcp.md

Actions

  • POST https://stenobird.com/v1/public/podcasts/inside-darknet-6682885/episodes/116-teampcp/transcription-requests
    Idempotently request low-priority transcript generation for this episode.
  • GET https://stenobird.com/podcast/inside-darknet-6682885/116-teampcp.md
    Read the agent-friendly Markdown representation of this episode resource.

Summary

An exclusive interview with the leader of Team PCP, the threat actor responsible for compromising over 500,000 machines via supply chain attacks. The discussion reveals how they poisoned trusted security tools and build processes to bypass modern defenses.

Topics

  • Supply Chain Attacks
  • Malware Analysis
  • Software Integrity
  • Cybercrime Operations
  • GitHub Actions Exploitation
  • Digital Signatures
  • Threat Intelligence
  • Team PCP

Highlights

  • Main idea: Team PCP executes high-scale supply chain attacks by compromising the build and release workflows of trusted security tools
  • Technical mechanism: By poisoning GitHub Actions and build pipelines, the group produces malicious but digitally signed releases that bypass security scanners
  • Failure mode: Relying on digital signatures as a sole anchor of trust fails when the developer's signing infrastructure itself is compromised
  • Practical takeaway: Modern security depends on verifying the integrity of the entire build pipeline, not just the final signed binary
  • Targeting strategy: The group explicitly avoids small businesses and non-profits, focusing exclusively on high-value, multi-billion dollar corporations

Chapters

  1. 1:00 The Software Supply Chain Analogy: An explanation of how modern development relies on external libraries and tools, creating vulnerabilities similar to a compromised building material supplier.
  2. 14:50 Exploiting the Trivy Build Pipeline: Details on how the group used Git exploitation to inject malicious code into the Trivy security scanner's build process.
  3. 17:00 The Danger of Signed Malicious Releases: How poisoned binaries pass Microsoft Defender and other security checks because they carry valid developer signatures.
  4. 19:20 Geofencing and Anti-Analysis: The use of 'anti-gus' techniques to prevent the malware from executing in specific jurisdictions like Russia or Ukraine.
  5. 26:10 Proprietary Malware and Campaign Scale: A look into the group's private toolsets and their success in hitting dozens of companies within the first month of deployment.
  6. 28:30 Origins and Evolution of a Threat Actor: The leader discusses their history in the scene, starting from game memory hacking to large-scale enterprise breaches.
  7. 30:50 The Group's Manifesto: A closing statement defining their targets and their refusal to attack small businesses or critical infrastructure.