# 116; TeamPCP

Page: https://stenobird.com/podcast/inside-darknet-6682885/116-teampcp
Text version: https://stenobird.com/podcast/inside-darknet-6682885/116-teampcp.md
Podcast: [Inside Darknet](https://stenobird.com/podcast/inside-darknet-6682885)
Published: 2026-05-09T08:25:18+00:00
Episode link: https://podcasters.spotify.com/pod/show/insidedarknet/episodes/116-TeamPCP-e3j496q
Audio file: https://traffic.megaphone.fm/APO2660908709.mp3
Processing state: processed
JSON: https://stenobird.com/v1/public/podcasts/inside-darknet-6682885/episodes/116-teampcp
Duration seconds: 1866 (31:06)

## Resource

An exclusive interview with the leader of Team PCP, the threat actor responsible for compromising over 500,000 machines via supply chain attacks. The discussion covers how the group poisoned the build processes of trusted security tools so that the resulting releases bypassed modern defenses.

## Highlights

- Main idea: Team PCP runs high-scale supply chain attacks by compromising the build and release workflows of trusted security tools.
- Technical mechanism: by poisoning GitHub Actions workflows and build pipelines, the group produces malicious releases that carry the developer's valid digital signature and therefore pass security scanners.
- Failure mode: relying on a digital signature as the sole anchor of trust fails when the developer's signing infrastructure is itself compromised; the signature then only proves that whoever controlled the pipeline produced the binary.
- Practical takeaway: defending against this requires verifying the integrity of the entire build pipeline, not just the final signed binary.
- Targeting strategy: the group explicitly avoids small businesses and non-profits and focuses on high-value, multi-billion dollar corporations.

## Topics

Supply Chain Attacks, Malware Analysis, Software Integrity, Cybercrime Operations, GitHub Actions Exploitation, Digital Signatures, Threat Intelligence, Team PCP

## Chapters

- 1:00 — The Software Supply Chain Analogy: an explanation of how modern development relies on external libraries and tools, creating exposure similar to a building that depends on a compromised material supplier.
- 14:50 — Exploiting the Trivy Build Pipeline: details on how the group used GitHub Actions exploitation to inject malicious code into the Trivy security scanner's build process.
- 17:00 — The Danger of Signed Malicious Releases: how the poisoned binaries pass Microsoft Defender and other security checks because they carry valid developer signatures, so signature verification succeeds.
- 19:20 — Geofencing and Anti-Analysis: the use of 'anti-CIS' checks to prevent the malware from executing in specific jurisdictions such as Russia or Ukraine.
- 26:10 — Proprietary Malware and Campaign Scale: a look into the group's private toolsets and their success in hitting dozens of companies within the first month of deployment.
- 28:30 — Origins and Evolution of a Threat Actor: the leader discusses their history in the scene, from game memory hacking to large-scale enterprise breaches.
- 30:50 — The Group's Manifesto: a closing statement defining their targets and their refusal to attack small businesses or critical infrastructure.

## Actions

- request_transcript: `POST https://stenobird.com/v1/public/podcasts/inside-darknet-6682885/episodes/116-teampcp/transcription-requests` — Idempotently request low-priority transcript generation for this episode.
- read_markdown: `GET https://stenobird.com/podcast/inside-darknet-6682885/116-teampcp.md` — Read the agent-friendly Markdown representation of this episode resource.

A page view does not enqueue transcription. Agents should invoke `request_transcript` explicitly when they need this episode processed.

## Transcript

Full transcripts are not published on public pages unless there is a clear rights basis.
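The mechanism summarized in the Highlights and in the 14:50 and 17:00 chapters turns on the build workflow itself being the weak point: once an attacker controls what the workflow runs, the signing step faithfully signs their output, and a signature check on the artifact cannot tell the difference. The script below is an added example, not code from the podcast, from Team PCP or from the Trivy project; it audits a GitHub Actions workflow for the conditions that make such a takeover possible (actions pinned to mutable tags or branches, a `pull_request_target` job that checks out PR-controlled code, a `write-all` token, and build steps that pipe unverified downloads into a shell). The sample workflow, the illustrative commit SHA, and the function names are constructed for this example, and the checks are line-based heuristics rather than a full YAML parse.

```python
"""Audit a GitHub Actions workflow for weaknesses that let an attacker turn the
build pipeline into a source of validly signed malicious releases.

Added example (not code from the podcast, Team PCP or Trivy). The sample
workflow, the commit SHA used for the pinned action, and all function names
are constructed for illustration. The checks are line-based heuristics, not a
YAML parse, so they need nothing outside the standard library.
"""
from __future__ import annotations

import re

# A full 40-hex commit SHA is immutable; tags and branch names are not.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
# curl/wget output piped straight into a shell: unverified code runs in the build.
PIPE_TO_SHELL_RE = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(sh|bash)\b")

# Constructed sample: the release is signed at the end, but everything that
# feeds the signing step can be influenced by an attacker.
SAMPLE_WORKFLOW = """\
name: release
on:
  pull_request_target:
  push:
    tags: ['v*']
permissions: write-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32  # illustrative SHA
      - run: curl -sSL https://example.invalid/install.sh | sh
      - run: make release
      - uses: sigstore/cosign-installer@main
      - run: cosign sign-blob --key "${{ secrets.SIGNING_KEY }}" dist/release.tar.gz
"""


def audit_workflow(text: str) -> list[str]:
    """Return one finding per weakness found in the workflow text."""
    findings: list[str] = []
    lines = text.splitlines()
    uses_pr_target = any(ln.strip().startswith("pull_request_target") for ln in lines)
    checks_out_pr_head = any("github.event.pull_request.head" in ln for ln in lines)

    for n, line in enumerate(lines, 1):
        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            if not ref.startswith(("./", "docker://")):  # local/docker refs are out of scope here
                name, _, version = ref.partition("@")
                if not SHA_RE.match(version):
                    shown = version or "(none)"
                    findings.append(
                        f"L{n}: action {name} pinned to mutable ref '{shown}' instead of a commit SHA"
                    )
        if PIPE_TO_SHELL_RE.search(line):
            findings.append(f"L{n}: build step pipes a network download into a shell unverified")
        if re.match(r"^\s*permissions:\s*write-all\b", line):
            findings.append(f"L{n}: token granted write-all; scope permissions per job")

    # The dangerous combination: untrusted PR code executing with secrets and a write token.
    if uses_pr_target and checks_out_pr_head:
        findings.append(
            "pull_request_target job checks out PR-controlled code while holding "
            "repository secrets and a write token"
        )
    return findings


if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE_WORKFLOW):
        print(finding)
```

Run it over your own `.github/workflows/*.yml`. A clean result is not proof of pipeline integrity, only the absence of these four well-known weaknesses; the episode's point is that the signature on the released binary is the last thing to check, not the first.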