Analyzing TeamPCP’s Supply Chain Attacks: Checkmarx KICS and elementary-data in CI/CD Credential Theft

Our research examines the April 22 Checkmarx KICS and April 24 elementary-data incidents as part of a broader TeamPCP supply chain campaign. Across both cases, the actor abused trusted CI/CD and release workflows to steal credentials at scale...

dbtr (>=0.3.0 <=0.3.6), dbtr-lt (=0.3.5) +1 more potentially affected by unknown CVE via elementary-data (>=0.15.1 <=0.23.4)

elementary-data PYPI version =0.15.1, =0.3.0, =0.1.2, =0.1.4 Source cves: unknown CVE Source advisory: SNYK:PYTHON-ELEMENTARYDATA-16316110...

Malicious code in elementary-data (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 96dc65f67f54411d3de6b23a33a8f73665e2703d7261b7f1720cdc089c528eea Versions 0.23.3 were compromised. A threat actor exploited a vulnerability in the CI workflows to inject code and establish, likely, a reverse shell in the CI...

MAL-2026-3083 Malicious code in elementary-data (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 96dc65f67f54411d3de6b23a33a8f73665e2703d7261b7f1720cdc089c528eea Versions 0.23.3 were compromised. A threat actor exploited a vulnerability in the CI workflows to inject code and establish, likely, a reverse shell in the CI...

dbtr (>=0.3.0 <=0.3.6), dbtr-lt (=0.3.5) potentially affected by unknown CVE via elementary-data (=0.15.1)

elementary-data PYPI version =0.15.1 is affected by a known vulnerability. The following packages have a transitive dependency on elementary-data and may be impacted: - dbtr =0.3.0, =0.3.6 - dbtr-lt =0.3.5 Source cves: unknown CVE Source advisory: OSV:MAL-2026-3083...