Hunt.io — TeamPCP FIRESCALE Malware Uses GitHub Dead-Drop for C2 Resilience
AI relevance: The malware targets developer machines that build and deploy AI agent systems — harvesting credentials from vector DBs, model APIs, CI/CD pipelines, and cloud AI infrastructure with a resilient 3-tier exfiltration chain designed to survive C2 takedowns.
What happened
Hunt.io published the first complete static analysis of the 13-file Python toolkit TeamPCP deploys as a second-stage payload after the Mini Shai-Hulud npm/PyPI supply chain compromises. The toolkit targets AI/ML developer workstations with a sophisticated credential-harvesting and exfiltration pipeline:
- FIRESCALE dead-drop mechanism. When the hardcoded primary C2 server (83.142.209[.]194) is unreachable, the malware searches all public GitHub commit messages worldwide for a signed alternative server URL, verified against an embedded 4096-bit RSA public key. Prior vendor reports named FIRESCALE but did not document how it works end-to-end.
- Three-tier exfiltration. Data is exfiltrated in sequence: primary C2 → FIRESCALE GitHub dead-drop → the victim's own GitHub repository. Blocking any single tier leaves the other two intact.
- AWS GovCloud explicitly targeted. The AWS credential collector covers all 19 regions including us-gov-east-1 and us-gov-west-1, partitions restricted to U.S. government agencies and defense contractors.
- Anti-sandbox environment gates. The dropper exits silently on non-Linux OS, Russian locale systems, or machines with ≤4 CPU cores. It uses a pip flag to bypass Ubuntu 22.04's externally-managed-environment restriction.
- Broad credential sweep. Beyond standard cloud credentials, the toolkit captures every environment variable, all SSH keys and configs, Docker container credentials, dotenv files across the entire home directory, and shell histories.
- Geopolitical wiper. On Israeli or Iranian machines, a 1-in-6 probability gate triggers maximum-volume audio playback followed by deletion of all accessible files. Russian-locale machines exit before any payload runs.
- Pre-provisioned infrastructure. Three C2 IPs in the 83.142.209[.]0/24 subnet were provisioned with SSH active in November 2025 — four months before the TanStack attack went public — suggesting deliberate infrastructure buildup with dormant periods to accumulate clean history.
Why it matters
The FIRESCALE dead-drop mechanism represents a new class of resilient C2 for supply chain attacks: using public GitHub commits as a distributed command channel makes takedown nearly impossible without platform-level cooperation. AI developers are prime targets — their machines hold API keys for model providers, vector database credentials, agent orchestration configs, and cloud AI infrastructure access. The toolkit's 13-module design runs collectors in parallel, harvesting 90+ credential categories from a single compromised developer workstation.
What to do
- Rotate all credentials on machines that installed trojanized TanStack, Mistral, UiPath, Guardrails AI, or OpenSearch packages during the May 2026 campaign window.
- Audit GitHub commit messages and repository activity for unusual signed URLs or unexpected exfiltration patterns.
- Block outbound DNS and HTTPS traffic to the 83.142.209[.]0/24 subnet at the network perimeter.
- Review npm/PyPI package provenance with supply chain integrity tools (Socket, Sigstore cosign, SLSA attestations) to catch malicious packages before they reach developer machines.