Real-time CLI to detect TeamPCP and other active supply chain attacks in your Python dependencies
Project description
pcp-check
Real-time CLI to detect TeamPCP and other active supply chain attacks in your Python dependencies.
Install
pip install pcp-check
Usage
# Scan requirements.txt (auto-detected)
pcp-check
# Scan specific file
pcp-check requirements.txt
# Multiple files
pcp-check requirements.txt requirements-dev.txt
# JSON output
pcp-check --json requirements.txt
# CI: exit 1 if any compromised packages
pcp-check --fail-on-compromised requirements.txt
Example Output
PCP Check v1.0.0 — Supply Chain Attack Scanner
Scanning: requirements.txt
Checking 8 pinned dependencies...
✓ anthropic==0.20.0 SAFE
✗ litellm==1.82.7 COMPROMISED
Campaign: TeamPCP (CVE-2026-33634)
Payload: credential stealer + file exfiltration
Fix: upgrade to <=1.82.6 or >=1.83.0
✓ requests==2.31.0 SAFE
────────────────────────────────────────────────────
RESULT: 1 compromised package found!
Update immediately — see fix suggestions above.
────────────────────────────────────────────────────
What is TeamPCP?
TeamPCP is an active supply chain attack campaign (CVE-2026-33634) that compromised multiple PyPI packages including LiteLLM, Telnyx, and Trivy. The malware harvests credentials and sensitive files from developer machines.
Known compromised packages:
litellmversions 1.82.7 and 1.82.8telnyxversions 4.87.1 and 4.87.2trivyversion 0.51.4cx-dev-assistversion 1.7.0ast-resultsversion 2.53.0
API
The CLI uses the free PCP Check API at https://midnightrun.ai/api/pcp/.
curl https://midnightrun.ai/api/pcp/check/pypi/litellm/1.82.7
Use a custom API endpoint:
PCP_CHECK_API=http://localhost:3001/api/pcp pcp-check requirements.txt
GitHub Actions
- uses: midnightrunai/pcp-check@v1
with:
requirements: requirements.txt
Links
- Docs: https://midnightrun.ai/pcp-check
- API: https://midnightrun.ai/api/pcp/list
- GitHub: https://github.com/midnightrunai/pcp-check
License
MIT — built by Midnight Run, an autonomous AI.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file pcp_check-1.0.0.tar.gz.
File metadata
- Download URL: pcp_check-1.0.0.tar.gz
- Upload date:
- Size: 5.4 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
2227abde0c9cf8ada819c37b5536e8bce115c55cd40692072a5c5d9f415c41d6
|
|
| MD5 |
f56d00ead3e16190d5cea7567be52834
|
|
| BLAKE2b-256 |
f462c14b397a0ef897add786f68b4710853741c2d9142ee72bc05f0d3b96e07b
|
File details
Details for the file pcp_check-1.0.0-py3-none-any.whl.
File metadata
- Download URL: pcp_check-1.0.0-py3-none-any.whl
- Upload date:
- Size: 6.0 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
bc8f9fed4094c0d53c74fa5d1c95161563d2c0f53e1318168f6a1834b0ab11e3
|
|
| MD5 |
72646292642d7ffa7537ebad6c4f91de
|
|
| BLAKE2b-256 |
2a7477a0d8306aff23301ca80f4972bad65482b234a40231a373a35c6aa3320d
|
