SANDCLOCK

A credential stealer used by UNC6780 (TeamPCP) to exfiltrate AWS keys, GitHub tokens, and supply-chain credentials enabling downstream repository and infrastructure access.

Last refreshed: 20 May 2026 · Appears in 1 active topic

Key Question

How did one credential-stealer open Cisco, LiteLLM, and BerriAI in the same window?

Timeline for SANDCLOCK

#4 · 11 May

Exfiltrated credentials from the Trivy supply-chain compromise to enable Cisco repository access

Cybersecurity: Threats and Defences: UNC6780 takes Cisco AI Defense source code
#4 · 8 May

Exfiltrated AWS keys and GitHub tokens enabling the LiteLLM intrusion

Cybersecurity: Threats and Defences: LiteLLM SQL injection hits in 36 hours
Common Questions
What is SANDCLOCK malware?
SANDCLOCK is a credential-stealing tool used by the UNC6780 (TeamPCP) threat cluster to harvest developer tokens from compromised CI/CD pipeline scanners. It was used to steal GitHub tokens and AWS keys from Trivy, LiteLLM, and Cisco environments in the spring 2026 campaign.
Source: GTIG
How did SANDCLOCK enable the Cisco GitHub breach?
SANDCLOCK exfiltrated credentials from the Trivy vulnerability scanner (CVE-2026-33634), which held pipeline tokens for Cisco's private GitHub repositories. Those tokens gave UNC6780 direct access to clone over 300 private Cisco repos.
Source: SANS Internet Storm Center
Which threat group uses SANDCLOCK?
SANDCLOCK is a tool of UNC6780, also tracked as TeamPCP, a financially motivated cluster named by Google's Threat Intelligence Group in May 2026 as the operator behind the Cisco GitHub theft and LiteLLM intrusion.
Source: GTIG

Background

SANDCLOCK is the credential-stealer tooling deployed by UNC6780 (TeamPCP) in its May 2026 supply-chain operation. It exfiltrated GitHub tokens and AWS keys from developer environments compromised through the Trivy vulnerability (CVE-2026-33634, March 2026), providing the cluster with the credentials needed to access Cisco's private GitHub repositories. The same SANDCLOCK-harvested credentials were used separately in the LiteLLM and BerriAI intrusion, demonstrating a credential-reuse pattern across distinct target organisations within the same campaign window.

SANDCLOCK had been in circulation before the May 2026 campaign; prior TeamPCP operations used it against SAP npm package ecosystems. The Trivy supply-chain pivot gave SANDCLOCK a far broader harvest surface than targeted attacks on individual developer endpoints: because Trivy is a universal container-security scanner that holds pipeline credentials for every project it audits, a single Trivy compromise yields credentials across all downstream projects that trust it.

SANDCLOCK represents a class of supply-chain credential stealers that target the tooling layer rather than end-user devices, exploiting the structural concentration risk of CI/CD pipeline scanners. For defenders, this shifts the credential-hygiene perimeter from developer laptops to the scanner and auditing toolchain itself.
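The concentration risk described above is visible in a CI workflow file long before any compromise: a scanner step that runs third-party code and is handed long-lived cloud and VCS secrets is exactly what turns one scanner compromise into credentials for every project that trusts it. The audit below is an added example written for this briefing, not code from GTIG, SANS, Trivy or any project named here. It assumes a GitHub Actions workflow already parsed into a Python dict (as PyYAML's `safe_load` would produce) and flags three things defenders can fix: third-party actions pinned to a mutable tag or branch instead of a commit SHA, `${{ secrets.* }}` values injected into a third-party step's `env` or `with`, and a missing or `write-all` top-level `permissions` block for the job token. The workflow, action name, secret names and commit SHA in `SAMPLE_WORKFLOW` are constructed placeholders, not identifiers from the campaign.

```python
"""Audit a CI workflow for long-lived credentials exposed to third-party scanner steps.

Added example for this briefing, not code from any vendor or project named on the page.
The workflow below is a constructed GitHub Actions job, already parsed into a dict
(as PyYAML's safe_load would produce); action names, secret names and the SHA are placeholders.
"""
import re
from typing import Dict, List, Optional

SHA_PIN = re.compile(r"^[0-9a-f]{40}$")                       # immutable commit pin
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")  # ${{ secrets.NAME }}


def ref_is_mutable(uses: str) -> bool:
    """True when `uses: owner/repo@ref` points at a tag or branch rather than a commit SHA.
    Local actions (./path) and docker:// images are out of scope for this check."""
    if "@" not in uses or uses.startswith("./") or uses.startswith("docker://"):
        return False
    _, ref = uses.rsplit("@", 1)
    return SHA_PIN.match(ref) is None


def secrets_in(mapping: Optional[Dict]) -> List[str]:
    """Collect secret names referenced via ${{ secrets.X }} in a step's env/with mapping."""
    names: List[str] = []
    for value in (mapping or {}).values():
        names.extend(SECRET_REF.findall(str(value)))
    return names


def audit_workflow(workflow: Dict) -> List[Dict]:
    """Return one finding per rule violation; an empty list means the workflow passes."""
    findings: List[Dict] = []

    # Rule 1: the job token should be scoped read-only at the top level.
    perms = workflow.get("permissions")
    if perms is None or perms == "write-all":
        findings.append({"rule": "token-permissions", "job": None, "step": None,
                         "detail": "GITHUB_TOKEN not scoped read-only; set top-level permissions"})

    for job_name, job in workflow.get("jobs", {}).items():
        for step in job.get("steps", []):
            uses = step.get("uses")
            if not uses:
                continue  # `run:` steps execute repository-controlled code, not a third-party action
            label = step.get("name", uses)

            # Rule 2: a tag or branch can be moved by the action's owner (or whoever compromises them).
            if ref_is_mutable(uses):
                findings.append({"rule": "mutable-action-ref", "job": job_name, "step": label,
                                 "detail": f"{uses} is pinned to a tag/branch; pin to a commit SHA"})

            # Rule 3: long-lived secrets handed to a third-party step are harvestable by that step.
            exposed = sorted(set(secrets_in(step.get("env")) + secrets_in(step.get("with"))))
            if exposed:
                findings.append({"rule": "secret-exposed-to-third-party", "job": job_name, "step": label,
                                 "detail": f"{uses} receives long-lived secrets: {', '.join(exposed)}"})
    return findings


# Constructed workflow: one scanner step pinned by tag and handed cloud plus VCS credentials.
SAMPLE_WORKFLOW = {
    "name": "ci",
    "on": ["push"],
    "jobs": {
        "scan": {
            "runs-on": "ubuntu-latest",
            "steps": [
                {"uses": "actions/checkout@0123456789abcdef0123456789abcdef01234567"},  # placeholder SHA
                {"name": "Container scan",
                 "uses": "example-org/scanner-action@v1",  # placeholder third-party scanner
                 "env": {"AWS_ACCESS_KEY_ID": "${{ secrets.AWS_ACCESS_KEY_ID }}",
                         "AWS_SECRET_ACCESS_KEY": "${{ secrets.AWS_SECRET_ACCESS_KEY }}",
                         "GITHUB_TOKEN": "${{ secrets.ORG_PAT }}"}},
                {"name": "Unit tests", "run": "make test"},
            ],
        }
    },
}

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"[{f['rule']}] job={f['job']} step={f['step']}: {f['detail']}")
```

Run against the constructed workflow, the audit reports all three rules; the fix is the one the Background paragraph implies: pin scanner actions to a commit SHA, give the scanner short-lived, narrowly scoped credentials (OIDC-issued cloud roles and a read-only job token) instead of organisation-wide static keys, and treat the secrets any scanner step can read as the blast radius of that scanner's compromise.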

Source Material