One Hacker Group Is Turning Software Supply Chain Attacks Into a Production Line
Supply chain attacks used to be the kind of thing that kept security researchers up at night precisely because they were rare. Hiding malicious code inside legitimate software is an elegant, nasty technique, and the fact that it didn't happen constantly was the only thing stopping it from being catastrophic. That calculation is now out the window.
A group called TeamPCP has spent the last several months running what can only be described as a supply chain attack factory. According to Socket, a firm that tracks software supply chain threats, the group has executed 20 distinct waves of attacks in just a few months, injecting malware into more than 500 separate pieces of software. When you count all the individual versions of those packages they've tampered with, the number tips well past a thousand.
The latest, and arguably most headline-grabbing, victim is GitHub itself. A developer at the Microsoft-owned platform installed a compromised VSCode extension, which gave TeamPCP a foothold. The group claims to have accessed around 4,000 internal repositories. GitHub confirmed at least 3,800, and says the stolen code appears to be internal GitHub code rather than customer data. TeamPCP posted on BreachForums advertising the haul for sale, dropping what reads like a retirement joke as a parting threat: if no buyer materialises, they'll leak it for free.
GitHub is not the start of this story, just the loudest chapter so far. Previous victims include Anthropic, whose Claude source code was reportedly compromised, OpenAI, where two employee devices were hit, the European Commission's public website, the data contracting firm Mercor, and quite a few others. Ben Read, who leads strategic threat intelligence at Wiz, puts it plainly: each of these incidents is a serious breach for the organisation it hits, even if they're coming so fast that the previous one barely registers before the next one lands.
The mechanics of how TeamPCP operates are worth understanding because they're genuinely clever in a grim sort of way. The group finds its way into a network where an open source developer tool is being maintained, poisons the tool with malware, and then waits for other developers to install it. Those developers often turn out to be maintaining their own tools. The malware steals credentials, the group publishes corrupted versions of the next tool, and the cycle continues. Read calls it a flywheel of supply chain compromises. It is self-perpetuating almost by design.
More recently, TeamPCP appears to have automated much of this process with a self-spreading worm researchers are calling Mini Shai-Hulud, after the Dune sandworm. The worm creates GitHub repositories containing encrypted stolen credentials, each helpfully labelled with the phrase "A Mini Shai-Hulud Has Appeared" alongside other Dune references. Whether this is art or just trolling is left as an exercise for the reader. There was an earlier, unrelated worm called Shai-Hulud that appeared last September, though no evidence links TeamPCP to that one.
The group's dark web presence, featuring Matrix-style cascading binary and a reggae fusion soundtrack, makes it clear these people enjoy the attention. Their tagline: "TEAMPCP: The Cats Hijacking Your Supply Chains." Subtle.
TeamPCP started out in late 2025 exploiting cloud misconfigurations and a vulnerability in Next.js, building botnets for credential theft and crypto mining. The pivot to supply chain attacks came gradually, but once they found the flywheel, they ran with it hard. In March the group embedded an infostealer in the open source security scanner Trivy, then used credentials stolen from that attack to compromise versions of LiteLLM on PyPI. They also hit Checkmarx, pgserve, TanStack, and Mistral AI.
Nathaniel Quist, who manages the Cortex Cloud intelligence team at Palo Alto Networks, says the common thread running through all of it is long-lived credentials sitting in developer environments. Static tokens and personal access tokens for GitHub and GitLab are gold dust for this group. His advice is blunt: rotate your tokens, even if you haven't installed any of the affected packages. AWS, Azure, GCP, Alibaba, and Oracle credentials are all in scope.
The group is financially motivated and operates across ransom, data extortion, and straightforward data sales. In April it reportedly moved toward a ransomware-as-a-service model by partnering with BreachForums and DragonForce. There's also a geopolitical wrinkle: a wiper dubbed CanisterWorm targeted Kubernetes infrastructure broadly but activated its destructive payload only against Iranian systems. This week, someone claiming to be TeamPCP released the original Shai-Hulud worm source code with full documentation. Why? Not obvious.
As for what defenders can actually do: Wiz's Read recommends treating new software updates with some suspicion. In one recent incident, Wiz detected a malicious TeamPCP update within minutes and alerted customers, but a significant chunk of users had auto-updates enabled and had already pulled it down before the warning landed. Sitting on updates for a brief cooling-off period, letting others discover the tripwires first, is not glamorous advice but it's practical.
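One way to put that cooling-off period into practice, as an added example that is not code from Wiz, Socket or any project named in this article: pick the highest release that has aged past a waiting window and hold back anything newer. The seven-day window, the function names and the sample data are assumptions; the sample is constructed in the shape of the "releases" mapping returned by PyPI's JSON API.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample, shaped like the "releases" mapping in PyPI's JSON API
# (version -> list of uploaded files). Versions and dates are made up.
SAMPLE_RELEASES = {
    "1.4.0": [{"upload_time_iso_8601": "2026-01-10T09:00:00Z", "yanked": False}],
    "1.4.1": [{"upload_time_iso_8601": "2026-02-02T12:30:00Z", "yanked": True}],
    "1.4.2": [{"upload_time_iso_8601": "2026-02-20T08:15:00Z", "yanked": False}],
    "1.5.0": [{"upload_time_iso_8601": "2026-03-01T23:50:00Z", "yanked": False}],
    "1.5.1rc1": [{"upload_time_iso_8601": "2026-03-02T10:00:00Z", "yanked": False}],
}

def _last_upload(files):
    """Latest upload time among a release's files (None if it has none).
    Using the latest file means a late-added artifact restarts the clock."""
    times = [datetime.fromisoformat(f["upload_time_iso_8601"].replace("Z", "+00:00"))
             for f in files]
    return max(times) if times else None

def _version_key(version):
    """Sort key for plain dotted-numeric versions; None for pre-releases etc."""
    parts = version.split(".")
    return tuple(int(p) for p in parts) if all(p.isdigit() for p in parts) else None

def pick_aged_release(releases, now, cooling_off=timedelta(days=7)):
    """Return (version_to_pin, newer_versions_held_back)."""
    eligible, held = [], []
    for version, files in releases.items():
        key, uploaded = _version_key(version), _last_upload(files)
        if key is None or uploaded is None or any(f.get("yanked") for f in files):
            continue  # never auto-select pre-releases, empty or yanked releases
        (eligible if now - uploaded >= cooling_off else held).append((key, version))
    held.sort()
    if not eligible:
        return None, [v for _, v in held]  # nothing has aged enough: pin nothing
    best_key, best = max(eligible)
    return best, [v for k, v in held if k > best_key]

if __name__ == "__main__":
    now = datetime(2026, 3, 3, tzinfo=timezone.utc)
    pin, held = pick_aged_release(SAMPLE_RELEASES, now)
    print(f"pin {pin}; still cooling off: {held}")
```

The held-back list is the useful output for review: those are the versions to scan or read advisories about before the window expires, rather than ones to install on arrival.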
Socket's Philipp Burckhardt, who has tracked TeamPCP for months, puts the wider challenge clearly. Open source users need to actively scan updates for malicious code before deploying them, not just trust the update channel. The moment compromised code hits your machine, the damage is already done.
The uncomfortable truth here is that the open source ecosystem runs on trust, and TeamPCP has identified trust as the vulnerability. There's no easy patch for that.