One Hacker Group Is Turning Software Supply Chains Into a Self-Replicating Nightmare
Software supply chain attacks used to be the kind of thing that kept security engineers awake at night precisely because they were so rare and so difficult to detect. The basic premise is grimly elegant: instead of attacking a target directly, you corrupt something they already trust. A library, a plugin, a routine update. The malware rides in on the back of legitimate code, and nobody notices until it's far too late.
For years, incidents like this were treated as exceptional events. SolarWinds. XZ Utils. Each one triggered a wave of industry soul-searching before things quietly returned to normal. That's no longer the pattern.
A group calling itself TeamPCP has conducted over 20 distinct waves of supply chain attacks in just the past few months, embedding malware in more than 500 separate pieces of software according to cybersecurity firm Socket, which tracks this stuff professionally. Counting individual version releases, the number of compromised packages runs well into four figures. This is not exceptional. This is industrial.
The most headline-grabbing victim so far is GitHub itself. A developer at the platform installed a compromised VSCode extension, which gave TeamPCP a foothold inside Microsoft's code hosting giant. The attackers claim to have accessed around 4,000 internal repositories. GitHub confirmed at least 3,800 were affected, though it says the compromised content was its own internal code rather than customer data. The group promptly advertised the haul on BreachForums, offering source code for sale with the cheerful caveat that they'd happily send samples to interested buyers to verify authenticity.
GitHub is only the most recent name on a list that already includes OpenAI, data contracting firm Mercor, the European Commission's public website, and a string of software tools including the security scanner Trivy, API utility LiteLLM, data visualisation library AntV, and web app library TanStack. Mistral AI and infrastructure from application security firm Checkmarx have also been hit.
What makes TeamPCP genuinely dangerous, rather than just prolific, is how the operation sustains itself. The group targets environments where developers are building tools used by other developers. Compromising one tool plants malware on the machines of people writing other tools, which then gets used to steal credentials needed to push malicious updates to those tools. It cycles. Ben Read, who heads strategic threat intelligence at cloud security firm Wiz, describes it as a flywheel. Each compromised project produces the access required to compromise the next one.
Recently, much of this appears to have been automated. A worm researchers are calling Mini Shai-Hulud handles the self-spreading element, creating GitHub repositories filled with encrypted stolen credentials, each tagged with the phrase 'A Mini Shai-Hulud Has Appeared' along with various references to the Frank Herbert novel Dune. The name and the references appear to nod toward an earlier supply chain worm called Shai-Hulud that surfaced last September, though there's no confirmed link between that and TeamPCP.
The group's dark web presence includes Matrix-style cascading binary graphics, a reggae fusion soundtrack, and the tagline 'TEAMPCP: The Cats Hijacking Your Supply Chains.' They are clearly not shy about the attention.
TeamPCP started out in late 2025 exploiting cloud misconfigurations and a vulnerability in the Next.js web framework to run a botnet for credential theft and crypto mining. The supply chain pivot came later and has proven far more lucrative. The group is primarily financially motivated, running ransomware campaigns and data extortion operations, though it also sells access and data outright. The GitHub situation was framed not as a ransom demand but as a one-buyer sale, with a lightly veiled threat to leak the data for free if no buyer materialised.
Since April, TeamPCP has also been expanding into ransomware-as-a-service territory, establishing partnerships with BreachForums and DragonForce. It has also dabbled in what looks like geopolitical targeting. A wiper dubbed CanisterWorm hit Kubernetes infrastructure broadly but only detonated its destructive payload against Iranian targets. This week, someone claiming to be the group published the source code for the original Shai-Hulud worm with detailed documentation attached, for reasons that remain unclear.
Nathaniel Quist at Palo Alto Networks' Cortex Cloud team describes the operation as spreading like wildfire, driven by one simple fact: stolen credentials tend to work in far more places than they should. Long-lived tokens and personal access keys sitting in development environments give the group remarkable reach once they're inside anywhere in the chain. His advice is blunt. Rotate your tokens. All of them. Even if you have not used any of the specific compromised packages. GitHub, GitLab, AWS, Azure, GCP, Alibaba and Oracle credentials are all being swept up and exploited.
The practical defences are straightforward but inconvenient. Wiz recommends imposing a delay before applying newly published updates to open source packages, basically letting someone else discover the poisoned version before you install it. In a recent incident, Wiz detected a malicious TeamPCP update and notified customers within minutes. Many had already auto-updated by then.
Socket's Philipp Burckhardt, who has tracked TeamPCP for months, argues that organisations need to treat open source updates the way they'd treat any other untrusted code: scan them for malware before deployment, impose a cooling-off period, and assume that anything published in the last 24 hours could be compromised until proven otherwise.
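The cooling-off period described above, as an added example that is not code from Wiz, Socket or the original article: a Python sketch that picks the newest stable release older than a minimum age and reports which releases are being held back. The `time` map follows the shape of npm registry package metadata; the sample data and function names are constructed for illustration, and the 24-hour default mirrors the window mentioned above.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like the "time" map in npm registry package
# metadata (version -> ISO 8601 publish timestamp). Not real package data.
SAMPLE_TIMES = {
    "created": "2024-01-10T09:00:00.000Z",
    "modified": "2025-06-02T11:40:00.000Z",
    "4.2.0": "2025-05-20T08:15:00.000Z",
    "5.0.0-beta.1": "2025-05-28T10:00:00.000Z",
    "4.2.1": "2025-06-01T16:30:00.000Z",
    "4.3.0": "2025-06-02T11:40:00.000Z",
}

def parse_ts(stamp):
    """Parse a registry timestamp such as 2025-06-01T16:30:00.000Z as UTC."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))

def stable_key(version):
    """Return (major, minor, patch) for plain releases; None for
    pre-releases and for bookkeeping keys such as 'created'."""
    parts = version.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def select_version(times, now, min_age=timedelta(hours=24)):
    """Return (chosen, held): the newest stable version published at least
    min_age before `now`, and the stable versions still inside the window."""
    eligible, held = [], []
    for version, stamp in times.items():
        key = stable_key(version)
        if key is None:
            continue
        # A publish time in the future (clock skew) gives a negative age,
        # so the version is held rather than trusted.
        age = now - parse_ts(stamp)
        (eligible if age >= min_age else held).append((key, version))
    chosen = max(eligible)[1] if eligible else None
    return chosen, [v for _, v in sorted(held)]

if __name__ == "__main__":
    now = datetime(2025, 6, 2, 12, 0, tzinfo=timezone.utc)  # constructed "current" time
    chosen, held = select_version(SAMPLE_TIMES, now)
    print("pin to:", chosen)
    print("held back (too new):", ", ".join(held) or "none")
```

When no release is old enough the function returns `None` for the chosen version, which a build should treat as "keep the existing pin" rather than fall back to the latest tag.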
The old mental model where you install the latest version because newer means safer no longer holds. In the current environment, newer might just mean TeamPCP got there first.