In less than four months TeamPCP has “compromised and injected malicious code into more than 1,000 software packages,” a campaign that has recalibrated how developers, maintainers and defenders think about trust in open-source supply chains.
Scale and scope: packages, downloads and the claimed hit list
Researchers say the group’s spree began with Trivy in February and rapidly spread across npm, PyPI, GitHub and other registries. Palo Alto Networks’ Nathaniel Quist estimates the full collection of compromised or poisoned packages accounts for roughly 500 million weekly downloads combined. TeamPCP’s publicly claimed victim list includes Checkmarx, Bitwarden, LiteLLM, Telnyx, Mercor AI, PyTorch Lightning, AntV, SAP, GitHub, TanStack, UiPath, MistralAI, Microsoft DurableTask, Red Hat and Nx Console.
The group has also posted assets for sale: TeamPCP listed about 4,000 private code repositories on a dark web forum with an asking price of $95,000, and the actor has publicly claimed more than 10,000 victims and about $90,000 in extortions, according to Quist.
How TeamPCP weaponizes CI/CD, dependencies and “speed”
TeamPCP’s model exploits widely adopted automation: continuous integration and continuous delivery (CI/CD) runners that build, test and publish code. Amitai Cohen, head of the attack vector intel team at Wiz, explained that those runners — and the keys and source-access they hold on developer laptops and endpoints — create “incredibly valuable supply-chain targets.” When a compromised repository is pulled by downstream systems that automatically update to the latest version, malware travels with legitimate updates.
Ben Read of Wiz says defenders are faster than early in the campaign — some compromised repositories have been pulled within 15 minutes — but the group still infects new packages almost daily and “validates compromises and captures sensitive data within 24 hours.” The structural tension is stark: developers are taught to install the “latest version” for security and features, and that same habit is the vector TeamPCP exploits.
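The "latest version" tension described above can be made concrete with a release-age gate. This is an added example, not code from the article or from any vendor it quotes. It compares what an eager resolver installs with what a gate requiring a minimum release age would install. The package names, versions and timestamps are constructed, the matcher is a simplified stand-in for real semver resolution, and the 72-hour cooldown is an assumed policy value, not a figure from the article.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data: hypothetical package names, versions, publish times.
NOW = datetime(2025, 1, 10, 12, 0, tzinfo=timezone.utc)
REGISTRY = {
    "example-http-lib": {
        "2.3.0": NOW - timedelta(days=40),
        "2.3.1": NOW - timedelta(days=9),
        "2.3.2": NOW - timedelta(minutes=20),  # fresh release, not yet vetted
    },
    "example-logger": {
        "1.0.0": NOW - timedelta(days=200),
        "1.1.0": NOW - timedelta(days=2),
    },
}
MANIFEST = {"example-http-lib": "^2.3.0", "example-logger": "1.0.0"}

def vkey(version):
    return tuple(int(p) for p in version.split("."))

def is_floating(spec):
    """True if the spec can resolve to a release published after it was written."""
    return spec in ("latest", "*") or spec[0] in "^~"

def satisfies(version, spec):
    """Simplified matcher (exact, ^, ~, latest, *); not a full semver implementation."""
    if spec in ("latest", "*"):
        return True
    if spec[0] in "^~":
        base, keep = vkey(spec[1:]), (1 if spec[0] == "^" else 2)
        return vkey(version)[:keep] == base[:keep] and vkey(version) >= base
    return vkey(version) == vkey(spec)

def resolve(name, spec, now, min_age=timedelta(0)):
    """Highest matching version that has been public for at least min_age."""
    ok = [v for v, ts in REGISTRY[name].items()
          if satisfies(v, spec) and now - ts >= min_age]
    return max(ok, key=vkey) if ok else None

def audit(manifest, now, cooldown=timedelta(hours=72)):  # 72h is an assumed policy
    """Report floating specs where an eager install differs from a gated one."""
    findings = []
    for name, spec in manifest.items():
        eager, gated = resolve(name, spec, now), resolve(name, spec, now, cooldown)
        if is_floating(spec) and eager != gated:
            findings.append((name, spec, eager, gated))
    return findings

if __name__ == "__main__":
    print(audit(MANIFEST, NOW))
```

Each finding lists the package, its spec, the version an automatic update would pull now, and the newest version old enough to pass the gate. The pinned dependency produces no finding because its resolution cannot change.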
Techniques, payloads and self-replication
TeamPCP’s payloads have evolved. Researchers note JavaScript and Python payloads, lateral movement from local files to Kubernetes APIs, bundled SDK compromises, and recent credential theft via custom protocols. The crew is also linked to Mini Shai-Hulud, a self-replicating malware strain that infected hundreds of packages across registries during successive sprees. An affiliate published Mini Shai-Hulud’s full source on GitHub and encouraged reuse, turning a single campaign into a template for broader abuse.
The attacks’ operational tempo and variety — combined with recurring infections for some victims who failed to rotate secrets — have made containment and recovery difficult. Cohen warned that failures to properly revoke and rotate secrets mean organizations can fall prey repeatedly; some victims were compromised three times in a month.
Motivation and organization: a single core operator and a desire for chaos
Google attributes TeamPCP’s activity to one core operator and said it traced residential and mobile IP address connections to South Africa, indicating the primary operator was located there during at least some attacks. Kimberly Goody of Google Threat Intelligence Group said, “We don’t believe that there’s an established core group, at least not yet, and that a lot of this has been conducted by an individual.”
Palo Alto Networks reports that the core manager uses the “ResoluteXBF” handle, and the company is tracking two additional members: “diencracked” and “Shinigami.” Researchers link TeamPCP to extortion crews, dark web forums and affiliates including Lapsus$, ShinyHunters, Vect, DragonForce, BreachForums and “HasanBroker.” Goody and Quist characterize the actor as motivated more by notoriety and chaos than by maximizing extortion revenue; Quist said the group has even offered financial rewards for the largest software supply-chain attack.
What this means for developers, enterprises, and law enforcement
- Developers and maintainers: Expect increased scrutiny of package provenance and CI/CD credential hygiene. Socket founder Feross Aboukhadijeh warned that AI-driven automation has created situations where “there’s in some cases virtually no human in the loop or any kind of sanity check” on package installs.
- Affected enterprises and procurement teams: Rapid updates to remain patched are now a trade-off. Nathaniel Quist emphasized the responsibility of package publishers to secure credentials and “not provide a jump off point to trigger a supply-chain event.”
- Law enforcement: If TeamPCP really is driven by a single core operator, Google noted, that creates “a rare opportunity to make a lasting impact with a single arrest.”
TeamPCP’s campaign has not introduced a novel technical exploit so much as it has exposed a persistent organizational failure: the open-source trust model remains porous, and rapid development practices combined with automation and AI have widened the attack surface. Defenders report exhaustion; researchers say the pattern of quick infections, wide reach and public theatrics makes this one of the most disruptive software supply-chain crises in recent memory. The pressing question is whether developers, registries and law enforcement will move quickly enough, and in a coordinated fashion, to harden the very systems the group has turned into a conduit for chaos.
Source: CyberScoop — How software development’s speed obsession enabled TeamPCP’s chaos crusade




