Supply chain ransomware: TeamPCP weaponizes worms to fuel partnerships and $95K data sales

June 14, 2026

Supply chain ransomware now has a flagship operator: TeamPCP has run at least three waves of automated supply-chain poisoning since September 14, 2025, using stolen developer credentials to breach GitHub (roughly 3,800 internal repositories), Checkmarx, Cisco, and the European Commission. The group now converts that access into revenue through a formal ransomware partnership with Vect and a data-sales pipeline running through LAPSUS$, while its release of the Shai-Hulud worm source code has already spawned copycat campaigns. The result is a self-feeding operation aimed at developer toolchains, where a single stolen maintainer token cascades into hundreds of poisoned dependencies within half an hour.

Key Judgments
  • HIGH We assess with high confidence that TeamPCP operates a repeatable supply-chain compromise playbook—exploiting GitHub Actions misconfigurations (pull_request_target) to steal npm/PyPI tokens and propagate worm-like poisoning across hundreds of packages—based on three documented campaign waves (Sep 2025, Nov 2025, Apr–May 2026) corroborated by SentinelLabs, Mandiant, Socket, and multiple vendor post-mortems.
  • HIGH We assess with high confidence that TeamPCP’s May 2026 open-sourcing of the Shai-Hulud worm code has already enabled copycat supply-chain attacks (e.g., the @antv poisoning of 639 versions on May 19), significantly expanding the threat surface beyond TeamPCP’s own operations.
  • MODERATE We assess with moderate confidence that TeamPCP functions as an initial-access supplier to multiple monetization partners—Vect ransomware for encryption/extortion and LAPSUS$ for data brokerage—based on the announced Vect partnership, the GitHub data transfer to LAPSUS$ at $95,000, and the Checkmarx/Mercor incidents.
  • MODERATE We assess with moderate confidence that the Vect–TeamPCP–BreachForums affiliate model, which offers every forum member a ransomware affiliation key plus supply-chain-derived access, represents a novel convergence of mass-market RaaS distribution with supply-chain initial access, though actual victim counts remain low (two confirmed on Vect’s leak site).
  • LOW We assess with low confidence that TeamPCP’s internal cohesion is degrading, as evidenced by the PCPJack rival worm actively evicting TeamPCP tooling from compromised hosts and SentinelLabs’ assessment that PCPJack may be a former member—a dynamic that could fragment operations or accelerate tool proliferation.

Background

TeamPCP emerged in late 2025 as a supply-chain attack specialist targeting open-source ecosystems (npm, PyPI) and developer security tools (Trivy, Checkmarx KICS). By exploiting GitHub Actions misconfigurations, the group developed a worm (Shai-Hulud) capable of autonomously propagating through stolen npm tokens, compromising hundreds of packages within minutes. Multiple security vendors (SentinelLabs, Mandiant, Socket, Wiz, Snyk) have independently documented these campaigns.

The Shai-Hulud worm compromised 1,000+ npm packages across three escalating waves

TeamPCP built the first large-scale automated supply-chain worm for npm, and each wave defeated the defenses raised against the previous one. A long technical post by a user named Threatbook on the pediy forum, summarizing Threatbook’s own research alongside SentinelLabs and vendor post-mortems, dates the first infection to 17:58 UTC on September 14, 2025, when the npm package rxnt-authentication, published by medical software vendor RXNT, was poisoned. The worm spread on its own: it harvested npm tokens, then republished other packages owned by each victim, reaching approximately 187 packages within three days, per eSentire (translated from Chinese).

Figure 1: Dark-web forum post (Source: Flare)
PEDIY Threatbook June 1, 2026
From September 2025 to now, the hacker group TeamPCP used Shai-Hulud to launch three massive supply-chain poisoning waves, compromising thousands of npm packages, including well-known companies and popular packages like CrowdStrike, SAP, TanStack, AsyncAPI, and Postman/PostHog. More worrying still, this May, TeamPCP open-sourced Shai-Hulud, which means it is becoming a decentralized criminal tool, and its iteration speed and poisoning scale will far exceed imagination.

The second wave on November 24, 2025 (Shai-Hulud 2.0) stole publishing tokens from @zapier, @asyncapi, @postman, and @posthog through compromised maintainer accounts and stolen tokens, per eSentire, which reports 492 packages compromised in that wave, and added a wiper that deletes the victim’s home directory when no token can be stolen. The Threatbook summary describes more than 800 malicious versions across those packages, a figure not independently confirmed in primary reporting. After this wave, most affected vendors migrated to OIDC short-lived tokens. The third wave (Mini Shai-Hulud, April to May 2026) defeated that migration: SAP’s @cap-js fell on April 29 through a loose OIDC config with no branch restriction, and @TanStack fell on May 11 when attackers poisoned the GitHub Actions cache. The Threatbook summary reports a May 19 peak of 639 malicious versions across 323 packages published in 22 minutes; this figure is not independently confirmed in primary reporting. That Threatbook summary matters because it documents a worm whose iteration outruns each mitigation in turn, which is the core of why this actor scales.

A single Trivy misconfiguration triggered a cascade across Checkmarx, LiteLLM, and 1,000+ SaaS environments

The entire campaign chain traces to one compromised account, not a zero-day. A detailed Russian-language writeup by a user named Nowheretogo on the rehub forum, relaying Mandiant and Aikido Security analysis, states plainly that what sat at the root of everything was not a zero-day vulnerability but the compromise of a single account (translated from Russian). In February 2026, a bot named hackerbot-claw opened a pull request against Aqua Security’s Trivy repository, exploiting a pull_request_target workflow that an automated scanner had flagged in November 2025 and that Aqua’s developers ignored. The PR extracted the Personal Access Token of the aqua-bot service account, which held org-wide repo permissions.
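
A check for the misconfiguration described above, as an added example (not code from the writeup, Aqua Security, or any vendor cited here): it flags workflows that run on pull_request_target and also check out the pull request's own code, and raises the severity when the workflow references secrets. The three sample workflows and the secret name BOT_PAT are constructed, and the scan is a line-based heuristic at workflow granularity rather than a full YAML parse.

```python
import re

COMMENT_RE = re.compile(r"(^|\s)#.*$")
TRIGGER_RE = re.compile(r"\bpull_request_target\b")
# A checkout `ref:` that resolves to the pull request's own, untrusted code.
PR_HEAD_REF_RE = re.compile(
    r"^\s*ref:.*(github\.event\.pull_request\.head\.(?:sha|ref)"
    r"|github\.head_ref|refs/pull/)"
)
SECRET_RE = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)")


def audit_workflow(workflow_text):
    """Return a finding for a pull_request_target workflow, else None."""
    lines = [COMMENT_RE.sub("", line) for line in workflow_text.splitlines()]
    if not any(TRIGGER_RE.search(line) for line in lines):
        return None
    head_lines = [n for n, line in enumerate(lines, 1)
                  if PR_HEAD_REF_RE.search(line)]
    secrets = sorted({name for line in lines
                      for name in SECRET_RE.findall(line)})
    if head_lines and secrets:
        severity = "high"    # PR code is checked out where secrets are referenced
    elif head_lines:
        severity = "medium"  # no named secret, but the job token may be writable
    else:
        severity = "review"  # privileged trigger, no PR checkout detected
    return {"severity": severity, "pr_head_checkout_lines": head_lines,
            "secrets": secrets}


# Constructed samples (not taken from any real repository).
RISKY_WORKFLOW = """\
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}  # untrusted code
      - run: make test
        env:
          TOKEN: ${{ secrets.BOT_PAT }}
"""

LABEL_ONLY_WORKFLOW = """\
on: pull_request_target
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/labeler@v5
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
"""

PLAIN_PR_WORKFLOW = "on: pull_request\njobs: {}\n"

if __name__ == "__main__":
    for name, text in [("risky", RISKY_WORKFLOW),
                       ("label-only", LABEL_ONLY_WORKFLOW),
                       ("plain", PLAIN_PR_WORKFLOW)]:
        print(name, audit_workflow(text))
```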

By February 28, 2026, attackers had deleted all 178 Trivy releases and briefly privatized the repository. On March 19, 2026, they force-pushed 76 of 77 tags in trivy-action to malicious commits while preserving the original author names and timestamps to avoid notification triggers. The same writeup notes force-pushed tags produce no CreateEvent or DeleteEvent in GitHub’s public API, rendering the attack invisible to monitoring keyed on those events (View on Flare). For defenders, this is the operational lesson: tag-redirection bypasses commit-history alerting, so CI/CD provenance pinning to immutable hashes is the only durable control.
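
An audit for the pinning control named above, as an added example (not code from the report or from any vendor it cites): it lists every uses: reference in a workflow that resolves through a tag, branch or abbreviated SHA instead of a full 40-character commit SHA, which is the kind of reference a force-pushed tag can redirect. The sample workflow, the example-org names and the SHA are constructed, and the scan is line-based rather than a full YAML parse.

```python
import re

# A `uses:` key, optionally starting a list item, followed by its target.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")
IMAGE_DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def classify_ref(target):
    """Classify one `uses:` target as 'local', 'pinned' or 'mutable'."""
    if target.startswith("./"):
        return "local"  # action stored in the same repository checkout
    if target.startswith("docker://"):
        return "pinned" if IMAGE_DIGEST_RE.search(target) else "mutable"
    _, sep, ref = target.rpartition("@")
    if sep and FULL_SHA_RE.fullmatch(ref):
        return "pinned"
    # Tags and branches can be repointed; an abbreviated SHA is not a pin.
    return "mutable"


def find_mutable_refs(workflow_text):
    """Return (line_number, target) for every reference that is not pinned."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if match and classify_ref(match.group(1)) == "mutable":
            findings.append((lineno, match.group(1)))
    return findings


# Constructed sample workflow; the SHA below is a made-up placeholder.
SAMPLE_WORKFLOW = """\
name: scan
on: push
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # pinned
      - uses: example-org/scan-action@v1
      - name: short sha is not a pin
        uses: example-org/scan-action@0123456
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3
  reuse:
    uses: example-org/shared/.github/workflows/build.yml@main
"""

if __name__ == "__main__":
    for lineno, target in find_mutable_refs(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {target} is not pinned to a full commit SHA")
```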

The LiteLLM compromise shows the downstream blast radius. A post by a user named beiank on the t00ls forum, summarizing public reporting, recorded malicious LiteLLM PyPI versions 1.82.7 and 1.82.8 live for roughly 40 minutes on March 24, 2026, citing Wiz Research data that LiteLLM exists in about 36% of cloud environments (translated from Chinese). That 40-minute window matters because automated CI/CD pipelines pull the latest version without human review, so a brief exposure infects environments at scale. Mandiant’s estimate, relayed in the rehub writeup, put compromised SaaS environments above 1,000 and rising. AI recruiting firm Mercor confirmed an incident tied to the LiteLLM compromise, after which LAPSUS$ listed Mercor on its leak site claiming 4TB of stolen data (View on Flare).

The Vect and BreachForums partnership turns supply-chain access into mass-market extortion

On March 25, 2026, the Vect ransomware operation announced a partnership with both TeamPCP and BreachForums that, on paper, hands a ransomware affiliate key to every forum member. The announcement is explicit about the supply-chain pipeline feeding it.

Figure 2: Dark-web forum post (Source: Flare)
BreachForums vect March 25, 2026
From this day forward, every single BreachForums member will receive their own personal Vect Affiliation Key for immediate activation. Just imagine what +300k Vect affiliates can do. Vect Ransomware Group is now partnering with TeamPCP, the operators behind the latest Trivy / LiteLLM supply chain compromises. Together, we are ready to deploy ransomware across all affected companies that got hit by these attacks.

The mass-enrollment model aimed to convert all roughly 300,000 BreachForums members into affiliates, which Dataminr described as an attempt no prior ransomware operation had made. A user named weaver on the rehub forum, relaying that Dataminr brief, characterized the result as turning ransomware distribution into a mass service with ready-made infrastructure and a stream of already-compromised access (translated from Russian). That framing matters because it collapses the traditional gap between initial-access broker and ransomware operator into a single distribution channel (View on Flare).

The execution side, however, lags the ambition. A post by a user named CryptoCracker on the wsforum forum, summarizing Check Point Research, found that behind the professional facade, Vect ransomware is not a technically sophisticated service, and that a flaw permanently destroys any file larger than 131,072 bytes because three of four per-chunk nonces are generated, used, and discarded (View on Flare). The gap shows in victim counts: the Vect leak site lists victims sourced from TeamPCP supply-chain access, and per Check Point Research only two victims appeared on the leak site as of April 28, 2026, though other sources report 25 total victims.

GitHub’s 3,800 stolen repos moved from TeamPCP to LAPSUS$ in 48 hours at $95,000

The clearest evidence of TeamPCP operating as an access supplier rather than a monetizer is the GitHub breach. A post by a user named 小龙 on the 77169 forum reconstructed the timeline: on May 19, 2026, TeamPCP listed roughly 4,000 GitHub private repositories on BreachForums starting at $50,000. GitHub confirmed on May 20 that roughly 3,800 internal repositories were accessed after an employee installed a poisoned VS Code extension.

Figure 3: Dark-web forum post (Source: Flare)
77169 小龙 May 22, 2026
TeamPCP is good at “stocking the shelves,” LAPSUS$ is good at “selling.” TeamPCP is the supply-chain attack expert, gaining initial access by poisoning open-source tools, malicious VS Code extensions, and tampered npm/PyPI packages. But they have no dark-web platform and no buyer network. LAPSUS$ is exactly the reverse: a mature leak site, buyer contacts, and a full set of data-monetization channels. One handles the stealing, one handles the selling.

By May 21, TeamPCP had pulled the BreachForums listing and transferred the data to LAPSUS$, which re-listed it at $95,000, per dark-web researcher Matthew Maynard cited in the same post. Independent researcher Kevin Beaumont is reported in the same forum summary to have confirmed via Mastodon that LAPSUS$ published file trees and sample data on LimeWire, describing the file tree as real and long; this Mastodon post is not independently confirmed in primary reporting (translated from Chinese). The price doubling within 48 hours signals the perceived value of GitHub’s internal cloud credentials, CI/CD keys, and service URLs, and confirms the division-of-labor model. A separate pediy post by an Editor account noted the same VS Code extension as the entry point and quoted TeamPCP claiming the breach was not extortion, only a sale (translated from Chinese) (View on Flare).

Figure 4: Dark-web forum post (Source: Flare)

Open-sourced worm code and a BreachForums competition have already spawned copycats

The release of the Shai-Hulud source code converted a single group’s weapon into a shared framework, and a copycat campaign followed within days. On May 13, TeamPCP posted a Supply Chain Competition on BreachForums recruiting access brokers, writing that the group would “purchase all meaningful access from you harvested from your campaigns / give you a large percentage of the ransoms/sales through our monetization network” (View on Flare). That post matters because it gamifies access generation, decentralizing supply-chain attacks beyond the group’s own operators.

The May 19 @antv poisoning shows the effect. A second Threatbook post on pediy attributed the 639-version compromise to a likely imitator rather than TeamPCP itself, assessing that because TeamPCP had open-sourced the code and organized the competition, attribution on code features alone cannot confirm TeamPCP carried it out (translated from Chinese) (View on Flare). The Miasma variant extends the trend. A post by a user named BOOX on the probiv forum, citing SafeDep and Socket, identified Miasma as a Shai-Hulud derivative published through compromised developer accounts, linked to Red Hat npm packages and dozens of Microsoft GitHub repositories, with 474 compromised package publications counted so far (translated from Russian). Miasma requires no C2 server, pulls commands from public GitHub commits, and can poison AI developer tools including Claude, Gemini, Cursor, and Copilot (View on Flare).

Outlook: OIDC bypasses, AI-tool poisoning, and signs of fragmentation

TeamPCP iterates faster than the mitigations raised against it, and the next variants are already poisoning AI coding assistants. Mini Shai-Hulud bypassed the OIDC publishing defenses adopted after November 2025, and Miasma adds SSH and AWS Systems Manager lateral movement plus a 72-hour wiper that fires when a stolen GitHub token is revoked. One countervailing signal: a post by a user named User4a on the XSS.is forum, relaying SentinelLabs, described a rival worm called PCPJack that targets the same infrastructure (Docker, Kubernetes, Redis, MongoDB, RayML) while actively deleting TeamPCP’s persistence artifacts, with researchers assessing it may be a former operator deeply familiar with the group’s toolset (translated from Russian) (View on Flare). That eviction behavior suggests internal friction that could fragment operations or, more likely, accelerate tool proliferation.

Four actions follow directly from this evidence. Audit every GitHub Actions workflow for pull_request_target triggers that check out PR code with repository secrets, because that one misconfiguration enabled the Trivy cascade and persists in the worm’s third wave. Migrate npm and PyPI publishing to OIDC with strict branch and workflow pinning, given that Mini Shai-Hulud already defeats loose OIDC configs that omit a publishing branch. Enforce VS Code and OpenVSX extension allowlists on developer workstations, since a single poisoned extension gave attackers 3,800 GitHub repositories. Finally, hunt CI/CD and developer environments for DNS or HTTPS connections to t.m-kosche.com and for GitHub repositories matching the naming patterns sayyadina-stillsuit-* and atreides-ornithopter-*, and rotate every npm token, GitHub PAT, AWS key, and SSH key exposed in any pipeline that pulled Trivy, LiteLLM, or @antv packages during the documented compromise windows.
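
The hunt in the last action, as an added example (not code from this report or from Flare): it matches the domain and the two repository-name patterns given above against DNS or proxy log lines and a repository inventory. The log format, host names and repository names in the samples are constructed; treating subdomains of the indicator as hits is an assumption of this sketch.

```python
import fnmatch
import re


def normalize_host(host):
    """Lower-case, refang "[.]" and drop the trailing root dot."""
    return host.lower().replace("[.]", ".").rstrip(".")


# Indicators named in the report; the domain is refanged from its table form.
IOC_DOMAIN = normalize_host("t.m-kosche[.]com")
IOC_REPO_GLOBS = ("sayyadina-stillsuit-*", "atreides-ornithopter-*")

# Any dotted hostname inside a log line or URL, with an optional root dot.
HOST_RE = re.compile(r"\b(?:[a-z0-9_-]+\.)+[a-z]{2,}\b\.?", re.I)


def is_ioc_host(host):
    """True for the indicator itself or a subdomain of it."""
    host = normalize_host(host)
    # A plain suffix or substring test would also hit look-alikes such as
    # "xt.m-kosche.com" or "t.m-kosche.com.example.net".
    return host == IOC_DOMAIN or host.endswith("." + IOC_DOMAIN)


def hunt_log_lines(lines):
    """Return (line_number, host) for each log line naming the indicator."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for host in HOST_RE.findall(line):
            if is_ioc_host(host):
                hits.append((lineno, normalize_host(host)))
    return hits


def hunt_repo_names(full_names):
    """Return owner/repo names whose repo part matches an indicator glob."""
    hits = []
    for full_name in full_names:
        repo = full_name.rsplit("/", 1)[-1].lower()
        if any(fnmatch.fnmatchcase(repo, glob) for glob in IOC_REPO_GLOBS):
            hits.append(full_name)
    return hits


# Constructed sample data (not real telemetry).
SAMPLE_LOG = [
    "2026-05-12T02:11:09Z ci-runner-7 query A registry.npmjs.org NOERROR",
    "2026-05-12T02:11:10Z ci-runner-7 query A T.M-Kosche.com. NOERROR",
    "2026-05-12T02:11:12Z dev-laptop-3 GET https://api.t.m-kosche.com/x 200",
    "2026-05-12T02:11:15Z ci-runner-2 query A xt.m-kosche.com NOERROR",
    "2026-05-12T02:11:18Z ci-runner-2 query A t.m-kosche.com.example.net NOERROR",
]
SAMPLE_REPOS = [
    "example-user/sayyadina-stillsuit-481",
    "example-user/Atreides-Ornithopter-x9",
    "example-org/stillsuit-docs",
    "example-org/web-app",
]

if __name__ == "__main__":
    for lineno, host in hunt_log_lines(SAMPLE_LOG):
        print(f"log line {lineno}: contact with {host}")
    for name in hunt_repo_names(SAMPLE_REPOS):
        print(f"repository name matches indicator pattern: {name}")
```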


Threat-Actor Activity

Posting cadence over the last 12 months, in UTC. The local timezone is inferred from the actor’s peak posting window — an estimate, not a fact.

Figure 5: Posting activity for TeamPCP (Source: Flare)
Threat-actor activity: TeamPCP
Posts: 77
Posts/month: 12.6
Active span: 2025-11-17 → 2026-05-19
Peak day: Tuesday
Peak hour UTC: 22:00
Inferred TZ: AEST
Top forum: telegram
Posts by hour (UTC) × day of week (heatmap; x-axis: hour of day in UTC, y-axis: Monday to Sunday)
Most active weeks
  • 2026-03-20 → 2026-03-26: 30 posts in one week
  • 2026-05-13 → 2026-05-19: 15 posts in one week
  • 2026-03-11 → 2026-03-14: 8 posts in one week
Figure 6: Posting volume by month (Source: Flare)
Month | Posts
2025-11 | 1
2026-01 | 1
2026-02 | 11
2026-03 | 39
2026-04 | 8
2026-05 | 17

Key Events

2025-09-14 Shai-Hulud Wave 1: RXNT npm package compromised, 500+ packages infected within 3 days via stolen npm tokens
2025-11-01 Automated scanner flags dangerous pull_request_target configuration in Trivy’s GitHub Actions workflow; Aqua Security ignores the warning
2025-11-24 Shai-Hulud 2.0: @zapier, @asyncapi, @postman, @posthog npm packages compromised via pull_request_target exploitation; 800+ malicious versions published
2025-12-01 Vect Ransomware first appears on a Russian-language cybercrime forum as a RaaS affiliate program
2026-02-01 Bot ‘hackerbot-claw’ submits malicious PR to Trivy repository, exploiting pull_request_target to extract aqua-bot PAT
2026-03-19 TeamPCP’s second attack on Trivy: all 178 releases deleted, repo briefly made private; cascade begins into npm, LiteLLM, Checkmarx, Telnyx
2026-03-22 TeamPCP compromises Aqua Security’s internal GitHub organization using stolen aqua-bot credentials
2026-03-25 Vect Ransomware announces partnership with TeamPCP and BreachForums; offers affiliate keys to all 300K+ forum members
2026-03-27 LiteLLM PyPI supply-chain attack: malicious versions 1.82.7 and 1.82.8 published for ~40 minutes; affects 36% of cloud environments per Wiz Research
2026-04-07 Mercor confirms security incident linked to LiteLLM compromise; LAPSUS$ lists Mercor with 4TB claimed stolen data
2026-04-29 Mini Shai-Hulud Wave 3 begins: SAP/@cap-js compromised, 4 malicious npm packages published bypassing OIDC defenses
2026-05-07 SentinelLabs publishes report on PCPJack worm that evicts TeamPCP from compromised cloud hosts; XSS forum discusses findings
2026-05-11 @TanStack compromised: 42 packages produce 84 malicious versions via pnpm store cache poisoning
2026-05-13 TeamPCP posts ‘Supply Chain Competition’ on BreachForums, offering to buy harvested access and share ransomware proceeds
2026-05-15 TeamPCP open-sources Shai-Hulud worm code on GitHub
2026-05-19 TeamPCP lists ~4,000 GitHub private repos on BreachForums for $50,000; copycat @antv attack poisons 323 packages (639 versions) using open-sourced Shai-Hulud code
2026-05-20 GitHub confirms ~3,800 internal repos stolen via malicious VS Code extension; TeamPCP pulls BreachForums listing, transfers data to LAPSUS$ at $95,000
2026-05-21 LAPSUS$ publishes GitHub file trees and sample data on LimeWire; Kevin Beaumont confirms authenticity; TeamPCP mocks GitHub on X
2026-06-02 Miasma worm (Shai-Hulud variant) linked to Red Hat npm package compromise and attacks on Microsoft GitHub repositories
2026-06-11 Miasma source code published on GitHub via compromised developer accounts; SafeDep analysis confirms no C2 needed (uses GitHub commits for commands), supports AI-tool poisoning

Targeting and Victimology

Target | Mentions | First seen
LiteLLM | 3 mentions | 2026-04-07
npm ecosystem | 2 mentions | 2026-05-22
npm | 2 mentions | 2026-05-07
PyPI | 2 mentions | 2026-05-07
GitHub | 2 mentions | 2026-05-20
Mercor | 2 mentions | 2026-04-07
Trivy | 2 mentions | 2026-04-28
Checkmarx | 2 mentions | 2026-04-28
Telnyx | 2 mentions | 2026-04-28
BreachForums members | 1 mention | 2026-03-25
supply chain targets | 1 mention | 2026-03-25
access brokers | 1 mention | 2026-05-13

Intelligence Gaps

What the collected evidence does not establish:

  • The true number of organizations that ingested poisoned packages during the 40-minute LiteLLM window and subsequent npm campaigns remains unquantified beyond Mandiant’s 1,000+ SaaS estimate.
  • No independent confirmation exists that Vect ransomware has been successfully deployed against companies compromised via TeamPCP supply-chain access; the leak site lists only two victims.
  • The relationship between TeamPCP and LAPSUS$ is unclear—whether it is a formal partnership, a one-time data sale, or an ongoing broker arrangement.
  • Attribution of the initial Trivy hackerbot-claw PR to TeamPCP vs. a separate actor whose access TeamPCP later acquired is unresolved.
  • The identity and geographic location of TeamPCP operators remain unknown; no law-enforcement attribution has been published.

Indicators of Compromise & MITRE ATT&CK TTPs

The indicators below were extracted from the dark-web source material analyzed in this report and are presented in defanged form for safe handling. MITRE ATT&CK technique IDs are validated against the official Enterprise catalog.

Tracked entities

  • Vect (malware)
  • TeamPCP (threat-actor)
  • PCPJack (malware)
  • Shai-Hulud (malware)
  • Miasma (malware)
  • LAPSUS$ (threat-actor)
  • Trivy (tool)
  • LiteLLM (tool)
  • TruffleHog (tool)
  • Checkmarx (identity)
  • GitHub (identity)
  • Mercor (identity)

Indicators of Compromise

Type Indicator Source
Domain breach5yz2b5lepmq4gaqwcon3jippw3bislhvvdavem5git55sy2nid[.]onion
Domain vectordntlcrlmfkcm4alni734tbcrnd5lk44v6sp4lqal6noqrgnbyd[.]onion
Domain t.m-kosche[.]com

MITRE ATT&CK Coverage

Tactic | Techniques observed
Initial Access | T1078 Valid Accounts; T1190 Exploit Public-Facing Application
Execution | T1059.001 PowerShell
Persistence | T1078 Valid Accounts
Privilege Escalation | T1078 Valid Accounts
Credential Access | T1552.001 Credentials In Files
Lateral Movement | T1210 Exploitation of Remote Services
Exfiltration | T1567.002 Exfiltration to Cloud Storage
Impact | T1496 Resource Hijacking
Stealth | T1078 Valid Accounts; T1027 Obfuscated Files or Information

Sources & Methodology

This assessment draws on 12 dark-web forum posts (37 collected, then triaged and de-duplicated) across 8 sources (77169, breachforums_cz, pediy, probiv, rehub, t00ls, wsforum, xss_is), gathered via Flare over the past 3 months. Confidence levels above reflect the strength and corroboration of that evidence; see Intelligence Gaps for what it does not establish.
