Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7
Tag: teampcp (22 articles)Clear

FBI warns TeamPCP poisons trusted developer tools to steal cloud credentials

The FBI has issued an alert about TeamPCP, a criminal group that compromises the developer and security tools organizations trust inside their build pipelines to steal cloud credentials at scale. Rather than targeting end users, TeamPCP injects malicious code into legitimate software such as the Trivy and KICS scanners and the LiteLLM library, then pushes trojanized updates that continuous integration systems pull in automatically. Its malware harvests AWS, Google Cloud, and Azure tokens, Kubernetes service-account credentials, and more. One technique the FBI highlights is taking over npm maintainer accounts by re-registering the maintainer's long-expired recovery email domain, then using password reset to publish malicious package versions.

Check
Check whether your build pipelines pulled trojanized versions of tools like Trivy, KICS, or LiteLLM, review the FBI's indicators, and audit whether any package maintainer accounts use expired recovery email domains.
Affected
Organizations whose CI/CD pipelines automatically pull developer and security tools, and maintainers whose npm recovery email domains have lapsed; TeamPCP uses these paths to steal cloud, Kubernetes, and registry credentials.
Fix
Pin GitHub Actions to commit hashes, rotate CI/CD secrets and cloud credentials, scope publishing tokens and enforce least privilege, require phishing-resistant MFA on publishing accounts, and delay installing brand-new package versions.

New Shai-Hulud wave poisons 19 scientific Python packages on PyPI

The ongoing Shai-Hulud supply-chain campaign has struck again, this time trojanizing 19 Python packages on PyPI, many of them popular bioinformatics tools like Dynamo, Spateo, CoolBox, and Napari-UFISH that have been downloaded hundreds of thousands of times. Discovered by Socket, the wave pushed 37 malicious package versions from what looks like a single compromised maintainer, each carrying code that steals developer secrets such as cloud keys and tokens, then uses them to spread further. PyPI has quarantined affected releases. The credential-stealing behavior and tactics match earlier Shai-Hulud activity tied to the group TeamPCP, whose worm code leaked publicly last month.

Check
Search Python environments, lock files, and CI build logs for the 19 affected packages (including Dynamo, Spateo, CoolBox, U-FISH, Napari-UFISH) installed during the malicious window.
Affected
Developers and research teams that installed the trojanized versions of the 19 PyPI scientific packages, especially bioinformatics workflows pulling Dynamo, Spateo, CoolBox, U-FISH, or Napari-UFISH.
Fix
Remove the malicious versions and pin to known-good releases, then rotate every developer, cloud, and CI credential exposed on machines that installed them. Rebuild from trusted sources.

Miasma worm hits 73 Microsoft GitHub repos, targets AI coding tools

The self-spreading Miasma worm, a variant of the Shai-Hulud malware linked to the group TeamPCP, has reached Microsoft's own code. Using a stolen access token, attackers pushed a malicious commit into the Azure durabletask repository, and GitHub disabled 73 repositories across four Microsoft organizations including Azure and MicrosoftDocs. The twist: the planted code runs automatically when a developer opens the project in an AI coding assistant like Claude Code, Cursor, Gemini CLI, or VS Code, then harvests cloud and developer credentials and uses them to infect more projects. It hides the trigger inside a build file (binding.gyp) that most security tools ignore.

Check
Search your GitHub orgs for commits, public repos, or build files matching Miasma naming patterns, and review AI coding agent configs (binding.gyp, agent rules) for unexpected auto-run payloads.
Affected
Organizations using npm, PyPI, or GitHub alongside AI coding assistants (Claude Code, Cursor, Gemini CLI, VS Code). Stolen maintainer tokens enable backdoored package and repo publishing.
Fix
Rotate GitHub, npm, and cloud credentials exposed to affected projects. Remove malicious commits and configs, enforce 2FA and short-lived tokens, and block install-time scripts in CI.

PCPJack hijacks 230 AWS, Google Cloud, and Azure servers into covert SMTP relay network using Sliver and Chisel, removes TeamPCP

SentinelOne and Hunt.io have detailed PCPJack, a credential-theft framework that hijacks cloud servers across AWS, Google Cloud, and Azure into a covert SMTP relay network - while terminating artifacts of the rival TeamPCP group. Built around a Sliver-integrated SMTP proxy toolkit with Chisel tunneling for multiple Linux architectures, it drops a hidden binary at /var/tmp/.xs and assigns each Sliver beacon a SOCKS5 port derived from an MD5 of its UUID. A deployer script runs an SMTP 'quality gate' probing outbound smtp.gmail.com:587 - hosts that cannot relay email are discarded. A C2-side Python daemon continuously prunes Chisel tunnels for SMTP capability. Around 230 servers were compromised.

Check
Hunt cloud Linux hosts for /var/tmp/.xs, Sliver and Chisel binaries, and outbound SMTP probes to smtp.gmail.com:587. Check for cron or systemd persistence. Apply SentinelOne and Hunt.io IoCs.
Affected
Internet-reachable cloud servers (AWS, Google Cloud, Azure) that attackers can compromise and that have outbound SMTP capability - the criterion PCPJack uses to select hosts for its relay network.
Fix
Block unneeded outbound SMTP (port 587/25) from cloud workloads. Remove Sliver/Chisel artifacts and persistence. Restrict egress, monitor for SOCKS5 tunneling, and rotate credentials on affected hosts.

CISA adds three to KEV: TanStack CVE-2026-45321 and Nx Console CVE-2026-48027 (TeamPCP) plus Daemon Tools Lite CVE-2026-8398

CISA has added three vulnerabilities to its Known Exploited Vulnerabilities catalog based on active-exploitation evidence. Two formally recognize the TeamPCP supply-chain wave that dominated mid-May: CVE-2026-45321 (TanStack) and CVE-2026-48027 (Nx Console embedded malicious code), the latter tied to the trojanized VS Code extension that led to GitHub's own 3,800-repo internal breach. The third, CVE-2026-8398, is an embedded-malicious-code flaw in the Daemon Tools Lite disc-imaging utility. FCEB agencies must remediate all three by the BOD 22-01 deadline; CISA urges all organizations to prioritize them. The additions confirm the supply-chain compromises moved from disclosure to documented in-the-wild exploitation.

Check
Confirm TanStack (CVE-2026-45321) and Nx Console (CVE-2026-48027) remediation from the mid-May supply-chain wave is complete. Inventory Daemon Tools Lite installs for CVE-2026-8398.
Affected
Organizations exposed to the TeamPCP supply-chain compromises (TanStack, Nx Console) and any endpoint running a vulnerable Daemon Tools Lite disc-imaging build. Federal agencies bound by BOD 22-01.
Fix
Remediate all three by CISA's KEV deadline. Verify Nx Console is 18.100.0+ and TanStack dependencies are clean. Remove or update Daemon Tools Lite. Rotate credentials from the supply-chain incidents.

GitHub confirms 3,800 internal repos stolen after employee installed malicious Nx Console VS Code extension (TeamPCP)

GitHub has confirmed that roughly 3,800 internal repositories were exfiltrated after one of its employees installed a malicious version of the Nx Console VS Code extension. The malicious extension has been pulled and the affected device has been isolated. GitHub's current assessment is that the activity was limited to internal repos and that no customer data stored outside them was touched. The numbers line up with the claim TeamPCP posted on Breached, where they offered the code for at least $50,000. The breach connects this week's Nx Console compromise to the broader TeamPCP campaign that also hit OpenAI and Grafana.

Check
Identify VS Code endpoints with the Nx Console extension. Confirm version is 18.100.0 or newer. Check for cat.py and kitty-monitor IoCs and outbound traffic to attacker C2 published by Nx.
Affected
Any developer machine that installed Nx Console 18.95.0 during the 11-minute window on May 18 (12:36-12:47 UTC). GitHub.com itself confirms 3,800 internal repos exfiltrated from one employee device.
Fix
Update to Nx Console 18.100.0. Audit access from GitHub-employee or contractor devices; rotate every credential, token, and SSH key reachable from machines that ran the trojanized version.

TeamPCP claims ~4,000 GitHub internal repos stolen and for sale on Breached forum, GitHub confirms investigation

GitHub said it is investigating after the cybercrime group TeamPCP listed 'GitHub's source code and internal orgs' for sale on the Breached forum, claiming access to about 4,000 internal repositories and asking at least $50,000. GitHub told BleepingComputer it has 'no evidence of impact to customer information stored outside of GitHub's internal repositories' and that customers will be alerted if that changes. TeamPCP is the same group behind the TanStack supply-chain attack that hit OpenAI and Grafana, the Aqua Trivy compromise, the LiteLLM infection, and the Mistral AI source-code theft. GitHub hosts code for 4 million organizations and 180 million developers.

Check
Audit GitHub Actions workflows for refs pulled via pull_request_target from forks. Inventory developer machines that synced internal-org repos in the last 30 days for unusual outbound git pushes.
Affected
GitHub.com users specifically: TeamPCP's claim is limited to GitHub's own internal repos so far. Downstream impact is possible if private code referencing customer secrets is leaked.
Fix
Wait for GitHub's official notification. Rotate any tokens or PATs that lived in repositories you suspect could be referenced by GitHub internal code, and assume secret-scanning rules might be reverse-engineered.

Shai-Hulud wave: 600+ npm @antv packages compromised in one hour, GitHub Action 'actions-cool' tag hijack linked

Between 01:56 and 02:56 UTC on May 19, a Shai-Hulud-flavored attack published 639 malicious versions across 323 npm packages, mostly in the @antv chart and graph namespace, after compromising the maintainer account 'atool.' Affected libraries include @antv/g2, @antv/g6, echarts-for-react, timeago.js, and jest-canvas-mock (still 10M monthly downloads despite three years dormant). A linked attack hijacked 15 tags of the 'actions-cool' GitHub Action and replaced them with a credential stealer that reads runner memory and exfils to t.m-kosche[.]com - the same domain as the @antv campaign. Socket and Aikido say there are now 2,900+ GitHub repos generated by this wave.

Check
Audit package lockfiles and CI logs for installs of any @antv/* package or timeago.js, size-sensor, jest-canvas-mock, echarts-for-react published on May 19. Search workflows for 'actions-cool/maintain-one-comment@<tag>' references.
Affected
Developers and CI/CD pipelines that installed @antv packages or used the actions-cool GitHub Actions between May 19 01:56 UTC and the npm registry takedown.
Fix
Pin GitHub Actions to full commit SHAs, not tags. Block egress to t.m-kosche.com. Rotate every developer token, npm token, cloud credential, and SSH key on machines that ran affected builds.

Grafana confirms its GitHub breach started with the TanStack npm supply-chain attack (TeamPCP)

Grafana Labs has confirmed that its previously disclosed GitHub breach started with the TanStack npm supply-chain attack run by TeamPCP, the same one that hit OpenAI and Mistral AI. Grafana detected the activity on May 11, rotated a significant number of GitHub workflow tokens, but one token slipped through and the attacker used it to pull Grafana's codebase. The downstream extortion attempt under the CoinbaseCartel banner came on May 16 and Grafana refused to pay, citing FBI guidance. The incident chains TeamPCP's TanStack OIDC-token theft into a directly observable secondary breach at a major observability vendor.

Check
If you maintained or rebuilt Grafana forks since May 11, or used Grafana Labs GitHub Actions, audit CI logs and outbound traffic against TanStack-attack IoCs published by Wiz and Snyk.
Affected
Grafana Labs (codebase, already public). New attribution links the breach to the TanStack supply-chain attack. No direct customer or Grafana Cloud impact reported.
Fix
Adopt OIDC trusted publishing. Treat GitHub Actions workflow tokens as short-lived and rotate aggressively. Seed canary tokens in private repos - Grafana detected this breach via a canary trigger.

TeamPCP Shai-Hulud aftermath: OpenAI rotates macOS code-signing certificates after employee devices breached, TeamPCP advertises 450 Mistral AI source repositories for $25K

Two days after the Mini Shai-Hulud worm tore through TanStack and Mistral AI packages, the named-victim count grew sharply. OpenAI confirmed that two employee devices were compromised through the TanStack supply-chain chain and that a limited subset of internal source code repositories had credential material exfiltrated; the company is rotating its macOS code-signing certificates and tells Mac users they must update ChatGPT Desktop, Codex, and Atlas apps by June 12, 2026, or the apps will stop launching. TeamPCP separately listed 450 Mistral AI private repositories on a criminal forum for 25,000 dollars. Mistral confirmed a codebase management system was temporarily compromised on May 12 but says hosted services and user data were not impacted.

Check
Audit which developer workstations had any TanStack, Mistral AI, UiPath, OpenSearch, or Guardrails AI npm or PyPI packages installed since May 8, and review GitHub audit logs for token use from those machines.
Affected
Mac users of OpenAI ChatGPT Desktop, OpenAI Codex CLI, and Atlas browser apps - signed with the rotated certificates and must update before June 12, 2026. Customers of Mistral AI relying on private repos for SDK pinning.
Fix
Update affected OpenAI macOS apps before June 12. Rotate GitHub PATs, npm and PyPI tokens, cloud secrets, and SSH keys exposed on impacted developer machines. Pin Mistral and TanStack packages to known-clean releases.