TeamPCP
Coverage of TeamPCP in the Nexus archive.
- Miasma worms its way onto GitHub as attack kit goes open source
The Miasma worm, a supply-chain attack toolkit, was open-sourced on GitHub via compromised developer accounts, enabling attacks on public registries and repositories. SafeDep identified the malicious repositories, which allow credential-based attacks on platforms like PyPI, npm, and GitHub, following a pattern similar to TeamPCP's earlier mini Shai-Hulud worm. The release has raised concerns about supply-chain security, with 473 affected package artifacts tracked by Socket.
- Shai-Hulud malware worms Red Hat npm package versions downloaded 80K times a week
Security researchers discovered malware in 32 Red Hat npm package releases, which were downloaded 80,000 times weekly. The Mini Shai-Hulud worm, linked to TeamPCP, was embedded via a compromised GitHub account, stealing credentials and enabling supply chain propagation. Red Hat removed the packages, stating they were internal and not used in customer systems.
- The Hackers Behind Shai-Hulud: Lucky or Skilled?
TeamPCP, the hackers behind the Shai-Hulud worm, has caused significant damage to the open source ecosystem. The article questions whether their success stems from skill or luck, suggesting their impact may not be solely due to technical expertise.
- Megalodon chums the waters in 5.5K+ GitHub repo poisonings
A malware campaign called Megalodon poisoned over 5,500 GitHub repositories with CI/CD credential-stealing malware, stealing AWS keys, Google Cloud tokens, and other sensitive credentials. The attack, discovered by SafeDep researchers, was distributed through a compromised Tiledesk package on npm, marking an escalation in supply chain attacks targeting developers.
- A hacker group is poisoning open source code at an unprecedented scale
A hacker group called TeamPCP has breached GitHub through a poisoned VSCode extension installed by a developer, compromising approximately 3,800-4,000 repositories containing GitHub's internal source code. The attack represents an escalation in software supply chain attacks, with TeamPCP now conducting such breaches on a near-weekly basis and extorting victims. The group is attempting to sell GitHub's source code and internal organization data on BreachForums.
- CISA chief frets about open-source vulnerabilities, delayed security improvements
CISA acting director Nick Andersen expressed concern about vulnerabilities in open-source software that underpins modern digital infrastructure, citing recent attacks by North Korean group TeamPCP. He emphasized the need for hard security decisions and modified approaches to vulnerability management, while noting the U.S. has delayed necessary security improvements and accumulated significant technical debt.
- A Hacker Group Is Poisoning Open Source Code at an Unprecedented Scale
A hacker group called TeamPCP has conducted widespread software supply chain attacks targeting open source code on GitHub and impacting hundreds of organizations. This represents an unprecedented scale of coordinated attacks on the open source ecosystem. GitHub is identified as one of the latest victims of this campaign.
- GitHub Confirms Breach, 4K Internal Repos Stolen
GitHub confirmed a data breach involving the theft of thousands of internal repositories. A threat actor called TeamPCP took credit for the breach, which affected over 4,000 internal repos. The breach highlights a significant security concern for the open source software giant.
- GitHub Confirms 3,800 Internal Repos Stolen Through Poisoned VS Code Extension
GitHub confirmed that 3,800 internal repositories were stolen through a poisoned Visual Studio Code extension. The breach occurred after an employee installed a malicious coding tool, giving TeamPCP access to GitHub's private source code. This incident highlights a significant security vulnerability.
- GitHub says internal repositories were taken in poisoned VS Code extension attack
GitHub internal repositories were compromised through a poisoned Visual Studio Code extension, with the company detecting and containing the compromise and rotating critical secrets. The incident underscores growing risks in software development platforms. GitHub assesses that only internal repositories were affected.
- GitHub confirms being hacked by TeamPCP, says customer data unaffected
GitHub confirmed a security breach by TeamPCP, who advertised stolen source code on a cybercrime forum, but GitHub claims customer data was unaffected. The breach affects GitHub, which hosts code for over 100 million developers worldwide. GitHub announced the breach on social media.
- GitHub says internal repos exfiltrated after poisoned VS Code extension attack
GitHub was compromised due to a malicious Visual Studio Code extension, resulting in the exfiltration of internal repositories. The company is analyzing logs and monitoring for further activity. The incident has raised concerns about the security of private repositories and credentials.
- GitHub investigates internal repositories breach claimed by TeamPCP
GitHub is investigating a breach of its internal repositories after TeamPCP claimed to have accessed approximately 4,000 repositories containing private code. The breach may expose sensitive information. GitHub is taking steps to address the issue.
- GitHub Investigating TeamPCP Claimed Breach of ~4,000 Internal Repositories
GitHub is investigating a potential breach of around 4,000 internal repositories after TeamPCP listed the platform's source code and internal organizations for sale on a cybercrime forum. There is currently no evidence of impact to customer information stored outside of GitHub's internal repositories. The incident is being investigated by GitHub.
- Mini Shai-Hulud returns, compromising hundreds of npm packages
A self-replicating malware campaign known as Mini Shai-Hulud has resurfaced, embedding itself across hundreds of npm packages and compromising developer environments. The threat actor behind it, TeamPCP, has been linked to earlier waves of the same campaign. The malware can spread autonomously and install persistent backdoors at the operating system level.
- Shai-Hulud copycat worm infects yet another npm package
A Shai-Hulud copycat worm has been found in another npm package, chalk-tempalte, which is a malicious extension of the popular JavaScript library Chalk. The poisoned package contains a clone of Shai-Hulud, which steals secrets and sends them to a remote server. Four malicious packages have been detected, with a total of 2,678 weekly downloads.
- TanStack weighs invitation-only pull requests after supply chain attack
The TanStack team is considering making pull requests invitation-only after a supply chain attack used malicious code from the Shai-Hulud worm. The attack poisoned a cache used across the entire repository and led to security measures being proposed. The team is weighing the benefits of increased security against potential deterrents to contributions.
- Four Malicious npm Packages Deliver Infostealers and Phantom Bot DDoS Malware
Cybersecurity researchers discovered four malicious npm packages containing information-stealing malware and DDoS malware. The packages have a total of 3006 downloads. One of the packages is a clone of the Shai-Hulud worm.
- OpenAI caught in TanStack npm supply chain chaos after employee devices compromised
OpenAI was caught up in the TanStack npm supply chain compromise after employee devices were compromised, forcing the company to rotate signing certificates for several desktop products. The incident is part of a wider campaign targeting npm ecosystems and developer infrastructure. No customer data or production systems were compromised.
- TeamPCP hackers advertise Mistral AI code repos for sale
The TeamPCP hacker group is threatening to leak source code from the Mistral AI project unless a buyer is found for the data. The hackers are advertising the code repos for sale. This poses a significant security risk for Mistral AI.
- Malware crew TeamPCP open-sources its Shai-Hulud worm on GitHub
The malware crew TeamPCP has open-sourced its Shai-Hulud worm on GitHub, allowing any actor to modify and expand its reach. The worm attacks npm packages and looks for credentials for users of cloud services. Security outfit Ox has spotted the repos and believes that independent threat actors have already begun modifying it.
- ‘Mini Shai-Hulud’ malware compromises hundreds of open-source packages in sprawling supply-chain attack
A malware campaign known as 'mini Shai-Hulud' has compromised hundreds of open-source packages, embedding credential-stealing code into development tools downloaded millions of times a week. The attack targeted prominent software libraries and infected thousands of companies at once. Security researchers attribute the campaign to TeamPCP, a cloud-focused cybercriminal group.
- Worm Redux: Fresh Mini Shai-Hulud Infections Bite Supply Chain
A worm from TeamPCP has infected hundreds of npm packages related to the TanStack ecosystem, posing a threat to the supply chain. The self-propagating worm is capable of stealing credentials. This incident highlights a significant security risk in the open-source community.
- Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI & More Packages
TeamPCP has compromised npm and PyPI packages from TanStack, UiPath, Mistral AI, OpenSearch, and Guardrails AI as part of a Mini Shai-Hulud campaign. The affected packages include an obfuscated JavaScript file designed to profile execution. This compromise is part of a recent supply chain attack spree.
- TeamPCP Compromises Checkmarx Jenkins AST Plugin Weeks After KICS Supply Chain Attack
Checkmarx confirmed a modified version of the Jenkins AST plugin was published to the Jenkins Marketplace after a supply chain attack. Users are advised to use version 2.0.13-829.vc72453fa_1c16 or previously. The incident occurred weeks after the KICS supply chain attack.
- Checkmarx tackles another TeamPCP intrusion as Jenkins plugin sabotaged
Checkmarx's Jenkins plugin was sabotaged by TeamPCP, a malicious group that has compromised the company's packages multiple times. The compromised plugin was available on the Jenkins Marketplace and could have given attackers access to source code and secrets. Checkmarx is working to remove the malicious version and update customers.
- Worm rubs out competitor's malware, then takes control
A mysterious worm called PCPJack is removing TeamPCP infections from cloud instances and taking control, harvesting credentials and spreading to new targets. The worm was discovered by SentinelOne's SentinelLabs researchers in late April. It targets various services including Docker, Kubernetes, and MongoDB.
- After Replacing TeamPCP Malware, 'PCPJack' Steals Cloud Secrets
PCPJack malware replaces TeamPCP, using parquet files for stealthy target discovery in cloud environments. It canvasses multiple cloud environments, making innovative use of parquet files. This new malware poses a significant threat to cloud security.
- New PCPJack worm steals credentials, cleans TeamPCP infections
A new malware framework called PCPJack is stealing credentials from exposed cloud infrastructure and removing TeamPCP's access to systems. This malware framework is targeting cloud infrastructure and removing existing infections. The goal of PCPJack appears to be stealing sensitive information.
- Hackers hack victims hacked by other hackers
An unknown group of hackers is breaking into systems previously breached by TeamPCP, kicking them out and removing their hacking tools. The victims' systems are being targeted by this new group of hackers. This new development indicates a possible shift in the cybercrime landscape.
- PCPJack Credential Stealer Exploits 5 CVEs to Spread Worm-Like Across Cloud Systems
Cybersecurity researchers have discovered a new credential theft framework called PCPJack that targets exposed cloud infrastructure and steals credentials from various services. The framework exploits five CVEs to spread worm-like across cloud systems. It harvests credentials and exfiltrates data through attacker-controlled infrastructure.
- TeamPCP Hits SAP Packages With 'Mini Shai-Hulud' Attack
Several npm packages for SAP's cloud application development ecosystem have been compromised by TeamPCP's 'Mini Shai-Hulud' supply chain attack, expanding the group's cyberattack activities.
- Official SAP npm packages compromised to steal credentials
Multiple official SAP npm packages were compromised in a TeamPCP supply-chain attack, aiming to steal developer credentials and authentication tokens. The breach highlights vulnerabilities in software supply chains and developer security practices.
- Vect 2.0 Ransomware Acts as Wiper, Thanks to Design Error
Vect 2.0 Ransomware, used in TeamPCP supply chain attacks, functions as a data-wiping tool due to a design error, rendering decryption attempts ineffective. Experts warn against paying ransomware demands in such cases.
- Another npm supply chain worm is tearing through dev environments
Another npm supply chain attack is spreading through compromised packages, stealing secrets and sensitive data from developers' environments. The attack shares similarities with previous infections linked to the TeamPCP group and references a 'TeamPCP/LiteLLM method' in its payload.
- Blast Radius of TeamPCP Attacks Expands Amid Hacker Infighting
The article discusses expanding supply chain attacks attributed to TeamPCP, with ShinyHunters and Lapsus$ now involved in the breaches and claiming credit. This infighting among hackers complicates incident response for affected organizations.
- TeamPCP Breaches Cloud, SaaS Instances With Stolen Credentials
The threat group TeamPCP is breaching cloud and SaaS instances using stolen credentials, targeting AWS, Azure, and other platforms. Organizations are urged to act swiftly to mitigate risks from compromised credentials.
- ‘CanisterWorm’ Springs Wiper Attack Targeting Iran
A financially motivated data theft and extortion group known as TeamPCP is using a worm called CanisterWorm to wipe data on infected systems that use Iran’s time zone or have Farsi set as the default language.