Skip to content
The Nexus
DossierENTITY

TeamPCP

Coverage of TeamPCP in the Nexus archive.

Earliest in view: Mar 23 · 15:43 UTCMost recent: Jun 9 · 18:05 UTC
Co-mentioned in this coverage
Recent coverage
  • SECURITYJun 9 · 18:05 UTCTHE REGISTER
    Miasma worms its way onto GitHub as attack kit goes open source

    The Miasma worm, a supply-chain attack toolkit, was open-sourced on GitHub via compromised developer accounts, enabling attacks on public registries and repositories. SafeDep identified the malicious repositories, which allow credential-based attacks on platforms like PyPI, npm, and GitHub, following a pattern similar to TeamPCP's earlier mini Shai-Hulud worm. The release has raised concerns about supply-chain security, with 473 affected package artifacts tracked by Socket.

  • SECURITYJun 1 · 21:54 UTCTHE REGISTER
    Shai-Hulud malware worms Red Hat npm package versions downloaded 80K times a week

    Security researchers discovered malware in 32 Red Hat npm package releases, which were downloaded 80,000 times weekly. The Mini Shai-Hulud worm, linked to TeamPCP, was embedded via a compromised GitHub account, stealing credentials and enabling supply chain propagation. Red Hat removed the packages, stating they were internal and not used in customer systems.

  • SECURITYMay 26 · 19:18 UTCDARK READING
    The Hackers Behind Shai-Hulud: Lucky or Skilled?

    TeamPCP, the hackers behind the Shai-Hulud worm, has caused significant damage to the open source ecosystem. The article questions whether their success stems from skill or luck, suggesting their impact may not be solely due to technical expertise.

  • SECURITYMay 22 · 18:57 UTCTHE REGISTER
    Megalodon chums the waters in 5.5K+ GitHub repo poisonings

    A malware campaign called Megalodon poisoned over 5,500 GitHub repositories with CI/CD credential-stealing malware, stealing AWS keys, Google Cloud tokens, and other sensitive credentials. The attack, discovered by SafeDep researchers, was distributed through a compromised Tiledesk package on npm, marking an escalation in supply chain attacks targeting developers.

  • SECURITYMay 22 · 10:30 UTCARS TECHNICA
    A hacker group is poisoning open source code at an unprecedented scale

    A hacker group called TeamPCP has breached GitHub through a poisoned VSCode extension installed by a developer, compromising approximately 3,800-4,000 repositories containing GitHub's internal source code. The attack represents an escalation in software supply chain attacks, with TeamPCP now conducting such breaches on a near-weekly basis and extorting victims. The group is attempting to sell GitHub's source code and internal organization data on BreachForums.

  • SECURITYMay 21 · 17:05 UTCCYBERSCOOP
    CISA chief frets about open-source vulnerabilities, delayed security improvements

    CISA acting director Nick Andersen expressed concern about vulnerabilities in open-source software that underpins modern digital infrastructure, citing recent attacks by North Korean group TeamPCP. He emphasized the need for hard security decisions and modified approaches to vulnerability management, while noting the U.S. has delayed necessary security improvements and accumulated significant technical debt.

  • SECURITYMay 21 · 09:00 UTCWIRED
    A Hacker Group Is Poisoning Open Source Code at an Unprecedented Scale

    A hacker group called TeamPCP has conducted widespread software supply chain attacks targeting open source code on GitHub and impacting hundreds of organizations. This represents an unprecedented scale of coordinated attacks on the open source ecosystem. GitHub is identified as one of the latest victims of this campaign.

  • SECURITYMay 20 · 20:51 UTCDARK READING
    GitHub Confirms Breach, 4K Internal Repos Stolen

    GitHub confirmed a data breach involving the theft of thousands of internal repositories. A threat actor called TeamPCP took credit for the breach, which affected over 4,000 internal repos. The breach highlights a significant security concern for the open source software giant.

  • SECURITYMay 20 · 16:54 UTCDECRYPT
    GitHub Confirms 3,800 Internal Repos Stolen Through Poisoned VS Code Extension

    GitHub confirmed that 3,800 internal repositories were stolen through a poisoned Visual Studio Code extension. The breach occurred after an employee installed a malicious coding tool, giving TeamPCP access to GitHub's private source code. This incident highlights a significant security vulnerability.

  • SECURITYMay 20 · 14:48 UTCCYBERSCOOP
    GitHub says internal repositories were taken in poisoned VS Code extension attack

    GitHub internal repositories were compromised through a poisoned Visual Studio Code extension, with the company detecting and containing the compromise and rotating critical secrets. The incident underscores growing risks in software development platforms. GitHub assesses that only internal repositories were affected.

  • SECURITYMay 20 · 12:21 UTCRECORDED FUTURE NEWS
    GitHub confirms being hacked by TeamPCP, says customer data unaffected

    GitHub confirmed a security breach by TeamPCP, who advertised stolen source code on a cybercrime forum, but GitHub claims customer data was unaffected. The breach affects GitHub, which hosts code for over 100 million developers worldwide. GitHub announced the breach on social media.

  • SECURITYMay 20 · 10:27 UTCTHE REGISTER
    GitHub says internal repos exfiltrated after poisoned VS Code extension attack

    GitHub was compromised due to a malicious Visual Studio Code extension, resulting in the exfiltration of internal repositories. The company is analyzing logs and monitoring for further activity. The incident has raised concerns about the security of private repositories and credentials.

  • SECURITYMay 20 · 05:08 UTCBLEEPING COMPUTER
    GitHub investigates internal repositories breach claimed by TeamPCP

    GitHub is investigating a breach of its internal repositories after TeamPCP claimed to have accessed approximately 4,000 repositories containing private code. The breach may expose sensitive information. GitHub is taking steps to address the issue.

  • SECURITYMay 20 · 04:01 UTCTHE HACKER NEWS
    GitHub Investigating TeamPCP Claimed Breach of ~4,000 Internal Repositories

    GitHub is investigating a potential breach of around 4,000 internal repositories after TeamPCP listed the platform's source code and internal organizations for sale on a cybercrime forum. There is currently no evidence of impact to customer information stored outside of GitHub's internal repositories. The incident is being investigated by GitHub.

  • SECURITYMay 19 · 15:28 UTCCYBERSCOOP
    Mini Shai-Hulud returns, compromising hundreds of npm packages

    A self-replicating malware campaign known as Mini Shai-Hulud has resurfaced, embedding itself across hundreds of npm packages and compromising developer environments. The threat actor behind it, TeamPCP, has been linked to earlier waves of the same campaign. The malware can spread autonomously and install persistent backdoors at the operating system level.

  • SECURITYMay 18 · 22:07 UTCTHE REGISTER
    Shai-Hulud copycat worm infects yet another npm package

    A Shai-Hulud copycat worm has been found in another npm package, chalk-tempalte, which is a malicious extension of the popular JavaScript library Chalk. The poisoned package contains a clone of Shai-Hulud, which steals secrets and sends them to a remote server. Four malicious packages have been detected, with a total of 2,678 weekly downloads.

  • SECURITYMay 18 · 14:15 UTCTHE REGISTER
    TanStack weighs invitation-only pull requests after supply chain attack

    The TanStack team is considering making pull requests invitation-only after a supply chain attack used malicious code from the Shai-Hulud worm. The attack poisoned a cache used across the entire repository and led to security measures being proposed. The team is weighing the benefits of increased security against potential deterrents to contributions.

  • SECURITYMay 18 · 08:57 UTCTHE HACKER NEWS
    Four Malicious npm Packages Deliver Infostealers and Phantom Bot DDoS Malware

    Cybersecurity researchers discovered four malicious npm packages containing information-stealing malware and DDoS malware. The packages have a total of 3006 downloads. One of the packages is a clone of the Shai-Hulud worm.

  • SECURITYMay 15 · 10:08 UTCTHE REGISTER
    OpenAI caught in TanStack npm supply chain chaos after employee devices compromised

    OpenAI was caught up in the TanStack npm supply chain compromise after employee devices were compromised, forcing the company to rotate signing certificates for several desktop products. The incident is part of a wider campaign targeting npm ecosystems and developer infrastructure. No customer data or production systems were compromised.

  • SECURITYMay 14 · 22:50 UTCBLEEPING COMPUTER
    TeamPCP hackers advertise Mistral AI code repos for sale

    The TeamPCP hacker group is threatening to leak source code from the Mistral AI project unless a buyer is found for the data. The hackers are advertising the code repos for sale. This poses a significant security risk for Mistral AI.

  • SECURITYMay 13 · 06:23 UTCTHE REGISTER
    Malware crew TeamPCP open-sources its Shai-Hulud worm on GitHub

    The malware crew TeamPCP has open-sourced its Shai-Hulud worm on GitHub, allowing any actor to modify and expand its reach. The worm attacks npm packages and looks for credentials for users of cloud services. Security outfit Ox has spotted the repos and believes that independent threat actors have already begun modifying it.

  • SECURITYMay 12 · 21:38 UTCCYBERSCOOP
    ‘Mini Shai-Hulud’ malware compromises hundreds of open-source packages in sprawling supply-chain attack

    A malware campaign known as 'mini Shai-Hulud' has compromised hundreds of open-source packages, embedding credential-stealing code into development tools downloaded millions of times a week. The attack targeted prominent software libraries and infected thousands of companies at once. Security researchers attribute the campaign to TeamPCP, a cloud-focused cybercriminal group.

  • SECURITYMay 12 · 11:07 UTCDARK READING
    Worm Redux: Fresh Mini Shai-Hulud Infections Bite Supply Chain

    A worm from TeamPCP has infected hundreds of npm packages related to the TanStack ecosystem, posing a threat to the supply chain. The self-propagating worm is capable of stealing credentials. This incident highlights a significant security risk in the open-source community.

  • SECURITYMay 12 · 08:50 UTCTHE HACKER NEWS
    Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI & More Packages

    TeamPCP has compromised npm and PyPI packages from TanStack, UiPath, Mistral AI, OpenSearch, and Guardrails AI as part of a Mini Shai-Hulud campaign. The affected packages include an obfuscated JavaScript file designed to profile execution. This compromise is part of a recent supply chain attack spree.

  • SECURITYMay 11 · 18:30 UTCTHE HACKER NEWS
    TeamPCP Compromises Checkmarx Jenkins AST Plugin Weeks After KICS Supply Chain Attack

    Checkmarx confirmed a modified version of the Jenkins AST plugin was published to the Jenkins Marketplace after a supply chain attack. Users are advised to use version 2.0.13-829.vc72453fa_1c16 or previously. The incident occurred weeks after the KICS supply chain attack.

  • SECURITYMay 11 · 12:11 UTCTHE REGISTER
    Checkmarx tackles another TeamPCP intrusion as Jenkins plugin sabotaged

    Checkmarx's Jenkins plugin was sabotaged by TeamPCP, a malicious group that has compromised the company's packages multiple times. The compromised plugin was available on the Jenkins Marketplace and could have given attackers access to source code and secrets. Checkmarx is working to remove the malicious version and update customers.

  • SECURITYMay 8 · 17:26 UTCTHE REGISTER
    Worm rubs out competitor's malware, then takes control

    A mysterious worm called PCPJack is removing TeamPCP infections from cloud instances and taking control, harvesting credentials and spreading to new targets. The worm was discovered by SentinelOne's SentinelLabs researchers in late April. It targets various services including Docker, Kubernetes, and MongoDB.

  • SECURITYMay 7 · 20:43 UTCDARK READING
    After Replacing TeamPCP Malware, 'PCPJack' Steals Cloud Secrets

    PCPJack malware replaces TeamPCP, using parquet files for stealthy target discovery in cloud environments. It canvasses multiple cloud environments, making innovative use of parquet files. This new malware poses a significant threat to cloud security.

  • SECURITYMay 7 · 18:35 UTCBLEEPING COMPUTER
    New PCPJack worm steals credentials, cleans TeamPCP infections

    A new malware framework called PCPJack is stealing credentials from exposed cloud infrastructure and removing TeamPCP's access to systems. This malware framework is targeting cloud infrastructure and removing existing infections. The goal of PCPJack appears to be stealing sensitive information.

  • SECURITYMay 7 · 18:28 UTCTECHCRUNCH
    Hackers hack victims hacked by other hackers

    An unknown group of hackers is breaking into systems previously breached by TeamPCP, kicking them out and removing their hacking tools. The victims' systems are being targeted by this new group of hackers. This new development indicates a possible shift in the cybercrime landscape.

  • SECURITYMay 7 · 17:45 UTCTHE HACKER NEWS
    PCPJack Credential Stealer Exploits 5 CVEs to Spread Worm-Like Across Cloud Systems

    Cybersecurity researchers have discovered a new credential theft framework called PCPJack that targets exposed cloud infrastructure and steals credentials from various services. The framework exploits five CVEs to spread worm-like across cloud systems. It harvests credentials and exfiltrates data through attacker-controlled infrastructure.

  • SECURITYApr 30 · 21:01 UTCDARK READING
    TeamPCP Hits SAP Packages With 'Mini Shai-Hulud' Attack

    Several npm packages for SAP's cloud application development ecosystem have been compromised by TeamPCP's 'Mini Shai-Hulud' supply chain attack, expanding the group's cyberattack activities.

  • SECURITYApr 29 · 22:43 UTCBLEEPING COMPUTER
    Official SAP npm packages compromised to steal credentials

    Multiple official SAP npm packages were compromised in a TeamPCP supply-chain attack, aiming to steal developer credentials and authentication tokens. The breach highlights vulnerabilities in software supply chains and developer security practices.

  • SECURITYApr 29 · 15:23 UTCDARK READING
    Vect 2.0 Ransomware Acts as Wiper, Thanks to Design Error

    Vect 2.0 Ransomware, used in TeamPCP supply chain attacks, functions as a data-wiping tool due to a design error, rendering decryption attempts ineffective. Experts warn against paying ransomware demands in such cases.

  • SECURITYApr 22 · 22:34 UTCTHE REGISTER
    Another npm supply chain worm is tearing through dev environments

    Another npm supply chain attack is spreading through compromised packages, stealing secrets and sensitive data from developers' environments. The attack shares similarities with previous infections linked to the TeamPCP group and references a 'TeamPCP/LiteLLM method' in its payload.

  • SECURITYApr 3 · 15:11 UTCDARK READING
    Blast Radius of TeamPCP Attacks Expands Amid Hacker Infighting

    The article discusses expanding supply chain attacks attributed to TeamPCP, with ShinyHunters and Lapsus$ now involved in the breaches and claiming credit. This infighting among hackers complicates incident response for affected organizations.

  • SECURITYMar 31 · 20:02 UTCDARK READING
    TeamPCP Breaches Cloud, SaaS Instances With Stolen Credentials

    The threat group TeamPCP is breaching cloud and SaaS instances using stolen credentials, targeting AWS, Azure, and other platforms. Organizations are urged to act swiftly to mitigate risks from compromised credentials.

  • SECURITYMar 23 · 15:43 UTCKREBS ON SECURITY
    ‘CanisterWorm’ Springs Wiper Attack Targeting Iran

    A financially motivated data theft and extortion group known as TeamPCP is using a worm called CanisterWorm to wipe data on infected systems that use Iran’s time zone or have Farsi set as the default language.

TeamPCP · Dossier · The Nexus