TeamPCP fast-moving open-source package supply-chain campaign
Campaign
Summary
Hide ▲
Show ▼
The TeamPCP campaign is broadening its open-source supply-chain targeting, putting PyPI developers and automated build systems at risk of installing trojanized packages. Recent compromises span Trivy, LiteLLM, and Telnyx, showing repeated pressure on trusted Python software distribution paths. The short gap between the latest compromises suggests the operators are iterating quickly across targets rather than acting opportunistically.
Related Happenings
TeamPCP uses Shai-Hulud release to build access-broker monetization pipeline
Threat Actor Meta
H score16
First: 18.05.2026 22:53
Last: 18.05.2026 22:53
Sources 1
About this happening:
**TeamPCP** is being framed as using the **Shai-Hulud** source-code release to drive an **access broker** business, turning worm distribution into a credential-monetization pipeli...
TeamPCP uses Shai-Hulud release to build access-broker monetization pipeline
Threat Actor MetaAbout this happening: **TeamPCP** is being framed as using the **Shai-Hulud** source-code release to drive an **access broker** business, turning worm distribution into a credential-monetization pipeli...
Mini Shai-Hulud supply-chain campaign targeting npm and PyPI
Campaign
H score45
First: 12.05.2026 17:45
Last: 12.05.2026 17:45
Sources 1
About this happening:
The **Mini Shai-Hulud** **supply-chain campaign** linked to **TeamPCP** expanded into downstream victim reporting, including **Grafana Labs**. Grafana said its **GitHub environmen...
Mini Shai-Hulud supply-chain campaign targeting npm and PyPI
CampaignAbout this happening: The **Mini Shai-Hulud** **supply-chain campaign** linked to **TeamPCP** expanded into downstream victim reporting, including **Grafana Labs**. Grafana said its **GitHub environmen...
Latest development: 21.05.2026 11:00
Grafana Labs said its GitHub environment was accessed and its codebase downloaded, with additional internal operational information taken from GitHub repositories, after compromise linked to the Mini Shai-Hulud campaign and TanStack npm packages. Grafana said it first spotted malicious activity on May 11, discovered the unauthorized download on May 17, and after contact from the ransom gang rotated automation tokens, enabled enhanced monitoring, audited commits since the May 11 incident, and hardened its GitHub security posture, while saying there is no indication customer production systems or operations were compromised.
Shai-Hulud supply-chain campaign spreading via stolen CI/CD credentials
Campaign
H score56
First: 12.05.2026 14:29
Last: 12.05.2026 14:29
Sources 1
About this happening:
The **Shai-Hulud** **supply-chain campaign** now includes a fresh **PyPI** wave that compromised **19 packages** across **37 malicious releases**, with popular bioinformatics tool...
Shai-Hulud supply-chain campaign spreading via stolen CI/CD credentials
CampaignAbout this happening: The **Shai-Hulud** **supply-chain campaign** now includes a fresh **PyPI** wave that compromised **19 packages** across **37 malicious releases**, with popular bioinformatics tool...
TeamPCP Mini Shai-Hulud npm supply-chain campaign
Campaign
H score75
First: 12.05.2026 14:07
Last: 12.05.2026 14:07
Sources 1
About this happening:
The **TeamPCP**-linked **Mini Shai-Hulud** campaign is an active **npm supply-chain operation** that steals developer credentials and abuses trusted publishing paths to spread tro...
TeamPCP Mini Shai-Hulud npm supply-chain campaign
CampaignAbout this happening: The **TeamPCP**-linked **Mini Shai-Hulud** campaign is an active **npm supply-chain operation** that steals developer credentials and abuses trusted publishing paths to spread tro...
Mini Shai-Hulud npm supply-chain malware wave
Malware Activity
H score68
First: 12.05.2026 14:07
Last: 12.05.2026 14:07
Sources 1
About this happening:
The **Mini Shai-Hulud** npm **malware activity** now includes the **Miasma** variant affecting **Microsoft GitHub repositories** in a self-replicating **supply-chain campaign**. O...
Mini Shai-Hulud npm supply-chain malware wave
Malware ActivityAbout this happening: The **Mini Shai-Hulud** npm **malware activity** now includes the **Miasma** variant affecting **Microsoft GitHub repositories** in a self-replicating **supply-chain campaign**. O...
Latest development: 09.06.2026 18:42
On June 5, Microsoft removed 73 repositories across its Azure, microsoft, Azure-Samples, and MicrosoftDocs organizations on GitHub after concerns about potential malicious content tied to the Miasma/Shai-Hulud supply-chain campaign. The action disrupted continuous integration pipelines and broke workflows that depended on Azure/functions-action, while Microsoft said it temporarily removed some repositories during its investigation.
Timeline
-
13.04.2026 09:50 1 articles · 2mo ago
TeamPCP expands supply-chain campaign through malicious Axios
Campaign Scope UpdateTeamPCP's supply-chain activity broadened when an OpenAI GitHub Actions workflow used to sign ChatGPT Desktop, Codex, Codex CLI, and Atlas downloaded Axios version 1.14.1 on March 31, 2026. OpenAI said it found no evidence that user data, internal systems, or intellectual property were compromised and is revoking and rotating the signing certificate.
Show sources
- OpenAI Revokes macOS App Certificate After Malicious Axios Supply Chain Incident — thehackernews.com — 13.04.2026 09:50
-
27.03.2026 17:06 1 articles · 3mo ago
TeamPCP Telnyx package compromise disclosed
Initial DisclosureOn March 27, Socket and Endor Labs disclosed that the official Telnyx Python SDK on PyPI had been compromised in a software supply chain attack. Malicious versions 4.87.1 and 4.87.2 were designed to run at install time, steal SSH private keys and bash history files, and send the data to an attacker-controlled server after a maintainer account compromise, with Aikido Security and Wiz independently reaching the same conclusion.
Show sources
- TeamPCP Targets Telnyx Package in Latest PyPI Software Supply Chain Attack — www.infosecurity-magazine.com — 27.03.2026 17:06