Find notable cyber news and cases, enriched with sources, timelines, and signals.

TeamPCP supply-chain credential-exploitation campaign

Campaign
First reported
Last updated
Happening score
H score 34
3 unique sources, 3 articles

Summary

Hide ▲

The TeamPCP campaign now includes a confirmed GitHub compromise tied to a poisoned Nx Console VS Code extension. GitHub said the breach of its internal repositories came from an employee device compromise, and the attack is attributed to TeamPCP, which reportedly exfiltrated about 3,800 repositories. The trojanized extension was published on Visual Studio Marketplace for 18 minutes on May 18, 2026 and was used to deploy a credential stealer targeting 1Password, Anthropic Claude Code, npm, GitHub, and AWS. This adds another supply-chain path to the campaign's existing pattern of abusing trusted developer tooling to steal reusable secrets.

Related Happenings

Single organization's private GitHub repository cloned after confirmed access

Data Leak
H score12 First: 09.07.2026 21:38 Last: 09.07.2026 21:38 Sources 1

About this happening: **Confirmed access** to a **private GitHub repository** belonging to **one organization** marks a concrete **data exposure** and raises the risk of source-code or internal-content...

Malicious npm and PyPI payment SDK typosquat packages

Malware Activity
H score40 First: 09.07.2026 18:09 Last: 09.07.2026 18:09 Sources 1

About this happening: The **17 malicious npm and PyPI packages** targeted **Paysafe, Skrill, and Neteller SDKs** to steal **system information** and **developer secrets**, then send the data to an **Ng...

Malicious npm and PyPI Paysafe, Skrill, and Neteller SDK packages delivering stealer malware

Malware Activity
H score37 First: 08.07.2026 22:54 Last: 08.07.2026 22:54 Sources 1

About this happening: Malicious **npm** and **PyPI** packages impersonating **Paysafe**, **Skrill**, and **Neteller** SDKs delivered **stealer malware** that siphoned secrets from developer environment...

North Korean Contagious Interview PolinRider supply-chain campaign

Campaign
H score51 First: 04.07.2026 14:17 Last: 04.07.2026 14:17 Sources 1

About this happening: The **Contagious Interview / PolinRider** campaign is still active, with **108 unique packages and browser extensions** published across **npm, Packagist, Go, and Google Chrome**....

Vect and TeamPCP industrialize ransomware through a supply-chain credential-theft alliance

Threat Actor Meta
H score67 First: 03.07.2026 14:30 Last: 03.07.2026 14:30 Sources 1

About this happening: **Vect** and **TeamPCP** formed a new **ransomware-as-a-service** partnership that combines **supply-chain credential theft** with extortion, expanding the risk of follow-on attac...

Timeline

  1. 12.05.2026 01:03 2 articles · 1mo ago

    TeamPCP compromises Checkmarx Jenkins AST plugin

    Campaign Scope Update

    TeamPCP compromised the Checkmarx Jenkins AST plugin by publishing a rogue version to repo.jenkins-ci.org on May 9, 2026, outside the official release pipeline. The malicious upload was tied to access to Checkmarx GitHub repositories and was used to deliver credential-stealing malware and malicious code to the affected organization.

    Show sources
  2. 30.03.2026 03:00 1 articles · 3mo ago

    Wiz reports TeamPCP monetizing stolen supply-chain secrets

    Initial Disclosure

    TeamPCP is reported to be exploring ways to monetize secrets harvested during supply-chain campaigns, including cloud credentials, SSH keys, Kubernetes configuration files, and other coding process secrets, while validating, encrypting, and exfiltrating those secrets to attacker-controlled domains; Wiz also said TeamPCP was explicitly collaborating with Lapsus$.

    Show sources