TeamPCP supply-chain credential-exploitation campaign
Campaign
Summary
The TeamPCP campaign now includes a confirmed GitHub compromise tied to a poisoned Nx Console VS Code extension. GitHub said the breach of its internal repositories came from an employee device compromise, and the attack is attributed to TeamPCP, which reportedly exfiltrated about 3,800 repositories. The trojanized extension was published on Visual Studio Marketplace for 18 minutes on May 18, 2026 and was used to deploy a credential stealer targeting 1Password, Anthropic Claude Code, npm, GitHub, and AWS. This adds another supply-chain path to the campaign's existing pattern of abusing trusted developer tooling to steal reusable secrets.
Related Happenings
GlassWorm supply-chain malware activity
Malware Activity
First: 27.05.2026 14:48
Last: 27.05.2026 14:48
Sources 1
About this happening:
The **GlassWorm** malware activity is now under a coordinated **C2 disruption**, reducing its ability to deliver new instructions and payloads to infected developer systems. The o...
TrapDoor cross-ecosystem supply-chain campaign
Campaign
First: 25.05.2026 08:59
Last: 25.05.2026 08:59
Sources 1
About this happening:
The **TrapDoor** supply-chain campaign has expanded across **npm, PyPI, and Crates.io**, using **34+ malicious packages** to steal developer secrets and credentials. The operation...
Laravel Lang organization hit by network compromise
Incident
First: 23.05.2026 23:48
Last: 23.05.2026 23:48
Sources 1
About this happening:
The **Laravel Lang organization** suffered a **repository compromise** that let attackers rewrite **GitHub tags** and ship malicious code through **Composer** installs. The affect...
Megalodon GitHub CI/CD supply-chain campaign
Campaign
First: 22.05.2026 14:55
Last: 22.05.2026 14:55
Sources 1
About this happening:
The **Megalodon** campaign pushed **5,718 malicious commits** into **5,561 GitHub repositories** in about **six hours**, creating a broad **CI/CD secret-theft** risk across develo...
TeamPCP supply-chain ecosystem shift and extortion partnerships
Threat Actor Meta
First: 22.05.2026 14:55
Last: 22.05.2026 14:55
Sources 1
About this happening:
**TeamPCP** has expanded its supply-chain abuse model across open-source ecosystems, raising the risk of downstream compromise and extortion at scale. The group has **corrupted hu...
Timeline
12.05.2026 01:03 2 articles · 15d ago
TeamPCP compromises Checkmarx Jenkins AST plugin
Campaign Scope Update: TeamPCP compromised the Checkmarx Jenkins AST plugin by publishing a rogue version to repo.jenkins-ci.org on May 9, 2026, outside the official release pipeline. The malicious upload was tied to access to Checkmarx GitHub repositories and was used to deliver credential-stealing malware and malicious code to the affected organization.
Sources:
- Official CheckMarx Jenkins package compromised with infostealer — www.bleepingcomputer.com — 12.05.2026 01:03
- GitHub Internal Repositories Breached via Malicious Nx Console VS Code Extension — thehackernews.com — 21.05.2026 07:27
30.03.2026 03:00 1 article · 1mo ago
Wiz reports TeamPCP monetizing stolen supply-chain secrets
Initial Disclosure: TeamPCP is reported to be exploring ways to monetize secrets harvested during supply-chain campaigns, including cloud credentials, SSH keys, Kubernetes configuration files, and other coding process secrets, while validating, encrypting, and exfiltrating those secrets to attacker-controlled domains; Wiz also said TeamPCP was explicitly collaborating with Lapsus$.
Sources:
- TeamPCP Explores Ways to Exploit Stolen Supply Chain Secrets — www.infosecurity-magazine.com — 31.03.2026 15:15