TeamPCP supply-chain credential-exploitation campaign
Campaign
Summary
Hide ▲
Show ▼
The TeamPCP campaign now includes a confirmed GitHub compromise tied to a poisoned Nx Console VS Code extension. GitHub said the breach of its internal repositories came from an employee device compromise, and the attack is attributed to TeamPCP, which reportedly exfiltrated about 3,800 repositories. The trojanized extension was published on Visual Studio Marketplace for 18 minutes on May 18, 2026 and was used to deploy a credential stealer targeting 1Password, Anthropic Claude Code, npm, GitHub, and AWS. This adds another supply-chain path to the campaign's existing pattern of abusing trusted developer tooling to steal reusable secrets.
Related Happenings
Single organization's private GitHub repository cloned after confirmed access
Data Leak
H score12
First: 09.07.2026 21:38
Last: 09.07.2026 21:38
Sources 1
About this happening:
**Confirmed access** to a **private GitHub repository** belonging to **one organization** marks a concrete **data exposure** and raises the risk of source-code or internal-content...
Single organization's private GitHub repository cloned after confirmed access
Data LeakAbout this happening: **Confirmed access** to a **private GitHub repository** belonging to **one organization** marks a concrete **data exposure** and raises the risk of source-code or internal-content...
Malicious npm and PyPI payment SDK typosquat packages
Malware Activity
H score40
First: 09.07.2026 18:09
Last: 09.07.2026 18:09
Sources 1
About this happening:
The **17 malicious npm and PyPI packages** targeted **Paysafe, Skrill, and Neteller SDKs** to steal **system information** and **developer secrets**, then send the data to an **Ng...
Malicious npm and PyPI payment SDK typosquat packages
Malware ActivityAbout this happening: The **17 malicious npm and PyPI packages** targeted **Paysafe, Skrill, and Neteller SDKs** to steal **system information** and **developer secrets**, then send the data to an **Ng...
Malicious npm and PyPI Paysafe, Skrill, and Neteller SDK packages delivering stealer malware
Malware Activity
H score37
First: 08.07.2026 22:54
Last: 08.07.2026 22:54
Sources 1
About this happening:
Malicious **npm** and **PyPI** packages impersonating **Paysafe**, **Skrill**, and **Neteller** SDKs delivered **stealer malware** that siphoned secrets from developer environment...
Malicious npm and PyPI Paysafe, Skrill, and Neteller SDK packages delivering stealer malware
Malware ActivityAbout this happening: Malicious **npm** and **PyPI** packages impersonating **Paysafe**, **Skrill**, and **Neteller** SDKs delivered **stealer malware** that siphoned secrets from developer environment...
North Korean Contagious Interview PolinRider supply-chain campaign
Campaign
H score51
First: 04.07.2026 14:17
Last: 04.07.2026 14:17
Sources 1
About this happening:
The **Contagious Interview / PolinRider** campaign is still active, with **108 unique packages and browser extensions** published across **npm, Packagist, Go, and Google Chrome**....
North Korean Contagious Interview PolinRider supply-chain campaign
CampaignAbout this happening: The **Contagious Interview / PolinRider** campaign is still active, with **108 unique packages and browser extensions** published across **npm, Packagist, Go, and Google Chrome**....
Vect and TeamPCP industrialize ransomware through a supply-chain credential-theft alliance
Threat Actor Meta
H score67
First: 03.07.2026 14:30
Last: 03.07.2026 14:30
Sources 1
About this happening:
**Vect** and **TeamPCP** formed a new **ransomware-as-a-service** partnership that combines **supply-chain credential theft** with extortion, expanding the risk of follow-on attac...
Vect and TeamPCP industrialize ransomware through a supply-chain credential-theft alliance
Threat Actor MetaAbout this happening: **Vect** and **TeamPCP** formed a new **ransomware-as-a-service** partnership that combines **supply-chain credential theft** with extortion, expanding the risk of follow-on attac...
Timeline
-
12.05.2026 01:03 2 articles · 1mo ago
TeamPCP compromises Checkmarx Jenkins AST plugin
Campaign Scope UpdateTeamPCP compromised the Checkmarx Jenkins AST plugin by publishing a rogue version to repo.jenkins-ci.org on May 9, 2026, outside the official release pipeline. The malicious upload was tied to access to Checkmarx GitHub repositories and was used to deliver credential-stealing malware and malicious code to the affected organization.
Show sources
- Official CheckMarx Jenkins package compromised with infostealer — www.bleepingcomputer.com — 12.05.2026 01:03
- GitHub Internal Repositories Breached via Malicious Nx Console VS Code Extension — thehackernews.com — 21.05.2026 07:27
-
30.03.2026 03:00 1 articles · 3mo ago
Wiz reports TeamPCP monetizing stolen supply-chain secrets
Initial DisclosureTeamPCP is reported to be exploring ways to monetize secrets harvested during supply-chain campaigns, including cloud credentials, SSH keys, Kubernetes configuration files, and other coding process secrets, while validating, encrypting, and exfiltrating those secrets to attacker-controlled domains; Wiz also said TeamPCP was explicitly collaborating with Lapsus$.
Show sources
- TeamPCP Explores Ways to Exploit Stolen Supply Chain Secrets — www.infosecurity-magazine.com — 31.03.2026 15:15