
TeamPCP Mini Shai-Hulud npm supply-chain campaign

Campaign
Happening score: 48
3 unique sources, 4 articles

Summary


The TeamPCP-linked Mini Shai-Hulud campaign is a malicious npm supply-chain operation that steals developer credentials and abuses trusted publishing paths to spread trojanized packages. A recent wave hit the TanStack ecosystem, including 373 malicious package-version entries across 169 npm package names and 84 compromised TanStack npm package artifacts, and the malware used GitHub Actions/OIDC plus maintainers’ publishing credentials to push altered releases. The campaign remains active and matters because stolen tokens and pipeline access can enable self-propagation and downstream compromise across developer ecosystems.

Related Happenings

GlassWorm supply-chain malware activity

Malware Activity
First: 27.05.2026 14:48 Last: 27.05.2026 14:48 Sources 1

About this happening: The **GlassWorm** malware activity is now under a coordinated **C2 disruption**, reducing its ability to deliver new instructions and payloads to infected developer systems. The o...

TrapDoor cross-ecosystem supply-chain campaign

Campaign
First: 25.05.2026 08:59 Last: 25.05.2026 08:59 Sources 1

About this happening: The **TrapDoor** supply-chain campaign has expanded across **npm, PyPI, and Crates.io**, using **34+ malicious packages** to steal developer secrets and credentials. The operation...

Megalodon GitHub CI/CD supply-chain campaign

Campaign
First: 22.05.2026 14:55 Last: 22.05.2026 14:55 Sources 1

About this happening: The **Megalodon** campaign pushed **5,718 malicious commits** into **5,561 GitHub repositories** in about **six hours**, creating a broad **CI/CD secret-theft** risk across develo...

TeamPCP supply-chain ecosystem shift and extortion partnerships

Threat Actor Meta
First: 22.05.2026 14:55 Last: 22.05.2026 14:55 Sources 1

About this happening: **TeamPCP** has expanded its supply-chain abuse model across open-source ecosystems, raising the risk of downstream compromise and extortion at scale. The group has **corrupted hu...

GitHub data exposed after GitHub breach

Data Leak
First: 20.05.2026 11:14 Last: 20.05.2026 11:14 Sources 1

How related: the TeamPCP cybercrime gang claimed access to GitHub source code and "~4,000 repos of private code" on the Breached forum on Tuesday, and is now asking for at least $50,000 for the stolen data.

About this happening: GitHub confirmed **exfiltration** of **internal repositories**, making private code and related content potentially available to outsiders. Attackers on the **Breached cybercrime...

Timeline

  1. 12.05.2026 14:07 2 articles · 15d ago

    Mini Shai-Hulud fresh wave compromises TanStack npm packages

    Initial Disclosure

    Researchers disclosed a fresh wave of TeamPCP-linked Mini Shai-Hulud infections across compromised npm packages in the TanStack developer ecosystem, including 373 malicious package-version entries across 169 npm package names and 84 compromised TanStack npm package artifacts. The malware steals credentials from developer machines and CI/CD runners, then abuses trusted publishing paths, GitHub Actions/OIDC, and maintainers’ publishing credentials to push trojanized package updates.

  2. 26.11.2025 20:08 2 articles · 6mo ago

    Shai-Hulud v2 expands from npm into Maven packages

    Campaign Scope Update

    Shai-Hulud v2 expanded from npm into Maven through org.mvnpm:posthog-node:4.18.1, which contained setup_bun.js and bun_environment.js. The campaign also abused GitHub Actions CI misconfigurations in projects associated with PostHog, AsyncAPI, and Postman, and the broader operation was linked to more than 28,000 affected repositories and widespread secret theft.
