Find notable cyber news and cases, enriched with sources, timelines, and signals.

TeamPCP uses Shai-Hulud release to build access-broker monetization pipeline

Threat Actor Meta
First reported
Last updated
Happening score
H score 16
1 unique sources, 1 articles

Summary

Hide ▲

TeamPCP is being framed as using the Shai-Hulud source-code release to drive an access broker business, turning worm distribution into a credential-monetization pipeline. The shift matters because it points to an actor-ecosystem change aimed at reusing stolen access and scaling profit, not just shipping a one-off malware drop. It also increases the chance that copycats and downstream operators will amplify the same supply-chain abuse model.

Related Happenings

Miasma self-replicating supply chain attack campaign targeting open-source repositories

Campaign
H score83 First: 06.06.2026 09:58 Last: 06.06.2026 09:58 Sources 1

About this happening: The **Miasma** self-replicating supply-chain campaign has reached **73 Microsoft repositories** across **Azure**, **Azure-Samples**, **Microsoft**, and **MicrosoftDocs** on **GitH...

TeamPCP supply-chain ecosystem shift and extortion partnerships

Threat Actor Meta
H score15 First: 22.05.2026 14:55 Last: 22.05.2026 14:55 Sources 1

About this happening: **TeamPCP** has expanded its supply-chain abuse model across open-source ecosystems, raising the risk of downstream compromise and extortion at scale. The group has **corrupted hu...

TeamPCP opens its offensive framework to copycat supply-chain attackers

Threat Actor Meta
H score60 First: 19.05.2026 07:54 Last: 19.05.2026 07:54 Sources 1

About this happening: **TeamPCP** has started distributing its **offensive framework source code**, turning a single supply-chain operation into reusable tradecraft that other threat actors can adopt....

Shai-Hulud worm clone activity on NPM

Malware Activity
H score69 First: 18.05.2026 12:45 Last: 18.05.2026 12:45 Sources 1

How related: TeamPCP published Shai-Hulud source code to GitHub last week, and the infamous worm already shows signs of spreading.

About this happening: The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...

Shai-Hulud supply-chain campaign spreading via stolen CI/CD credentials

Campaign
H score56 First: 12.05.2026 14:29 Last: 12.05.2026 14:29 Sources 1

How related: TeamPCP published Shai-Hulud source code to GitHub last week, and the infamous worm already shows signs of spreading.

About this happening: The **Shai-Hulud** **supply-chain campaign** now includes a fresh **PyPI** wave that compromised **19 packages** across **37 malicious releases**, with popular bioinformatics tool...

Timeline

  1. 18.05.2026 22:53 2 articles · 1mo ago

    TeamPCP frames Shai-Hulud release as access-broker monetization

    Attribution Update

    TeamPCP published Shai-Hulud source code to GitHub last week, prompting follow-on forks and clone worms in the NPM ecosystem. Security researchers described the release as a marketing campaign for an access broker business, with copycat operators standing up their own C2 infrastructure while feeding stolen credentials into TeamPCP's monetization pipeline.

    Show sources