TeamPCP uses Shai-Hulud release to build access-broker monetization pipeline
Threat Actor Meta
Summary
TeamPCP is being framed as using the Shai-Hulud source-code release to drive an access broker business, turning worm distribution into a credential-monetization pipeline. The shift matters because it points to an actor-ecosystem change aimed at reusing stolen access and scaling profit, not just shipping a one-off malware drop. It also increases the chance that copycats and downstream operators will amplify the same supply-chain abuse model.
Related Happenings
TeamPCP supply-chain ecosystem shift and extortion partnerships
Threat Actor Meta
First: 22.05.2026 14:55
Last: 22.05.2026 14:55
Sources 1
About this happening:
**TeamPCP** has expanded its supply-chain abuse model across open-source ecosystems, raising the risk of downstream compromise and extortion at scale. The group has **corrupted hu...
TeamPCP opens its offensive framework to copycat supply-chain attackers
Threat Actor Meta
First: 19.05.2026 07:54
Last: 19.05.2026 07:54
Sources 1
About this happening:
**TeamPCP** has started distributing its **offensive framework source code**, turning a single supply-chain operation into reusable tradecraft that other threat actors can adopt....
Shai-Hulud worm clone activity on NPM
Malware Activity
First: 18.05.2026 12:45
Last: 18.05.2026 12:45
Sources 1
How related:
TeamPCP published Shai-Hulud source code to GitHub last week, and the infamous worm already shows signs of spreading.
About this happening:
The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...
Shai-Hulud supply-chain campaign spreading via stolen CI/CD credentials
Campaign
First: 12.05.2026 14:29
Last: 12.05.2026 14:29
Sources 1
How related:
TeamPCP published Shai-Hulud source code to GitHub last week, and the infamous worm already shows signs of spreading.
About this happening:
The **Shai-Hulud** **supply-chain campaign** remains active across **npm**, **PyPI**, and **Composer**, with the latest reporting tying **TeamPCP** to both a claimed **GitHub inte...
TeamPCP Mini Shai-Hulud npm supply-chain campaign
Campaign
First: 12.05.2026 14:07
Last: 12.05.2026 14:07
Sources 1
About this happening:
The **TeamPCP**-linked **Mini Shai-Hulud** campaign is a **malicious npm supply-chain operation** that steals developer credentials and abuses trusted publishing paths to spread t...
Timeline
18.05.2026 22:53 · 2 articles
TeamPCP frames Shai-Hulud release as access-broker monetization
Attribution Update
TeamPCP published Shai-Hulud source code to GitHub last week, prompting follow-on forks and clone worms in the NPM ecosystem. Security researchers described the release as a marketing campaign for an access broker business, with copycat operators standing up their own C2 infrastructure while feeding stolen credentials into TeamPCP's monetization pipeline.
- Shai-Hulud Worm Clones Spread After Code Release — www.darkreading.com — 18.05.2026 22:53