TeamPCP opens its offensive framework to copycat supply-chain attackers
Threat Actor Meta
Summary
TeamPCP has started distributing its offensive framework source code, turning a single supply-chain operation into reusable tradecraft that other threat actors can adopt. The change matters because it lowers the barrier for copycat worms and other npm-focused attacks, expanding the reach of the original playbook. The source release was tied to a BreachForums-announced contest, creating a new ecosystem channel for reuse and iteration. That shift raises the odds of cloned campaigns and makes attribution harder as variants spread across open-source registries.
Related Happenings
TeamPCP supply-chain ecosystem shift and extortion partnerships
Threat Actor Meta
First: 22.05.2026 14:55
Last: 22.05.2026 14:55
Sources 1
About this happening:
**TeamPCP** has expanded its supply-chain abuse model across open-source ecosystems, raising the risk of downstream compromise and extortion at scale. The group has **corrupted hu...
TeamPCP uses Shai-Hulud release to build access-broker monetization pipeline
Threat Actor Meta
First: 18.05.2026 22:53
Last: 18.05.2026 22:53
Sources 1
About this happening:
**TeamPCP** is being framed as using the **Shai-Hulud** source-code release to drive an **access broker** business, turning worm distribution into a credential-monetization pipeli...
Shai-Hulud worm clone activity on NPM
Malware Activity
First: 18.05.2026 12:45
Last: 18.05.2026 12:45
Sources 1
How related:
The application security company said the tradecraft matches Mini Shai-Hulud, where a compromised maintainer account is leveraged to push out trojanized versions in quick succession.
About this happening:
The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...
TeamPCP Mini Shai-Hulud npm supply-chain campaign
Campaign
First: 12.05.2026 14:07
Last: 12.05.2026 14:07
Sources 1
How related:
The self-replicating Mini Shai-Hulud campaign is assessed to be the work of a financially motivated threat actor named TeamPCP.
About this happening:
The **TeamPCP**-linked **Mini Shai-Hulud** campaign is a **malicious npm supply-chain operation** that steals developer credentials and abuses trusted publishing paths to spread t...
PCPJack TeamPCP-targeting cloud credential theft campaign
Campaign
First: 08.05.2026 12:00
Last: 08.05.2026 12:00
Sources 1
About this happening:
A new **PCPJack** campaign is targeting **TeamPCP victims** by **worming across exposed cloud infrastructure**, creating a fresh risk of credential theft and unauthorized reuse of...
Timeline
- 19.05.2026 07:54 2 articles · 8d ago
TeamPCP releases offensive framework source code for copycat supply-chain use
Initial Disclosure
TeamPCP released the entire source code for its supply-chain attack framework as part of a BreachForums-announced contest, lowering the barrier for other threat actors to reuse Mini Shai-Hulud tradecraft. The move enabled copycat activity against open-source ecosystems and made attribution harder as cloned npm malware variants began to appear.
Sources:
- Mini Shai-Hulud Pushes Malicious AntV npm Packages via Compromised Maintainer Account — thehackernews.com — 19.05.2026 07:54