TeamPCP supply-chain ecosystem shift and extortion partnerships
Threat Actor Meta
Summary
Hide ▲
Show ▼
TeamPCP has expanded its supply-chain abuse model across open-source ecosystems, raising the risk of downstream compromise and extortion at scale. The group has corrupted hundreds of open-source tools and linked its activity to BreachForums, LAPSUS$, and VECT. The shift matters because one upstream compromise can now cascade through multiple developer ecosystems.
Related Happenings
Miasma self-replicating supply chain attack campaign targeting open-source repositories
Campaign
H score83
First: 06.06.2026 09:58
Last: 06.06.2026 09:58
Sources 1
About this happening:
The **Miasma** self-replicating supply-chain campaign has reached **73 Microsoft repositories** across **Azure**, **Azure-Samples**, **Microsoft**, and **MicrosoftDocs** on **GitH...
Miasma self-replicating supply chain attack campaign targeting open-source repositories
CampaignAbout this happening: The **Miasma** self-replicating supply-chain campaign has reached **73 Microsoft repositories** across **Azure**, **Azure-Samples**, **Microsoft**, and **MicrosoftDocs** on **GitH...
Megalodon GitHub CI/CD supply-chain campaign
Campaign
H score50
First: 22.05.2026 14:55
Last: 22.05.2026 14:55
Sources 1
How related:
Cybersecurity researchers have disclosed details of a new automated campaign called Megalodon that has pushed 5,718 malicious commits to 5,561 GitHub repositories within a six-hour window.
About this happening:
The **Megalodon** campaign pushed **5,718 malicious commits** into **5,561 GitHub repositories** in about **six hours**, creating a broad **CI/CD secret-theft** risk across develo...
Megalodon GitHub CI/CD supply-chain campaign
CampaignHow related: Cybersecurity researchers have disclosed details of a new automated campaign called Megalodon that has pushed 5,718 malicious commits to 5,561 GitHub repositories within a six-hour window.
About this happening: The **Megalodon** campaign pushed **5,718 malicious commits** into **5,561 GitHub repositories** in about **six hours**, creating a broad **CI/CD secret-theft** risk across develo...
TeamPCP opens its offensive framework to copycat supply-chain attackers
Threat Actor Meta
H score60
First: 19.05.2026 07:54
Last: 19.05.2026 07:54
Sources 1
About this happening:
**TeamPCP** has started distributing its **offensive framework source code**, turning a single supply-chain operation into reusable tradecraft that other threat actors can adopt....
TeamPCP opens its offensive framework to copycat supply-chain attackers
Threat Actor MetaAbout this happening: **TeamPCP** has started distributing its **offensive framework source code**, turning a single supply-chain operation into reusable tradecraft that other threat actors can adopt....
TeamPCP uses Shai-Hulud release to build access-broker monetization pipeline
Threat Actor Meta
H score16
First: 18.05.2026 22:53
Last: 18.05.2026 22:53
Sources 1
About this happening:
**TeamPCP** is being framed as using the **Shai-Hulud** source-code release to drive an **access broker** business, turning worm distribution into a credential-monetization pipeli...
TeamPCP uses Shai-Hulud release to build access-broker monetization pipeline
Threat Actor MetaAbout this happening: **TeamPCP** is being framed as using the **Shai-Hulud** source-code release to drive an **access broker** business, turning worm distribution into a credential-monetization pipeli...
TeamPCP Mini Shai-Hulud npm supply-chain campaign
Campaign
H score75
First: 12.05.2026 14:07
Last: 12.05.2026 14:07
Sources 1
About this happening:
The **TeamPCP**-linked **Mini Shai-Hulud** campaign is an active **npm supply-chain operation** that steals developer credentials and abuses trusted publishing paths to spread tro...
TeamPCP Mini Shai-Hulud npm supply-chain campaign
CampaignAbout this happening: The **TeamPCP**-linked **Mini Shai-Hulud** campaign is an active **npm supply-chain operation** that steals developer credentials and abuses trusted publishing paths to spread tro...
Timeline
-
22.05.2026 14:55 2 articles · 1mo ago
TeamPCP expands supply-chain abuse across open-source ecosystems
Campaign Scope UpdateTeamPCP has weaponized the interlinked software supply chain to corrupt hundreds of open-source tools across several ecosystems, with activity associated with BreachForums, LAPSUS$, and VECT and with extortion for profit in some cases. The group’s reported behavior also includes worm-like propagation through popular open-source projects, raising the downstream risk for repository owners, maintainers, and developers.
Show sources
- Megalodon GitHub Attack Targets 5,561 Repos with Malicious CI/CD Workflows — thehackernews.com — 22.05.2026 14:55
- Megalodon GitHub Attack Targets 5,561 Repos with Malicious CI/CD Workflows — thehackernews.com — 22.05.2026 14:55