TeamPCP supply-chain ecosystem shift and extortion partnerships
Threat Actor Meta
Summary
TeamPCP has expanded its supply-chain abuse model across open-source ecosystems, raising the risk of downstream compromise and extortion at scale. The group has corrupted hundreds of open-source tools and linked its activity to BreachForums, LAPSUS$, and VECT. The shift matters because one upstream compromise can now cascade through multiple developer ecosystems.
Related Happenings
Megalodon GitHub CI/CD supply-chain campaign
Campaign
First: 22.05.2026 14:55
Last: 22.05.2026 14:55
Sources 1
How related:
Cybersecurity researchers have disclosed details of a new automated campaign called Megalodon that has pushed 5,718 malicious commits to 5,561 GitHub repositories within a six-hour window.
About this happening:
The **Megalodon** campaign pushed **5,718 malicious commits** into **5,561 GitHub repositories** in about **six hours**, creating a broad **CI/CD secret-theft** risk across develo...
TeamPCP opens its offensive framework to copycat supply-chain attackers
Threat Actor Meta
First: 19.05.2026 07:54
Last: 19.05.2026 07:54
Sources 1
About this happening:
**TeamPCP** has started distributing its **offensive framework source code**, turning a single supply-chain operation into reusable tradecraft that other threat actors can adopt....
TeamPCP uses Shai-Hulud release to build access-broker monetization pipeline
Threat Actor Meta
First: 18.05.2026 22:53
Last: 18.05.2026 22:53
Sources 1
About this happening:
**TeamPCP** is being framed as using the **Shai-Hulud** source-code release to drive an **access broker** business, turning worm distribution into a credential-monetization pipeli...
TeamPCP Mini Shai-Hulud npm supply-chain campaign
Campaign
First: 12.05.2026 14:07
Last: 12.05.2026 14:07
Sources 1
About this happening:
The **TeamPCP**-linked **Mini Shai-Hulud** campaign is a **malicious npm supply-chain operation** that steals developer credentials and abuses trusted publishing paths to spread t...
Shifty Corsair evolves open-source supply-chain tradecraft with fake firms, layered packages, and AI-assisted deception
Threat Actor Meta
First: 29.04.2026 17:43
Last: 29.04.2026 17:43
Sources 1
About this happening:
**Shifty Corsair** has expanded its operating model into a more convincing developer-lure ecosystem, increasing the risk of open-source supply-chain compromise against **Web3** ta...
Timeline
- 22.05.2026 14:55 · 2 articles
TeamPCP expands supply-chain abuse across open-source ecosystems
Campaign Scope Update: TeamPCP has weaponized the interlinked software supply chain to corrupt hundreds of open-source tools across several ecosystems, with activity associated with BreachForums, LAPSUS$, and VECT and with extortion for profit in some cases. The group’s reported behavior also includes worm-like propagation through popular open-source projects, raising the downstream risk for repository owners, maintainers, and developers.
Sources:
- Megalodon GitHub Attack Targets 5,561 Repos with Malicious CI/CD Workflows — thehackernews.com — 22.05.2026 14:55