TeamPCP: The Supply Chain Attackers Who Won't Stop

#One group. Seven waves. The entire developer ecosystem.

Since March 2026, a financially motivated threat actor tracked as TeamPCP (Google tracks them as UNC6780) has been running the most aggressive supply chain campaign the open-source ecosystem has ever seen. They call the operation Mini Shai-Hulud, after the sandworms in Dune. And like a sandworm, once it starts moving, it doesn't stop.

The campaign is simple in concept and terrifying in execution: compromise one developer's credentials, use those credentials to publish malicious versions of their packages, harvest more credentials from everyone who installs those packages, and repeat. Each compromised package becomes the launchpad for the next wave. It's a worm. It feeds itself.

Here's the full timeline.

#Wave 1: SAP Ecosystem (March 2026)

TeamPCP compromised maintainer accounts for SAP-ecosystem npm packages. The malicious versions added a preinstall hook that downloaded the Bun JavaScript runtime from GitHub Releases (a clever choice because Bun isn't on most security tool allowlists) and used it to run an obfuscated credential stealer.

The stealer harvested npm tokens, GitHub personal access tokens, AWS credentials, and anything else it could find on the developer's machine. Those stolen credentials became the ammunition for every subsequent wave.

#Wave 2: TanStack + 170 Packages (May 11, 2026)

Using credentials stolen in earlier waves, TeamPCP executed a sophisticated attack against TanStack, whose React Router alone has 12 million weekly downloads.

They chained three GitHub Actions weaknesses:

1. A pull_request_target workflow that executed attacker code in the trusted context
2. Cross-fork cache poisoning that planted malicious binaries
3. Runtime extraction of short-lived OIDC tokens from the GitHub Actions runner

The result: 42 packages, 84 malicious versions, published by TanStack's legitimate release pipeline with valid SLSA Build Level 3 provenance attestations. The provenance said "this was built by TanStack's real CI/CD." And it was. The CI/CD itself was compromised.

This is CVE-2026-45321, CVSS 9.6.

#Wave 3: VS Code Extension - Nx Console (May 18, 2026)

TeamPCP compromised an Nx developer's account and used it to publish a trojanized version of the Nx Console VS Code extension. 2.2 million installs. Live on the Visual Studio Marketplace for 18 minutes.

The payload was the most comprehensive credential stealer we've seen. It harvested from:

One of the victims was a GitHub employee. Their stolen credentials gave TeamPCP access to approximately 3,800 internal GitHub repositories, including CI/CD workflow definitions, internal security tooling, and infrastructure code.

GitHub. Breached through a VS Code extension. The irony of the company that hosts the world's code getting compromised through developer tooling is not lost on anyone.

#Wave 4: Checkmarx Jenkins Plugin

Using credentials harvested in prior waves, TeamPCP published a rogue version of the Checkmarx AST Jenkins plugin (CVE-2026-33634). A security scanner's CI plugin. Carrying an infostealer.

The tool that's supposed to find vulnerabilities in your code was itself the vulnerability. The security scanner attacked you. This is supply chain inception.

#Wave 5: PyTorch Lightning (PyPI)

An attacker with valid PyPI publisher credentials pushed tampered builds of PyTorch Lightning, a popular deep learning framework. The malicious builds contained a hidden _runtime directory with an obfuscated payload that executed on import lightning.

Machine learning engineers importing a framework they use every day got owned on import.

#Wave 6: CanisterWorm - Self-Propagating with Blockchain C2

This is where it gets really creative. TeamPCP deployed a self-propagating worm that:

1. Installs via npm postinstall hook
2. Harvests npm and PyPI registry tokens from the victim
3. Uses those tokens to republish infected versions of every package the victim maintains
4. If it finds PyPI tokens, it publishes infected Python packages too
5. Cross-ecosystem propagation: npm to PyPI and back

The C2 (command and control) infrastructure runs on Internet Computer Protocol (ICP) blockchain "canisters." This is significant because blockchain-based C2 is resistant to domain seizure and DNS sinkholing, the standard takedown methods. You can't call a registrar and take down a blockchain address.

#Wave 7: Ongoing

TeamPCP is still active. They're still compromising packages. They're still using stolen credentials from previous waves. The supply chain is still feeding itself.

#Why this matters for your business.

You might be thinking "I'm not a developer, this doesn't affect me." It does.

Your website was built with npm packages. Your WordPress plugins, your React frontend, your Node.js backend. All of them depend on packages from the npm registry. If any of those dependencies were compromised, the malicious code runs on your server or in your customers' browsers.

Your SaaS tools were built with these packages. The CRM you use, the project management tool, the accounting software. Their developers install packages from npm and PyPI. If a developer at your SaaS vendor installed a compromised package, their build pipeline could be poisoned, and the malicious code ships in the next update you receive.

Your IT provider uses developer tools. VS Code, Jenkins, GitHub. All targeted in this campaign. If your MSP's developer was running the trojanized Nx Console extension, their credentials are compromised, and through them, potentially your systems.

The supply chain is everyone's problem. Not just developers. Everyone.

#What to do.

1. Ask your software vendors if they were affected by the Mini Shai-Hulud campaign. Specifically TanStack, Nx Console, and Checkmarx. If they use these tools in their build pipeline, they need to confirm they weren't running compromised versions.

1. If you manage npm or Python projects, audit your lockfiles for packages published between March-May 2026 from the affected namespaces (@tanstack, @nx, checkmarx, pytorch-lightning, durabletask). Socket.dev and Snyk can help automate this.

1. Rotate all developer credentials. npm tokens, GitHub PATs, AWS keys, Docker Hub tokens, PyPI tokens. If any developer in your organization installed an npm or PyPI package in the last 3 months, assume exposure and rotate.

1. Enforce registry-level MFA for publishing. npm and PyPI both support it. If your packages can be published without MFA, a stolen token is all an attacker needs.

1. Pin dependency versions and disable auto-merge on Dependabot/Renovate. Detailed guide in our earlier article.

1. Audit your CI/CD pipeline permissions. The TanStack attack worked because GitHub Actions had overly broad permissions. Apply least privilege to every workflow.

#Further reading

• Snyk: TanStack Compromise Analysis - Wave 2 technical details
• Socket.dev: Mini Shai-Hulud Tracking - ongoing campaign analysis
• Wiz: TeamPCP Campaign Overview - multiple wave breakdown
• SC Media: CanisterWorm - self-propagating worm details
• BleepingComputer: GitHub Internal Repos Breach - Wave 3 aftermath
• Sigstore - software signing (provenance alone isn't enough, but it helps)
• OpenSSF Scorecard - evaluate open source project security health