A hacker group named TeamPCP has carried out a wave of supply chain attacks against open-source code on a scale that has surprised security researchers. According to Ars Technica, this is a financially motivated group with alleged connections to both the Vect ransomware group and the notorious Lapsus$ network.

Malware Planted in Trusted Development Tools

TeamPCP specializes in compromising tools developers rely on daily. In March 2026, the group exploited a misconfiguration in Trivy – a security tool used by over 10,000 development teams – to steal a service account credential via GitHub Actions. With stolen Personal Access Tokens (PATs), the attackers forced malicious commits into popular repositories such as checkmarx/kics-github-action and aquasecurity/trivy-action.

The result: well-known security tools were themselves turned into attack vectors.

The attackers turned security tools against their users – so victims ended up running the malware in their own pipelines.

A Self-Spreading Worm

One of the most concerning elements in TeamPCP's arsenal is what is described as “Mini Shai-Hulud” – a self-replicating worm adapted from a variant documented in 2025. The worm automates much of the supply chain attack by stealing CI/CD credentials and using them to publish infected versions of new packages.

According to security research, the worm exploits a chain of vulnerabilities, including a “Pwn Request” via pull_request_target, cache poisoning in GitHub Actions, and the extraction of OIDC tokens from the GitHub Actions runtime environment. This makes it possible to publish malicious packages with valid SLSA provenance attestations – making the manipulation much harder to detect.

GitHub Itself Hit

The consequences reached a new level on May 20, 2026, when GitHub confirmed a supply chain breach directly attributed to TeamPCP. The attack reportedly compromised approximately 3,800 internal repositories – starting with a GitHub employee falling victim to a previously compromised package.

GitHub is among the most central platforms in global software development, and an internal breach of this magnitude underscores the seriousness of the group's capabilities.

3,800: Compromised GitHub Repositories
36%: Cloud Environments Affected via LiteLLM

AI Tools and SDKs in the Crosshairs

TeamPCP has particularly targeted AI infrastructure. BerriAI's LiteLLM – a Python library for integration with large language model providers – was compromised in versions v1.82.7 and v1.82.8. According to research material, this is estimated to have affected 36 percent of cloud environments using the library.

Telnyx Python SDK, TanStack packages (84 malicious versions spread across 42 npm packages), MistralAI, and elementary-data were also reportedly targeted.

TeamPCP has turned open source into a minefield – and no popular package is automatically safe.

What Makes This Especially Dangerous?

What distinguishes TeamPCP's campaign from previous supply chain attacks is the combination of speed, precision, and subsequent behavior, according to security researchers cited by Ars Technica. The group doesn't just steal credentials – they establish persistent access, harvesting GitHub tokens, SSH keys, cloud credentials, and browser-stored secrets.

Additionally, many of the attack vectors are tailored to avoid detection: .pth files in Python run automatically on startup without requiring explicit import, and SLSA-signed malicious packages bypass integrity checks that many organizations rely on.

For developers and organizations using open source – which is practically everyone involved in software development – the message is clear: your dependency lists may contain threats that are very difficult to detect with conventional methods.