In under four months, a single group — likely operating as a loose-knit crew of teenagers — injected malicious code into more than 1,000 open-source packages, compromised 1,000+ cloud environments, stole 500,000 credentials, and breached GitHub itself. The open-source ecosystem's foundational promise — that anyone can trust the code they pull — may never be the same.


The breach of GitHub was not a sophisticated zero-day exploit. It was not a nation-state operation with unlimited resources. It was a poisoned VSCode extension installed by a GitHub developer — a single, trusted plug-in that opened the door to one of the most consequential supply chain attacks in history.

Within hours, the hackers behind the breach — a group calling themselves TeamPCP — claimed to have accessed around 4,000 of GitHub's code repositories. GitHub later confirmed it had found at least 3,800 compromised repositories. "We are here today to advertise GitHub's source code and internal orgs for sale," TeamPCP wrote on BreachForums. "Everything for the main platform is there".

GitHub was not the first victim. It was merely the most prominent. Over the preceding four months, TeamPCP had quietly executed the most destructive open-source supply chain campaign ever documented — poisoning more than 1,000 packages, compromising security tools trusted by hundreds of thousands of organizations, and siphoning roughly 500,000 credentials and 300+ gigabytes of data from over 1,000 SaaS environments.

A single group — likely operating as "a loose-knit group of teenagers and young adults who couldn't find paying work," according to a spokesperson using the handle T00001B — had broken the foundational trust model of open-source software. And the industry is still scrambling to rebuild.


The Scale: 1,000 Packages, 20 Waves, Zero End in Sight

The numbers are staggering. According to cybersecurity firm Socket, TeamPCP has carried out 20 "waves" of supply chain attacks that have hidden malware in more than 500 distinct pieces of software — or well over a thousand counting all the various versions of code hijacked. Between September 2025 and May 2026, the group conducted a series of coordinated supply chain attacks across the npm and PyPI package ecosystems.

The group's self-propagating worm, dubbed Shai-Hulud — a reference to the sandworms in Frank Herbert's Dune novels — evolved through four generations. The current iteration, Mini Shai-Hulud, active since late April 2026, reached peak scale in a May 11 wave comprising 373 malicious package-version entries across 169 npm packages and two PyPI packages, with a cumulative download base exceeding 518 million.

The victims read like a who's-who of the technology industry: Bitwarden, Red Hat, SAP, PyTorch Lightning, GitHub itself, OpenAI, Mistral AI, UiPath, TanStack, and even the European Commission. On May 11, at 19:20 UTC, the first malicious @tanstack packages appeared in the npm registry. Within six minutes, 84 malicious versions across 42 packages had been published.

"It may be their biggest one," Ben Read, who leads strategic threat intelligence at cloud security firm Wiz, said of the GitHub breach. "But each one of these is a big deal for the company that it happens to. It's not qualitatively different from the 14 breaches that happened last week".


How It Worked: The Cycle of Exploitation

TeamPCP's core tactic was deceptively simple — and devastatingly effective.

The hackers gain access to a network where an open-source tool commonly used by coders is being developed — for example, the VSCode extension that led to the GitHub breach or the data visualization software AntV that TeamPCP hijacked. They plant malware in the tool, which then ends up on other software developers' machines. The malware steals credentials that let them publish malicious versions of those software development tools. The cycle repeats.

The method is not clever, and that is the point. Most companies pull in code automatically and rarely check that it is safe. TeamPCP simply abuses that blind faith. Together, the poisoned packages rack up roughly 500 million downloads a week.

The technical sophistication, however, was anything but amateur. The Mini Shai-Hulud campaign achieved a critical security first: it compromised packages with valid SLSA Build Level 3 provenance attestations — the highest standard of supply chain security. By extracting GitHub Actions OIDC tokens from runner process memory and using them to obtain legitimate Sigstore signing certificates, the attackers made malicious package versions appear cryptographically verified to automated security tooling. "Has provenance" no longer meant "not malicious".

The worm also became the first documented supply chain attack to weaponize AI coding agent configuration files as a persistence mechanism, writing malicious hooks into Claude Code's settings and VS Code's tasks that survive package removal and reactivate every time a developer opens a project.
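An audit for the persistence locations described above, added here as an example and not taken from the original article or from any vendor's tooling: it lists every command that a project's Claude Code hooks or VS Code folder-open tasks would run automatically, so a reviewer can compare them against what the project is expected to contain. The file paths and key names are assumptions based on the two tools' documented configuration formats; the article names the tools but not the files.

```python
import json
import sys
from pathlib import Path

# Assumed file locations and key names, taken from the tools' documented
# config formats (the page names the tools but not the files).
CLAUDE_SETTINGS = (".claude/settings.json", ".claude/settings.local.json")
VSCODE_TASKS = ".vscode/tasks.json"

def claude_hook_commands(settings):
    """Yield (event, command) for each command hook in Claude Code settings."""
    for event, groups in (settings.get("hooks") or {}).items():
        for group in groups or []:
            for hook in group.get("hooks") or []:
                if hook.get("type") == "command":
                    yield event, str(hook.get("command", ""))

def vscode_autorun_tasks(tasks_doc):
    """Yield (label, command) for tasks set to run when the folder opens."""
    for task in tasks_doc.get("tasks") or []:
        if (task.get("runOptions") or {}).get("runOn") == "folderOpen":
            parts = [task.get("command", "")] + list(task.get("args") or [])
            yield task.get("label", "<unlabelled>"), " ".join(map(str, parts)).strip()

def audit_project(root):
    """Return (file, kind, name, command) for every auto-executed command."""
    targets = [(rel, "claude-hook", claude_hook_commands) for rel in CLAUDE_SETTINGS]
    targets.append((VSCODE_TASKS, "vscode-folderOpen-task", vscode_autorun_tasks))
    findings = []
    for rel, kind, extract in targets:
        path = Path(root) / rel
        if not path.is_file():
            continue
        try:
            doc = json.loads(path.read_text(encoding="utf-8"))
            if not isinstance(doc, dict):
                raise ValueError("top level is not an object")
        except (ValueError, OSError):
            # tasks.json may contain comments that strict JSON rejects:
            # fail closed and flag the file for manual review.
            findings.append((rel, "unparseable", "", ""))
            continue
        findings.extend((rel, kind, name, cmd) for name, cmd in extract(doc))
    return findings

if __name__ == "__main__":
    for finding in audit_project(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(*finding, sep="\t")
```

Pointing it at the home directory also covers the user-level .claude/settings.json. Every listed command runs without an explicit action from the developer, so each one should have an owner who can explain it.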

The malware contained a dead-man's switch that would wipe the victim's home directory if stolen tokens were revoked. The payload displayed a chilling threat: "IfYouRevokeThisTokenItWillWipeTheComputerOfTheOwner" before executing rm -rf ~/. Remediation order became safety-critical: the malware's persistence service triggers home directory destruction if credentials are rotated before the service is disabled.

The Victims: A Who's-Who of the Tech Industry

TeamPCP's reach was breathtaking. Over 1,000 SaaS environments were impacted. Among the named victims:

  • GitHub: 3,800+ compromised repositories, with TeamPCP claiming access to 4,000

  • OpenAI: Confirmed it had ingested a compromised dependency but contained the blast radius with no user data loss

  • Mistral AI: npm and PyPI packages compromised

  • TanStack: 42 packages, 84 malicious versions published in six minutes

  • Aqua Security's Trivy: A vulnerability scanner used in CI/CD pipelines worldwide became a vector

  • Checkmarx KICS: GitHub Actions compromised

  • LiteLLM: An AI gateway library present in approximately 36% of monitored cloud environments

  • European Commission: AWS environment breached

  • Red Hat, SAP, Bitwarden, PyTorch Lightning

Mandiant Consulting CTO Charles Carmakal reported over 1,000 compromised cloud environments, with estimates that the number could reach 10,000.

The Motivation: Chaos, Notoriety, and $95,000

Yet the group does not seem to be chasing money. Researchers say it is after chaos and notoriety, having pocketed only about $90,000 in extortion. According to a Forbes interview, a spokesperson described the group as "a loose-knit group of teenagers and young adults who couldn't find paying work".

Researchers classify TeamPCP as a cybercrime operation rather than a state-sponsored APT or ideological hacktivist collective. The group operates under five confirmed aliases: PCPcat, ShellForce, DeadCatx3, CipherForce, and Persy_PCP. They maintain an active Telegram presence, with their primary channel growing from roughly 700 subscribers in early February 2026 to over 1,180 by late March.

TeamPCP has also forged a complex web of criminal partnerships, formally announcing a partnership with the Vect Ransomware Group on BreachForums. Their malware consistently self-identifies through an embedded string, "TeamPCP Cloud stealer".


The Trust Problem: "Legitimate" Is Not the Same as "Safe"

The thread tying all of this together is trust. Attackers no longer need a clever exploit. They just need something you already believe in: a package registry, a coding agent, a familiar domain.

This attack is not an isolated incident — it is part of a clear, accelerating trend in 2026 supply chain warfare. The "Shai-Hulud" branding itself is a deliberate callback to TeamPCP's 2025 campaign, signaling attacker confidence and brand-building. Each generation of the worm directly addressed detection and takedown techniques applied to its predecessor, suggesting the operators monitored defensive responses and adapted accordingly.

"As one industry bulletin put it, 'legitimate' is not the same as 'safe'," The Next Web reported. "For the industry, that is an uncomfortable reset. It means watching the tools people trust, not just the files they download. It means treating a package install like running code, and an AI agent like a user account".

The open-source ecosystem's foundational promise — that anyone can trust the code they pull — may never be the same. One security firm now estimates a roughly 1-in-10 chance that any package an organization installs could trigger an active attack.


The Bottom Line

A single group — likely a loose-knit crew of teenagers — injected malicious code into more than 1,000 open-source packages in under four months. They compromised 1,000+ cloud environments, stole 500,000 credentials, breached GitHub itself, and exploited the very trust that makes open-source software work.

The industry's response has been reactive. Security firms are scrambling to detect the next wave. Developers are being urged to audit their dependencies. AI coding agents, which install packages automatically with "virtually no human in the loop," are being treated as potential attack vectors. The dead-man's switch in the Mini Shai-Hulud worm means that even rotating compromised credentials can trigger catastrophic data loss if done in the wrong order.

TeamPCP's spree shows no signs of stopping. In a message from March 25, 2026, group members discussed working through large stores of stolen credentials and stated explicit intent to continue targeting security tools and open-source projects in the months ahead. The Miasma variant of their attack toolkit has even been open-sourced, allowing copycats to replicate their methods.

The open-source ecosystem was built on trust. TeamPCP just proved that trust can be weaponized. The question is not whether another attack will happen. It is whether the industry will learn to rebuild trust on a more secure foundation — before the next worm burns through the entire supply chain.