Hacker Group Poisoning Open Source Code At Unprecedented Scale
A cybercriminal group known as TeamPCP is being accused of carrying out an unprecedented wave of software supply chain attacks, compromising hundreds of open source tools and breaching organisations through poisoned code.
The latest victim is GitHub, which confirmed on Tuesday night that it had been breached after one of its developers installed a malicious extension for VSCode, the popular code editor owned by Microsoft.
TeamPCP claimed on BreachForums, a cybercriminal marketplace, that it had accessed about 4,000 GitHub code repositories and was offering the material for sale. GitHub confirmed it had found at least 3,800 compromised repositories, while stating that its investigation so far indicated the affected repositories contained GitHub’s own code, rather than customer code.
The incident marks the latest escalation in what researchers describe as the longest-running spree of software supply chain attacks ever recorded.
Software supply chain attacks occur when hackers compromise legitimate software, libraries or development tools to secretly insert malicious code. That poisoned software is then downloaded and installed by unsuspecting users, allowing attackers to gain access to systems that trust the original tool.
Cybersecurity firm Socket, which specialises in software supply chain threats, says TeamPCP has carried out 20 waves of attacks in recent months, hiding malware in more than 500 distinct pieces of software. When different versions of the hijacked code are counted, the figure rises to more than 1,000.
Researchers say the group has used those compromised tools to breach hundreds of organisations. Victims reportedly include GitHub, AI company Anthropic, data contracting firm Mercor and other technology providers.
TeamPCP’s strategy relies on exploiting the trust developers place in open source tools. The group first compromises software commonly used by coders, such as a VSCode extension or the AntV data visualisation software. Once malware is planted in those tools, it can infect developers’ machines and steal credentials.
Those stolen credentials can then be used to publish new malicious versions of other software development tools, creating a self-perpetuating cycle of compromise.
Wiz strategic threat intelligence lead Ben Read described the tactic as a “flywheel of supply chain compromises”, warning that each successful breach gives the group more access, more credentials and more opportunities to attack new targets.
The group has reportedly intensified its campaign through a self-spreading worm known as Mini Shai-Hulud. The malware creates GitHub repositories containing encrypted credentials stolen from victims, with each including the phrase “A Mini Shai-Hulud Has Appeared”, a reference to the sandworms in Dune and to an earlier supply chain worm known as Shai-Hulud.
Researchers say TeamPCP appears to be financially motivated, using ransomware, data extortion and stolen data sales to profit from its attacks.
In the GitHub case, the group claimed it was not seeking a ransom from the company and would instead sell the data to a buyer. It also appeared to threaten a public leak if no buyer came forward.
Cybersecurity researchers say TeamPCP first emerged in late 2025, exploiting cloud misconfigurations and a vulnerability in the web application development tool Next.js. The group initially used those attacks for credential theft, cryptocurrency mining and botnet deployment, before shifting toward large-scale software supply chain compromise.
Its reach expanded dramatically in March, when the group began targeting more widely used software utilities. It allegedly embedded an infostealer in the open source security scanner Trivy, used stolen credentials to compromise versions of the AI programming interface tool LiteLLM on PyPI, and also targeted tools and platforms including Checkmarx infrastructure, pgserve, TanStack and Mistral AI.
The fallout has been significant. TeamPCP-linked attacks on software providers have reportedly contributed to breaches involving the European Commission’s public website, Anthropic’s Claude source code, two OpenAI employee devices and the data contracting firm Mercor.
Security experts say the attacks expose one of the most serious weaknesses in modern software development: long-lived credentials and authentication tokens that remain active long enough to be stolen and reused.
Palo Alto Networks’ Nathaniel Quist said organisations should urgently rotate personal access tokens and cloud credentials, including those connected to GitHub, GitLab, AWS, Azure, Google Cloud, Alibaba Cloud and Oracle.
The attacks also raise broader questions about the safety of open source software. Developers and businesses often rely on fast updates to keep their systems secure, but researchers warn that automatically installing the newest version of a package can now introduce fresh risk.
Experts recommend stronger safeguards, including scanning software updates for malware, delaying non-essential updates until they have been vetted, restricting access permissions and avoiding long-lived credentials wherever possible.
Wiz has also recommended “age-gating” updates, meaning organisations should prioritise urgent security fixes but avoid immediately installing newly published code unless it has been checked.
Socket researchers warn that once malicious code reaches a developer’s machine, the damage may already be done.
The TeamPCP campaign highlights a growing challenge for the technology sector: the open source ecosystem powers much of the modern internet, but that same trust can be weaponised at scale.
As supply chain attacks become faster, more automated and more damaging, security experts say organisations must rethink how they manage software dependencies, credentials and developer tools before the next wave of poisoned code spreads even further.
Photo Credit: DepositPhotos.com

Pingback: TeamPCP’s Massive Supply Chain Campaign Compromises Hundreds of Open Source Projects – VKGames Tech