May 2026 marked the most intense stretch of TeamPCP’s ongoing supply chain campaign, with the financially motivated threat group escalating from package-level poisoning to ecosystem-wide worm propagation and ultimately a direct breach of GitHub itself. TeamPCP, also known as PCPcat, ShellForce, DeadCatx3, CipherForce, Persy_PCP, and UNC6780, was first seen in late 2025 and commenced its major attack campaign in May 2026. The TeamPCP campaign targeted GitHub (internal repositories, GitHub Actions, VS Code Marketplace), npm registry, PyPI registry, OpenVSX, and developer endpoints on macOS and Linux platforms.
First documented in late 2025 as a cloud-native exploitation crew, TeamPCP pivoted in March 2026 to a cascading supply chain campaign spanning Trivy, Checkmarx KICS, LiteLLM, and dozens of npm packages. The TeamPCP threat actor then unleashed the Mini Shai-Hulud worm in May across the npm and PyPI ecosystems, followed by an @antv wave that brought the cumulative footprint to over 1,000 malicious versions across 500+ unique packages. TeamPCP then open-sourced the worm code with a $1,000 underground bounty, spawning copycat variants within days.
On May 20, 2026, TeamPCP exfiltrated roughly 3,800 internal GitHub repositories through a poisoned VS Code extension installed by an employee. The malware TeamPCP deployed included the Mini Shai-Hulud worm and credential-stealing VS Code extensions. With affiliate extortion channels dormant throughout the month, TeamPCP has clearly shifted to monetizing supply chain credential theft directly, signaling a sustained, platform-level threat to the developer ecosystem. The campaign targeted software development, AI/ML, cloud computing, CI/CD pipelines, data analytics/visualization, enterprise automation, and source code hosting platforms worldwide.
May 2026 marked the most intense stretch of TeamPCP’s ongoing supply chain campaign, with the financially motivated threat cluster escalating from package-level poisoning to ecosystem-wide worm propagation and ultimately a direct breach of GitHub itself. The TeamPCP group continued its run of compromises against widely deployed security and developer tooling early in the month before shifting into a sustained, multi-wave assault on the open-source ecosystem that culminated in the compromise of GitHub’s own internal environment.
First documented in late 2025 as a cloud-native exploitation crew targeting exposed Docker APIs and Kubernetes clusters, TeamPCP escalated sharply in March 2026 with a cascading supply chain campaign that ran from Aqua Security’s Trivy through Checkmarx KICS, LiteLLM, Telnyx, and dozens of npm packages. This chain of TeamPCP compromises was monetized in part through a partnership with the Vect ransomware group, whose data leak site published victims and data attributed to TeamPCP-stolen credentials. By May, the TeamPCP group’s reach had grown large enough that a rival worm, PCPJack, emerged in the wild specifically to evict TeamPCP infections and steal credentials from already-compromised hosts.
The mid-month centerpiece of the TeamPCP campaign was the Mini Shai-Hulud worm, which propagated across the npm and PyPI ecosystems by abusing GitHub Actions misconfigurations and produced malicious packages signed with valid SLSA Build Level 3 provenance. A second TeamPCP wave on May 19 extended the campaign through a hijacked maintainer account in the @antv ecosystem, bringing the cumulative footprint to over 1,000 malicious versions across 500+ unique packages.
TeamPCP then dramatically lowered the barrier for copycats by releasing the source code of its Shai-Hulud worm, encouraging other threat actors to use it in supply chain attacks in exchange for monetary rewards. The TeamPCP release included a modular framework comprising loaders, secrets harvesters, a dispatcher, exfiltrators, and mutators, along with a $1,000 underground bounty for the largest supply chain attack mounted with the code. Copycat variants of the TeamPCP worm emerged within days, including one that converts victims into a DDoS botnet, leaving defenders facing a growing population of strains with different C2 endpoints and payloads that share enough DNA to be dangerous but not enough to share detection signatures.
The TeamPCP campaign’s most consequential event came on May 20, when GitHub disclosed a direct breach of its own environment. TeamPCP exfiltrated roughly 3,800 internal repositories through a poisoned VS Code extension installed by an employee, gaining credentials with permissions sufficient to clone the company’s internal repositories. The TeamPCP attack followed a now-familiar pattern: once installed, a malicious VS Code extension has full access to source code, system keychain credentials, SSH keys, cloud keys, GitHub authentication tokens, and shell history, enough for a single extension to silently harvest and exfiltrate every secret on a developer’s machine. An X account linked to TeamPCP publicly taunted GitHub over the delayed disclosure, claiming the platform knew for hours before notifying affected parties.
Throughout May, TeamPCP’s affiliated extortion channels remained dormant, with no new postings observed across the month, reinforcing the assessment that the TeamPCP group is now monetizing primarily through supply chain credential theft rather than affiliate ransomware. The shift in operating model, combined with the public release of the worm’s source code and a direct compromise of GitHub, signals that TeamPCP has moved from opportunistic package poisoning to a sustained, platform-level threat against the developer ecosystem, with downstream effects likely to compound well into the second half of 2026.
Organizations must audit and restrict VS Code extensions across developer endpoints to defend against TeamPCP tactics. Inventory every VS Code, OpenVSX, and JetBrains extension installed across developer machines and CI environments, and enforce a vetted allowlist of trusted publishers. The strongest publicly identified candidate for the GitHub breach vector is a trojanized version of Nx Console (nrwl.angular-console) version 18.95.0, published to the VS Code Marketplace on May 18, 2026 and live for roughly 11 minutes before being pulled. Any developer who installed or updated Nx Console during that window should be treated as compromised by TeamPCP. Block sideloaded or unsigned extensions at the endpoint and require security review before any new extension is approved.
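The inventory check described above, as an added example that is not part of the original advisory: it parses the output of `code --list-extensions --show-versions` and flags the Nx Console build named on this page plus any publisher outside an allowlist. The allowlist and the sample listing are constructed assumptions.

```python
import re

# Malicious build named on this page. The allowlist is a constructed sample.
KNOWN_BAD = {("nrwl.angular-console", "18.95.0")}
ALLOWED_PUBLISHERS = {"ms-python", "nrwl", "redhat"}  # hypothetical org policy

# One line of `code --list-extensions --show-versions`: publisher.name@version
LINE = re.compile(r"^(?P<pub>[\w-]+)\.(?P<name>[\w-]+)@(?P<ver>\S+)$")

# Constructed listing, not taken from a real host.
SAMPLE_LISTING = """\
ms-python.python@2026.4.0
nrwl.angular-console@18.95.0
unknownpub.helper@0.0.1
"""


def audit_extensions(listing, allowed=ALLOWED_PUBLISHERS, known_bad=KNOWN_BAD):
    """Return (line, finding) for every entry that fails policy."""
    findings = []
    for raw in listing.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE.match(line)
        if not m:
            findings.append((line, "unparseable entry"))
            continue
        ext_id = f"{m['pub']}.{m['name']}".lower()
        # Check the exact build first: the publisher here is allowlisted,
        # so a publisher-only policy would have let this version through.
        if (ext_id, m["ver"]) in known_bad:
            findings.append((line, "known-bad build: treat host as compromised"))
        elif m["pub"].lower() not in allowed:
            findings.append((line, "publisher not on allowlist"))
    return findings


if __name__ == "__main__":
    for entry, finding in audit_extensions(SAMPLE_LISTING):
        print(f"{entry}: {finding}")
```

A clean result only describes what is installed now; a machine that installed or updated Nx Console during the window stated above still falls under the page's "treat as compromised" guidance.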
Isolate and image endpoints before rotating credentials when responding to TeamPCP compromise. Treat any suspected compromised developer machine as a forensic asset before initiating cleanup. GitHub detected and contained the device compromise, removed the malicious extension version, and isolated the endpoint before beginning incident response for the TeamPCP breach. Production AWS keys, kubeconfigs, Vault tokens, GitHub PATs with repo and workflow scope, npm publishing tokens, signing certificates, and SSH keys for production hosts are routinely present on developer endpoints, so isolate first, image second, and only then rotate to contain TeamPCP exposure.
Rotate all GitHub-adjacent secrets with broad scope to mitigate TeamPCP credential theft. Assume that GitHub Personal Access Tokens, deploy keys, OAuth app credentials, GitHub Actions secrets, and CI/CD tokens accessible from any compromised endpoint have been exfiltrated by TeamPCP. Prioritize rotation of tokens with repo, workflow, and organization-level scopes first, then move to fine-grained tokens. Audit recent token usage logs for unfamiliar IP addresses, unusual API calls, and bulk repository clone activity in the days surrounding the suspected TeamPCP compromise.
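One way to run the audit for bulk repository clone activity and unfamiliar IP addresses, as an added example rather than anything from the original advisory. It applies a sliding time window to JSON-lines audit events; the field names, thresholds, accounts and addresses are all assumptions or constructed sample data.

```python
import json
from collections import defaultdict

# Constructed events. Field names (action, actor, actor_ip, repo, "@timestamp"
# in milliseconds) are assumptions modelled on a JSON-lines audit log export.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"@timestamp": 1_000_000 + i * 20_000, "action": "git.clone", "actor": "dev-a",
     "actor_ip": "203.0.113.7", "repo": f"example-org/internal-{i}"}
    for i in range(5)
] + [
    {"@timestamp": 1_000_000, "action": "git.clone", "actor": "dev-b",
     "actor_ip": "198.51.100.4", "repo": "example-org/app"},
    {"@timestamp": 9_000_000, "action": "git.clone", "actor": "dev-b",
     "actor_ip": "198.51.100.4", "repo": "example-org/docs"},
])


def bulk_clone_alerts(jsonl, known_ips, window_s=600, threshold=3):
    """Flag (actor, ip) pairs cloning >= threshold distinct repos in window_s."""
    by_source = defaultdict(list)
    for line in jsonl.splitlines():
        try:
            e = json.loads(line)
            if e.get("action") != "git.clone":
                continue
            key = (e["actor"], e["actor_ip"])
            item = (e["@timestamp"] / 1000, e["repo"])
        except (json.JSONDecodeError, AttributeError, KeyError, TypeError):
            continue  # skip blank, truncated or incomplete records
        by_source[key].append(item)
    alerts = []
    for (actor, ip), events in sorted(by_source.items()):
        events.sort()
        start, peak = 0, 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window_s:  # slide the window forward
                start += 1
            peak = max(peak, len({r for _, r in events[start:end + 1]}))
        if peak >= threshold:
            alerts.append({"actor": actor, "ip": ip, "distinct_repos": peak,
                           "unfamiliar_ip": ip not in known_ips})
    return alerts


if __name__ == "__main__":
    print(bulk_clone_alerts(SAMPLE_LOG, known_ips={"198.51.100.4"}))
```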
Tighten trust boundaries on OIDC and trusted publishing to defend against TeamPCP supply chain attacks. OIDC removes the long-lived publishing token, but only on the assumption that the workflow producing the short-lived token is itself trustworthy. TeamPCP has repeatedly broken that assumption by compromising the workflow itself. Restrict OIDC trust policies to specific protected branches, workflows, and environments, and require manual approval gates for publishes to package registries. Pin all third-party GitHub Actions to full commit SHAs and audit recently used actions for unexpected changes introduced by TeamPCP.
Treat developer devices as production infrastructure to protect against TeamPCP attacks. Developer endpoints have effectively become the new perimeter in the TeamPCP threat model. A single compromised IDE extension can expose source code, signing keys, cloud credentials, and the keys to an entire engineering organization’s CI/CD pipeline to TeamPCP. Enforce EDR coverage, MDM enrollment, and least-privilege access on every developer machine that holds production credentials to minimize TeamPCP’s attack surface.
The TeamPCP campaign employs numerous MITRE ATT&CK tactics and techniques. For Initial Access, TeamPCP uses Supply Chain Compromise (T1195), including Compromise Software Supply Chain (T1195.002) and Compromise Software Dependencies and Development Tools (T1195.001), along with Valid Accounts (T1078). Under Execution, TeamPCP leverages User Execution (T1204) via Malicious File (T1204.002), Command and Scripting Interpreter (T1059) using JavaScript (T1059.007), and Native API (T1106).
For Persistence, TeamPCP employs Browser Extensions (T1176), Create or Modify System Process (T1543) through Launch Agent (T1543.001) and Systemd Service (T1543.002), and Event Triggered Execution (T1546). Defense Evasion tactics include Obfuscated Files or Information (T1027), Masquerading (T1036) via Match Legitimate Name or Location (T1036.005), Indicator Removal (T1070) through Timestomp (T1070.006), and Impersonation (T1656).
TeamPCP’s Credential Access techniques include Unsecured Credentials (T1552) via Credentials In Files (T1552.001) and Private Keys (T1552.004), Credentials from Password Stores (T1555) including Password Managers (T1555.005), Steal Application Access Token (T1528), and Steal Web Session Cookie (T1539). For Discovery, TeamPCP uses Cloud Service Discovery (T1526) and File and Directory Discovery (T1083).
Collection tactics employed by TeamPCP include Data from Local System (T1005) and Data from Information Repositories (T1213), specifically Code Repositories (T1213.003). Lateral Movement utilizes Software Deployment Tools (T1072). Command and Control involves Application Layer Protocol (T1071) via Web Protocols (T1071.001), Web Service (T1102) for Bidirectional Communication (T1102.002), and Data Encoding (T1132).
For Exfiltration, TeamPCP uses Exfiltration Over Web Service (T1567), including Exfiltration to Code Repository (T1567.001), and Exfiltration Over C2 Channel (T1041). Finally, the Impact techniques used by TeamPCP include Financial Theft (T1657) and Data Destruction (T1485).
TeamPCP indicators include domains check.git-service[.]com and t.m-kosche[.]com. Malicious URLs associated with TeamPCP are hxxps[:]//check[.]git-service[.]com/rope.pyz, hxxps[:]//t[.]m-kosche[.]com[:]443/api/public/otel/v1/traces, and hxxps[:]//api[.]github[.]com/search/commits?q=firedalazer.
Multiple SHA256 and SHA1 hashes are associated with TeamPCP malware. File paths associated with TeamPCP activity include ~/.local/share/kitty/cat.py, ~/Library/LaunchAgents/com.user.kitty-monitor.plist, /tmp/kitty-, /var/tmp/.gh_update_state, /tmp/managed.pyz, /tmp/rope-.pyz, ~/.cache/.sys-update-check, ~/.cache/.sys-update-check-k8s, .claude/settings.json, .claude/setup.mjs, .vscode/tasks.json, .vscode/setup.mjs, and .github/workflows/codeql.yml.
TeamPCP LaunchAgents include pgsql-monitor.service and com.user.kitty-monitor.plist. The malicious VS Code extension deployed by TeamPCP is nrwl.angular-console@18.95.0. TeamPCP malicious PyPI packages include durabletask versions 1.4.1, 1.4.2, and 1.4.3.