TeamPCP is on a rampage by means of open-source software program.
In lower than 4 months, the risk actor has compromised and injected malicious code into greater than 1,000 software program packages. The extraordinary spree has reworked how software program builders and maintainers distribute and handle their code, as their dependencies and repositories have turn out to be probably the most efficient and prevalent assault vectors this yr.
Whereas there was a number of technical exploits, TeamPCP’s best assault has been the uprooting of belief — repeatedly proving that the majority organizations fail to confirm the code they ingest into their programs is reputable, abusing a virtually blind religion that a lot of the software program improvement trade depends on to energy right now’s trendy economic system.
Beginning with Trivy in February, TeamPCP’s assaults have shaken that belief many instances over.
The size of TeamPCP’s assaults lies partly within the automated programs firms use to deploy code, like CI/CD pipelines. It is usually capitalizing on new safety gaps created by builders’ rising reliance on AI. But, with comparatively low effort and unoriginal ways, TeamPCP is wrecking open-source frameworks and underlying programs at ranges the know-how neighborhood has hardly ever reckoned with.
“Builders didn’t do an excellent job of analyzing the safety of their open-source dependencies earlier than however, now with AI, there’s in some circumstances just about no human within the loop or any sort of sanity verify on what these instruments are doing,” Feross Aboukhadijeh, founder and CEO at Socket, advised CyberScoop.
“You will have brokers putting in packages that haven’t been vetted,” he stated. “When an attacker will get in, the influence is even broader as a result of there’s much less checks and balances to cease it from affecting all people.”
TeamPCP hasn’t recognized a brand new drawback or proved something novel. The crux of those assaults hinge on a central theme — defensive vulnerabilities all the software program trade has identified about for years. Researchers and builders know the open supply belief mannequin is damaged and inclined to sabotage. But, the software program trade has not mounted this drawback.
“The velocity and scale of those assaults is what makes it most notable, not essentially the methodology behind it, as a result of on the core it’s actually about exploiting third-party trusts that we’ve,” stated Kimberly Goody, senior supervisor at Google Menace Intelligence Group.
Software program packages are usually subjected to intensive safety monitoring to check for vulnerabilities and poisoned updates earlier than they’re launched to stay environments.
But, the true vulnerability highlighted by TeamPCP lies additional up the chain of the command with the organizations or people that publish these packages to the broader market, in response to Nathaniel Quist, supervisor of cloud risk intelligence at Palo Alto Networks.
“It’s their accountability to safe their credentials and never present a bounce off level to set off a supply-chain occasion,” he stated. “Every little thing that interacts with or crosses by means of that zone should be extremely monitored and managed to make sure a compromise may be contained shortly and simply.”
TeamPCP’s motivation
TeamPCP, like all prolific cybercriminal, has captured vital consideration from risk hunters because it emerged in late 2025. Google attributes the exercise to 1 core operator.
The corporate stated it traced TeamPCP’s residential and cellular IP handle connections to South Africa, indicating the first operator was positioned there throughout not less than a few of its assaults.
“We don’t imagine that there’s a longtime core group, not less than not but, and that numerous this has been carried out by a person,” Goody stated. Google declined to call the core operator or affirm it is aware of the individual’s true id.
Palo Alto Networks stated the core supervisor of TeamPCP makes use of the “ResoluteXBF” deal with on a number of platforms. The cybersecurity agency can also be monitoring two further core members: “diencracked” and “Shinigami.”
If TeamPCP is primarily run by one individual, legislation enforcement has a uncommon alternative to make a long-lasting influence with a single arrest.
TeamPCP has collaborated with different cybercriminals, however most of these partnerships have been short-lived and led to a public feud or in any other case didn’t get off the bottom in any significant manner, Goody stated.
Researchers have linked TeamPCP to extortion crews, darkish internet boards and associates together with Lapsus$, ShinyHunters, Vect, DragonForce, BreachForums and “HasanBroker.” TeamPCP listed about 4,000 personal code repositories on a darkish internet discussion board with an asking value of $95,000.
The actions so far, together with unpredictable conduct, point out motivations past monetary acquire and a “clear need for notoriety,” Goody stated. “They appear to love to make chaos.”
Quist attracts the identical conclusion from his months-long investigation, noting that it encourages different cybercriminals to get in on the motion, at one level providing monetary rewards for the most important software program supply-chain assault.
TeamPCP isn’t within the recreation for extortion funds, he stated. “These actors are extra within the underground road cred they’re gaining” and “inflicting as a lot harm and mayhem as doable.”
Victims abound, however publicity restricted
TeamPCP has been remarkably noisy, opportunistically injecting malware into open-source software program for the aim of stealing credentials for Kubernetes environments, Amazon Net Companies, Microsoft Azure, Google Cloud and lots of different related companies.
The group’s claimed sufferer record is staggering: Checkmarx, Bitwarden, LiteLLM, Telnyx, Mercor AI, PyTorch Lightning, AntV, SAP, GitHub, TanStack, UiPath, MistralAI, Microsoft DurableTask, Pink Hat and Nx Console.
The complete assortment of packages compromised or poisoned by TeamPCP so far accounts for roughly 500 million weekly downloads mixed, in response to Quist.
Whereas the breadth of potential downstream compromise flowing from these downloads is substantial, many endpoints contaminated with these malware-riddled packages aren’t uncovered to the web and fewer inclined to assault, he added.
“I don’t assume there’s going to be a really extraordinarily massive variety of victims,” Quist stated. “There’s going to be lots of people who doubtlessly may very well be compromised and have doubtlessly weak packages of their atmosphere, however that doesn’t essentially imply they’re in an exploitable place.”
Whereas these incidents have grabbed headlines, TeamPCP hasn’t gathered payouts almost as massive as different cybercriminals. The broader reputational influence it has wrought, nonetheless, is huge.
TeamPCP has publicly claimed greater than 10,000 victims and about $90,000 in extortions, in response to Quist.
“They may not be making some huge cash, however they’re inflicting numerous influence,” Goody stated. “Their campaigns have been very disruptive.”
How TeamPCP’s working mannequin targets improvement
TeamPCP’s sufferer record has grown as its hijacked open-source repositories on npm, PyPI, GitHub and different outsourced developer instruments which can be included into upstream code working in manufacturing environments.
Developer laptops and different endpoints which can be assigned to put in, construct and publish software program extensively comprise keys and entry to supply code that create extremely priceless supply-chain targets for attackers, Amitai Cohen, head of the assault vector intel crew at Wiz, defined throughout a June presentation on TeamPCP at SleuthCon in Arlington, Va.
The group targets CI runners, that are automated programs that construct, take a look at, and publish code. TeamPCP injects malware into the code repositories these runners preserve. When different builders pull that code into their very own programs, they unknowingly obtain the malware alongside it.
A few of these artifacts, together with Python libraries, npm registries and GitHub Actions, are downloaded virtually instantly by hundreds or thousands and thousands of builders who’ve set their runners as much as constantly pull the newest model, in response to Cohen. “We as a safety trade have taught them that that’s the proper factor to do. You wish to use the newest model since you wish to be protected in opposition to vulnerabilities, and clearly you wish to profit from all the newest options.”
That intuition is precisely what TeamPCP exploits. By compromising one firm’s CI/CD workflow, the group positive factors entry to each downstream person who mechanically pulls that contaminated code. “That is what permits [TeamPCP] to leverage preliminary entry to some affected person zero, some firm that had a vulnerability of their CI/CD workflow, in an effort to acquire entry to their downstream customers,” Cohen stated. “That’s simply how the software program provide chain works. Every little thing has dependencies upon dependencies upon dependencies.”
A number of the packages compromised by TeamPCP have been stay for nearly 13 hours, however safety practitioners have responded by figuring out code-injection assaults a lot faster now, pulling some compromised repositories inside quarter-hour, stated Ben Learn, director of strategic intelligence at Wiz.
The risk group’s operations stay high-tempo. TeamPCP infects new software program packages virtually each day, validates compromises and captures delicate information inside 24 hours, in response to Wiz researchers.
The risk group has constantly advanced its ways, growing payloads in JavaScript and Python whereas spreading from native recordsdata to Kubernetes utility programming interfaces and bundled software program improvement kits. Most just lately, it’s been stealing credentials through customized protocols.
The group’s ambitions have expanded past its personal assaults. TeamPCP can also be answerable for a self-replicating piece of malware referred to as Mini Shai-Hulud, which contaminated tons of of software program packages throughout open-source registries in back-to-back assault sprees final month. A TeamPCP affiliate revealed the total supply code for the malware on GitHub final month and inspired different cybercriminals to make use of it for their very own campaigns.
“TeamPCP goes for quantity. They don’t seem to be being discriminating, they’re not essentially attempting to be stealthy or attempting to maximise ROI. They’re going for an all-of-the-above technique,” Learn stated in the course of the Sleuthcon presentation.
Defensive gaps create openings for assault
TeamPCP’s assault spree has additionally underscored how troublesome it’s for organizations to revoke compromised secrets and techniques. A number of victims have skilled recurring infections, typically falling prey to TeamPCP 3 times inside a month, as a result of they didn’t rotate secrets and techniques correctly, Cohen stated.
At its core, these assaults spotlight a direct trade-off organizations settle for once they replace software program shortly to repair vulnerabilities, however be taught that doing so too shortly might expose them to illegitimate registries containing malware.
TeamPCP has focused what Aboukhadijeh describes as a “public good,” open-source registries that have been by no means good however extensively trusted and barely was a degree of entry for supply-chain assaults.
Speedy open supply software program set up is likely one of the most harmful issues a corporation can do proper now, he stated, including that there’s a roughly 1 in 10 probability that any package deal put in by a corporation might set off an energetic assault.
TeamPCP has compromised safety scanners, password managers, automation instruments, information visualization software program, and CI/CD infrastructure throughout numerous environments.
And it’s lifted a trove of credentials and different delicate information from victims.
Researchers like Cohen at Wiz, who’ve been monitoring this assault spree for the reason that starting, are nearing a breaking level.
“That is additionally too onerous on us. We’re very drained. I’m certain lots of people engaged on this drawback area are very drained, and it’s simply sort of turn out to be untenable,” Cohen stated.
“You possibly can’t maintain current in a world the place you get up each morning and a few tremendous prevalent package deal is compromised and all people’s simply going to be utilizing it like nothing,” he added. “We have to begin taking this a bit extra critically.”