Software industry companies have emphasized development velocity as a competitive advantage for years, streamlining release cycles, automating deployments, and increasingly utilizing sprawling open-source ecosystems to accelerate innovation as a competitive advantage. However, a recent campaign orchestrated by TeamPCP has revealed the security debt underpinning that speed-first approach.
Within a short period of time, the threat actor compromised more than 1,000 software packages and weaponized trusted development channels, showing the reliance on assumptions rather than verification that modern software supply chains have in place. The most recent escalation occurred following the public release of the Shai-Hulud worm's source code, a malicious tool previously used in numerous supply chain intrusions, along with operational guidance aimed at encouraging broader misuse.
Through open distribution of the malware and promotion of a reward-driven "supply chain challenge," TeamPCP has demonstrated its ability to shift the threat from a single adversary to a potentially broader ecosystem threat.
There is a growing reality for software developers, enterprises, and security teams alike that this development emphasizes: the greatest vulnerability in modern software development is not necessarily a flaw in the code itself, but rather a trust placed in repository repositories, dependencies, and automated workflows.
A key component of TeamPCP's campaign is the ability to weaponize vulnerabilities already embedded within modern software development practices rather than developing new malware and previously unknown exploitation techniques. With organizations accelerating release cycles through automated continuous integration/continuous delivery pipelines and increasingly integrating artificial intelligence-driven coding assistants, trust decisions are making more frequently without meaningful human verification.
The security research community notes that this environment has created a fertile ground for supply chain abuse, in which unvetted packages, compromised dependencies, and stolen publisher credentials are able to move through development workflows at unprecedented speed. TeamPCP demonstrates exactly how a single compromise within a trusted distribution channel can have an impact on thousands of downstream users through a single breach.
In the process of conducting the attacks, the group has highlighted a long-standing industry concern: although software packages are often thoroughly tested before deployment, identities, credentials, and publishing environments that distribute those packages are usually less scrutinized.
It is believed that much of TeamPCP activity may be attributed to a small group of operators following threat intelligence investigations conducted by Palo Alto Networks and Google. These investigations have identified a central figure known online as "ResoluteXBF" with connections to South African-based infrastructure.
Even though the group was relatively new when it emerged in 2010, it has rapidly evolved from the Shai-Hulud campaign to subsequent operations that involved malware such as GlassWorm, as well as the public release of Shai-Hulud's source code, and even a high-profile GitHub breach that compromised Visual Studio Code to expose thousands of private repositories.
The security analysts cite these incidents as evidence that attackers have shifted their approach, making developers themselves primary targets and trusted software ecosystems the preferred method of intrusion. As a result, TeamPCP's significance is greater than its volume of compromises, but it also illustrates the fragility of trust relationships that continue to underpin large portions of open-source supply chains throughout the world.
Researchers gained a better understanding of TeamPCP's operations after digging deeper into the company's operations. Palo Alto Networks' threat intelligence assessments identified a central figure operating under the alias "ResoluteXBF," as well as associates known as "diencracked" and "Shinigami." However, numerous researchers remain of the opinion that the group is an essentially loosely connected operation with a relatively small core.
There has been speculation that a successful law enforcement action against a few individuals or possibly even one key operator could significantly disrupt the campaign based on this structure. Even so, the group's influence has surpassed its apparent size. TeamPCP has consistently been associated with underground communities and criminal affiliates linked to BreachForums, DragonForce, ShinyHunters, Vect, Lapsus$, and HasanBroker, thereby expanding its influence and reputation through these networks.
One notable instance occurred when the group advertised 4,000 private code repositories with a reported asking price of $95,000 on a dark web forum. Despite this, researchers contend the group is not solely concerned with financial gain.
Based on the group's behavior, such as public feuds, open recruitment, reward-based challenges for supply-chain attacks, and deliberate release of offensive tooling, it is apparent that the campaign is centered on notoriety, disruption, and influence within cybercrime circles.
It is clear from TeamPCP's own metrics that there is a significant disparity: even though the group has claimed more than 10,000 victims, and earned approximately $90,000 in extortion-related earnings, its reputation and operational damage have been disproportionately greater than its revenues.
TeamsPCP has been aggressively targeting open-source repositories and developer infrastructure in order to spread credential-stealing malware designed to harvest credentials, cloud credentials, and secrets associated with Kubernetes environments, Amazon Web Services, Microsoft Azure, Google Cloud, and other enterprise platforms. This impact is visible across the software ecosystem.
Those organizations affected directly or indirectly by compromised packages include Checkmarx, Bitwarden, LiteLLM, Telnyx, Mercor AI, PyTorch Lightning, AntV, SAP, GitHub, TanStack, UiPath, Mistral AI, Microsoft DurableTask, Red Hat, and Nx Console, among others.
Researchers have estimated that malicious packages linked to TeamPCP represent nearly 500 million weekly downloads, showing how a compromise which affects only a few repositories can spread rapidly due to interconnected dependency chains.
The success of the group has largely been attributed to its understanding of modern development workflows rather than its malware sophistication.
Through compromise of CI runners, TeamPCP effectively converted trusted software distribution channels into malware delivery channels by compromising automated systems that build, test, and publish software.
By automatically retrieving the infected updates from a repository, downstream developers were able to retrieve them using package managers, GitHub Actions, Python libraries, NPM registries, and other software components that were configured to pull the latest releases from the repository.
Using the security best practices strategy, the group aims to exploit a fundamental characteristic of software development: rapid patching and continuous updates encourage rapid trust automation, resulting in an environment where trust is routinely automated on a large scale.
Researchers note that the group's operational tempo remains unusually aggressive. New package compromises occur almost every day, with validations, credential harvestings, and follow-on activities occurring shortly after initial access.
The detection speed of defenders has increased, resulting in some malware packages being exposed within minutes, rather than several hours, as whereas TeamPCP has continued to adapt its techniques.
A variety of toolsets have been developed by it, ranging from JavaScript and Python-based payloads to Kubernetes API attacks, bundled software development kits, and custom credential theft mechanisms. Additionally, the group's objectives have grown as they have spread the use of Mini Shai-Hulud, a self-replicating malware strain that infected hundreds of open-source packages across multiple registries, and was then publicized to encourage imitations.
These developments indicate that a scale-oriented operating model has taken precedence over precision as an operating model.
As an alternative to focusing on a select number of high-value targets, TeamPCP has adopted an approach aimed at maximizing downstream exposure, exploiting interconnected software dependencies, and generating disruption across as many environments as possible in order to maximize downstream exposure a formula that has made it one of the most consequential supply-chain threats facing the open-source community in recent years.
The TeamPCP campaign emphasizes that the most disruptive cyber threats do not always arise from sophisticated exploits or new malware. The most common causes of these attacks are vulnerabilities in trust mechanisms that maintain the rapid pace of software development.
By exploiting interconnected repositories, automated build systems, and dependency chains repeatedly, the threat actor has demonstrated how quickly a localized compromise can ripple across the entire digital landscape.
Software supply chains are becoming increasingly complex, and AI-driven development is accelerating code adoption, so organizations are under increasing pressure to strengthen publisher security, validate dependencies, protect development environments, and continuously monitor build pipelines. As a consequence of TeamPCP, the resilience of the software ecosystem will be dependent not only on securing code, but on verifying every link in the delivery chain.
