ctipilot.ch

TeamPCP

actor · actor:teampcp single-source

TeamPCP — threat actor targeting software supply chains

Coverage timeline: 30 appearances (first 2026-05-04 → last 2026-06-27)
Entries: 30 (19 distinct days)
Sources cited: 99 (46 hosts)
Sections touched: 10 (active-threats, deep-dive, research)
Co-occurring entities: 8 (see Related entities below)

Story timeline

  1. 2026-06-27 · updates · Miasma / "Mini Shai-Hulud" npm worm runs a new wave across LeoPlatform/RStreams packages
  2. 2026-06-14 · weekly-multi-day · Shai-Hulud / Miasma supply-chain worm lineage — open-sourced, ported to PyPI, and a 1,500-package AUR wave
  3. 2026-06-12 · research · npm v12 will disable install scripts by default — audit CI/CD pipelines before July
  4. 2026-06-09 · active-threats · TeamPCP open-sources its Mini Shai-Hulud framework, spawning a new "Phantom Gyp" derivative
  5. 2026-06-06 · updates · Miasma supply-chain worm reaches 73 Microsoft GitHub repositories, adds Azure credential collectors
  6. 2026-06-02 · active-threats · "Miasma" worm backdoors 32 Red Hat Cloud Services npm packages via OIDC trusted-publishing abuse
  7. 2026-05-28 · deep-dive · Nx Console / TanStack / DAEMON Tools supply-chain cascade lands three CISA KEV entries
  8. 2026-05-26 · updates · TeamPCP / Mini Shai-Hulud — framework open-sourced, Microsoft PyPI SDK trojanised with a wiper stage, forged Sigstore badges
  9. 2026-05-25 · weekly-multi-day · Mini Shai-Hulud / TrapDoor — the supply-chain worm goes cross-ecosystem, open-source and destructive
  10. 2026-05-25 · weekly-long-running · Mini Shai-Hulud / TeamPCP — @antv npm wave and confirmed Maven Central poisoning; Cargo still un-hit
  11. 2026-05-24 · deep-dive · Packagist supply-chain wave: Laravel-Lang autoloader backdoor and the cross-ecosystem postinstall strand
  12. 2026-05-24 · active-threats · npm ships 2FA-gated "staged publishing" GA in response to the 2026 supply-chain worm waves
  13. 2026-05-22 · updates · TeamPCP Mini Shai-Hulud — Unit 42 and StepSecurity confirm SLSA Build Level 3 attestation invalidated as integrity gate
  14. 2026-05-21 · deep-dive · Verizon 2026 DBIR: vulnerability exploitation overtakes credentials as primary breach vector for the first time in 19 years
  15. 2026-05-21 · updates · TeamPCP / Mini Shai-Hulud campaign — GitHub itself breached (~3,800 internal repos via poisoned VS Code extension), Microsoft durabletask PyPI worm propagates via AWS SSM and kubectl exec, Grafana confirms missed-token-rotation root cause
  16. 2026-05-19 · updates · TeamPCP / Shai-Hulud — first copycat wave (Phantom Bot + SSH/cloud stealers), Checkmarx Jenkins plugin trojanised again, PCPJack rival worm hits exposed cloud services
  17. 2026-05-18 · weekly-multi-day · TeamPCP / Mini Shai-Hulud / Megalodon — the open-sourced supply-chain worm became commodity infrastructure this week
  18. 2026-05-15 · updates · TeamPCP / Mini Shai-Hulud — OpenAI named as victim; code-signing certificate rotation enforced for all macOS apps
  19. 2026-05-15 · research · Sophos 2026 State of Identity Security: Switzerland records highest identity-breach incidence globally; energy and federal government hardest-hit sectors
  20. 2026-05-15 · active-threats · Datadog Security Labs analyzes leaked TeamPCP "Shai-Hulud" offensive framework source code
  21. 2026-05-13 · updates · Mini Shai-Hulud — TeamPCP worm hits TanStack, UiPath, Mistral AI, OpenSearch (160+ package versions)
  22. 2026-05-13 · deep-dive · Mini Shai-Hulud's GitHub Actions Pwn-Request → OIDC Token Theft Chain
  23. 2026-05-12 · trending-vulnerabilities · TeamPCP (UNC6780 / PCPJack ecosystem) backdoors the Checkmarx Jenkins AST plugin — third Checkmarx supply-chain compromise in three months, SANDCLOCK exfiltrates every CI secret reachable from the runner
  24. 2026-05-12 · deep-dive · GTIG AI Threat Tracker (May 2026): First Confirmed AI-Generated Zero-Day Exploit ITW and the Behavioural Class of AI-Augmented Malware
  25. 2026-05-11 · weekly-long-running · TeamPCP / Mini Shai-Hulud (ShinyHunters / WorldLeaks adjacent) — wave 4 + framework leak + IDE persistence
  26. 2026-05-11 · weekly-multi-day · TeamPCP / Mini Shai-Hulud npm supply-chain worm — wave 4 + framework source leak
  27. 2026-05-11 · weekly-looking-ahead · Looking ahead — 2026-W20
  28. 2026-05-11 · weekly-annual-reports · Datadog Security Labs — Shai-Hulud framework static analysis
  29. 2026-05-11 · weekly-sector-patterns · AI tooling SaaS and developer toolchain
  30. 2026-05-04 · weekly-long-running · TeamPCP → PCPJack — cloud-worm successor evicting prior operator artefacts

Where this entity is cited

  • updates: 8
  • deep-dive: 5
  • weekly-multi-day: 4
  • active-threats: 4
  • weekly-long-running: 3
  • research: 2
  • weekly-sector-patterns: 1
  • weekly-annual-reports: 1
  • weekly-looking-ahead: 1
  • trending-vulnerabilities: 1

Source distribution

  • thehackernews.com: 14 (14%)
  • attack.mitre.org: 12 (12%)
  • helpnetsecurity.com: 6 (6%)
  • nvd.nist.gov: 5 (5%)
  • socket.dev: 5 (5%)
  • wiz.io: 4 (4%)
  • bleepingcomputer.com: 3 (3%)
  • github.blog: 3 (3%)
  • other: 47 (47%)

Related entities

All cited sources (99)

Entries about TeamPCP (30)

2026-06-27

Miasma / "Mini Shai-Hulud" npm worm runs a new wave across LeoPlatform/RStreams packages

UPDATE — originally covered TeamPCP open-sources its Mini Shai-Hulud framework, spawning a new "Phantom Gyp" derivative (2026-06-09)

high threat discovered 2026-06-27 05:17 UTC

UPDATE (originally covered 2026-06-09): The Miasma / Mini Shai-Hulud / Hades supply-chain worm — last seen backdooring @redhat-cloud-services packages and the TeamPCP "Phantom Gyp" framework — ran a fresh wave on 2026-06-24: 23+ malicious versions across the LeoPlatform and RStreams serverless-data-pipeline npm ecosystems (leo-sdk, leo-auth, leo-aws, leo-cli) after the czirker publisher account was compromised, plus a Go-module compromise of Verana Blockchain (Socket Security, 2026-06-25).

The wave reuses the previously documented binding.gyp/node-gyp install-time execution to stage a Bun runtime that harvests .env files, npm/GitHub/cloud tokens, SSH keys and IDE/AI-agent configs and scrapes GitHub Actions CI secrets (JFrog, 2026-06-26). It again carries the RevokeAndItGoesKaboom campaign marker that Socket ties to the earlier codfish/semantic-release-action compromise (documented by StepSecurity), where the malicious action searched for GitHub commit messages bearing that string as an operator dead-drop channel (Socket Security, 2026-06-25). Any CH/EU team consuming these packages in CI should rotate all CI/cloud credentials exposed since 2026-06-20 and alert on node-gyp evaluating JavaScript from binding.gyp.

supply-chain infostealer cloud organized-crime global

2026-06-14

Shai-Hulud / Miasma supply-chain worm lineage — open-sourced, ported to PyPI, and a 1,500-package AUR wave

notable synthesis discovered 2026-06-14 23:57 UTC

The supply-chain-worm family the W23 weekly consolidated under the Miasma/IronWorm banner spent this week proliferating across ecosystems and operators. On 9 June a SANS ISC handler tracked TeamPCP open-sourcing its Mini Shai-Hulud framework, immediately spawning a "Phantom Gyp" derivative (SANS ISC; daily 06-09). On 10 June the lineage opened a PyPI front dubbed "Hades" — 37 malicious wheels across 19 packages (The Hacker News; daily 06-10).

The week's largest wave hit the Arch User Repository. "Atomic Arch" began with roughly 400 orphaned AUR packages adopted and re-pointed to a Rust credential-stealer plus eBPF rootkit (The Hacker News; Sonatype; daily 06-13); a second wave around 12 June expanded the count further (tracker estimates range from the 400+ in primary reporting to ~1,500) and swapped some PKGBUILD delivery from npm dependency injection to bun install js-digest — active operator iteration against detection. The npm delivery mechanism has been linked by SANS ISC and subsequent reporting to the broader Shai-Hulud supply-chain family. Official Arch core/extra repositories were not affected; only adopted AUR packages. For defenders the through-line is constant: install-time script execution is the kill chain, and npm/bun/AUR build steps need to be treated as untrusted code execution in CI/CD.

supply-chain infostealer botnet global

2026-06-12

npm v12 will disable install scripts by default — audit CI/CD pipelines before July

notable research discovered 2026-06-12 05:00 UTC

GitHub announced that npm v12 (expected July 2026) disables dependency lifecycle scripts (preinstall/install/postinstall, including implicit node-gyp builds) by default, requires npm approve-scripts for explicit opt-in, and blocks Git/remote-URL dependencies without --allow-git/--allow-remote (GitHub Changelog, 2026-06-09). This is a structural response to the install-script abuse that powered this spring's npm worm wave (Shai-Hulud/Miasma, IronWorm, TeamPCP — coverage 2026-06-06 through 2026-06-10) and brings npm in line with other package managers that already block install scripts by default (BleepingComputer, 2026-06-11). The warnings are live today in npm ≥ 11.16.0. Defender takeaway: this is a breaking change with a security upside — run npm install under 11.16.0 now to enumerate deprecation warnings, build the script allow-list before v12 ships, and treat any pipeline that must keep scripts enabled wholesale as a finding.
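One way to produce the input for that allow-list ahead of v12, as an added example (not code from npm, GitHub or this brief): it reads the hasInstallScript flag and resolved URL that npm records per package in package-lock.json (lockfileVersion 2 or 3). The sample lockfile, its package names, the approved set and REGISTRY_HOST are constructed assumptions.

```python
"""List install-script and git/remote-URL dependencies recorded in a package-lock.json."""
import json
from urllib.parse import urlparse

REGISTRY_HOST = "registry.npmjs.org"  # assumption: the only registry this project uses

# Constructed lockfile (lockfileVersion 3 layout); every package name is made up.
SAMPLE_LOCK = json.loads("""
{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/native-hasher": {
      "version": "2.1.0", "hasInstallScript": true,
      "resolved": "https://registry.npmjs.org/native-hasher/-/native-hasher-2.1.0.tgz"},
    "node_modules/@acme/telemetry": {
      "version": "0.4.2", "hasInstallScript": true,
      "resolved": "https://registry.npmjs.org/@acme/telemetry/-/telemetry-0.4.2.tgz"},
    "node_modules/internal-fork": {
      "version": "3.0.0",
      "resolved": "git+ssh://git@github.com/example/internal-fork.git#0123456789abcdef0123456789abcdef01234567"},
    "node_modules/vendored-tarball": {
      "version": "1.2.0", "hasInstallScript": true,
      "resolved": "https://downloads.example.net/vendored-tarball-1.2.0.tgz"},
    "node_modules/native-hasher/node_modules/left-trim": {
      "version": "0.9.0",
      "resolved": "https://registry.npmjs.org/left-trim/-/left-trim-0.9.0.tgz"},
    "packages/local-tool": {"name": "local-tool", "version": "0.1.0"},
    "node_modules/local-tool": {"resolved": "packages/local-tool", "link": true}
  }
}
""")


def package_name(lock_path, entry):
    """Derive the package name from a lockfile key such as node_modules/a/node_modules/@s/b."""
    return entry.get("name") or lock_path.rpartition("node_modules/")[2]


def classify_source(resolved):
    """Sort a 'resolved' value into registry, git, remote (other HTTP host), local or none."""
    if not resolved:
        return "none"  # workspace member or bundled dependency
    if resolved.startswith(("git+", "git:", "github:")):
        return "git"
    if resolved.startswith("file:"):
        return "local"
    return "registry" if urlparse(resolved).hostname == REGISTRY_HOST else "remote"


def audit_lock(lock, approved):
    """Return install-script packages split by allow-list status, plus git/remote sources."""
    if "packages" not in lock:
        raise ValueError("lockfileVersion 1 has no 'packages' map; regenerate the lockfile")
    out = {"unapproved_scripts": set(), "approved_scripts": set(), "git": set(), "remote": set()}
    for path, entry in lock["packages"].items():
        if path == "" or entry.get("link"):
            continue  # the root project and workspace symlinks are not dependencies
        name = package_name(path, entry)
        ident = f"{name}@{entry.get('version', '?')}"
        if entry.get("hasInstallScript"):
            out["approved_scripts" if name in approved else "unapproved_scripts"].add(ident)
        source = classify_source(entry.get("resolved"))
        if source in out:
            out[source].add(ident)
    return {key: sorted(values) for key, values in out.items()}


if __name__ == "__main__":
    # Hypothetical allow-list: the one native module the team has reviewed.
    for key, values in audit_lock(SAMPLE_LOCK, approved={"native-hasher"}).items():
        print(f"{key}: {values}")
```

Anything left in unapproved_scripts is a package that needs a decision before scripts stop running by default; the git and remote buckets are the dependencies that would need the explicit --allow-git / --allow-remote opt-in.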

supply-chain global

2026-06-09

TeamPCP open-sources its Mini Shai-Hulud framework, spawning a new "Phantom Gyp" derivative

high threat discovered 2026-06-09 05:00 UTC

UPDATE (originally covered 2026-06-06): A SANS ISC handler diary tracking the TeamPCP supply-chain campaign through 7 June reports the operators have open-sourced their Mini Shai-Hulud framework on GitHub, triggering a second wave of derivative campaigns (SANS ISC, 2026-06-08). Beyond the previously-covered Miasma worm — which compromised npm packages including Red Hat's @redhat-cloud-services scope (Wiz, 2026-06-01) — the diary names a newly-tracked Phantom Gyp campaign that abuses node-gyp / binding.gyp install-time script execution in compromised npm packages; both inject malicious CI/CD hooks (SANS ISC, 2026-06-08).

The diary's load-bearing detection-engineering point: valid SLSA provenance attestations do not protect against supply-chain injection when the build environment itself is subverted from the inside. The recommended shift is from attestation-verification to build-pipeline integrity — monitor GitHub Actions runner process trees for unexpected outbound network from within a build, alert on actions/upload-artifact shipping signed-but-anomalous binaries, and cross-check published package checksums against CI logs via independent transparency ledgers (e.g. Sigstore Rekor). EU/Swiss public-sector teams running npm-based automation or Red Hat tooling should audit CI/CD pipeline definitions for unexpected workflow-step insertions.

supply-chain organized-crime cloud global

2026-06-06

Miasma supply-chain worm reaches 73 Microsoft GitHub repositories, adds Azure credential collectors

UPDATE — originally covered "Miasma" worm backdoors 32 Red Hat Cloud Services npm packages via OIDC trusted-publishing abuse (2026-06-02)

notable threat discovered 2026-06-06 05:00 UTC

UPDATE (originally covered 2026-06-02): The Miasma worm — the TeamPCP-spawned descendant of the Mini Shai-Hulud lineage first covered against the Red Hat @redhat-cloud-services npm namespace — recompromised the durabletask package and propagated into the Microsoft GitHub estate. On 2026-06-05 GitHub disabled 73 repositories across the Azure, Azure-Samples, Microsoft and MicrosoftDocs organisations in a 105-second automated terms-of-service sweep, taking the entire Azure Durable Task family (.NET, Go, Java, JS, MSSQL, Netherite, protobuf) offline (OpenSourceMalware, 2026-06-05; The Hacker News, 2026-06-06).

The material delta from the 2026-06-02 coverage: the variant adds Azure CLI auth-cache and managed-identity token collectors (earlier Shai-Hulud strains targeted AWS and GitHub), and the recompromise traces to the same durabletask credential foothold from the May TeamPCP incident — i.e. credentials taken in May were never fully revoked. Azure Durable Task is a foundational dependency for Azure Functions / serverless workflows widely consumed in EU public-sector cloud deployments, so the downstream exposure is cloud infrastructure, not just developer machines.

Defender takeaway: audit ~/.azure/ credential stores on developer workstations and CI/CD runners that installed any affected @azure/* package; rotate Azure managed-identity tokens and Kubernetes service-account tokens on those systems; monitor GitHub audit logs for unexpected public-repo creation (the worm's secret-exfil-as-public-repo behaviour is what trips GitHub's automated sweep). Note the worm-vs-defender naming overlap is real here — "Miasma" is the attacker worm, not a tool.

supply-chain cloud infostealer global

2026-06-02

"Miasma" worm backdoors 32 Red Hat Cloud Services npm packages via OIDC trusted-publishing abuse

high threat discovered 2026-06-02 05:00 UTC

Threat actor cluster TeamPCP used a compromised Red Hat maintainer GitHub account to inject malicious CI/CD workflows into 32 packages in the @redhat-cloud-services npm namespace, poisoning 96 releases across high-traffic packages — Wiz puts the combined weekly downloads at roughly 80,000, while Aikido counts closer to 117,000 (Wiz, 2026-06-01 · Aikido Security, 2026-06-01). Rather than compromising developer machines directly, the attack abused GitHub Actions OIDC trusted publishing so the CI/CD pipeline itself republished backdoored packages carrying obfuscated preinstall hooks. The "Miasma" payload — a new variant in the Mini Shai-Hulud / Shai-Hulud lineage — sweeps for GitHub Actions secrets, npm tokens, AWS keys, SSH keys, HashiCorp Vault and Kubernetes credentials, and now adds dedicated collectors for GCP service-account and Azure managed-identity tokens, signalling a pivot from developer-host theft toward cloud-account takeover (Socket, 2026-06-01). Wiz notes the new variant's cloud-identity focus explicitly.

Why it matters to us: Red Hat tooling has a broad EU public-sector DevOps footprint (OpenShift/OpenStack estates). Inventory installed @redhat-cloud-services/* versions across build agents and developer endpoints, alert on preinstall scripts spawning obfuscated node -e chains from npm/npx parent trees, and rotate any CI/CD cloud-identity tokens reachable from affected pipelines.
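The alert described above, sketched as an added example (not taken from the cited vendors' detections): it walks parent links in process-creation events and flags node inline evaluation that has npm or npx as an ancestor. The event records, their field names and the DECODE_MARKERS heuristic are assumptions; map them to your EDR's schema.

```python
"""Flag `node -e` style inline evaluation that runs underneath an npm/npx process."""
from pathlib import PurePosixPath

EVAL_FLAGS = {"-e", "--eval", "-p", "--print"}
NPM_NAMES = {"npm", "npx", "npm.cmd", "npx.cmd", "npm-cli.js", "npx-cli.js"}
# Assumption: crude markers of an encoded inline script, used only to rank findings.
DECODE_MARKERS = ("Buffer.from(", "atob(", "fromCharCode", "eval(")

# Constructed process-creation events (pid, parent pid, argv), e.g. normalised from
# Sysmon EID 1 or auditd execve records. The inline script is a harmless placeholder.
EVENTS = [
    {"pid": 100, "ppid": 1, "argv": ["/usr/bin/bash", "-lc", "npm ci"]},
    {"pid": 110, "ppid": 100,
     "argv": ["/usr/bin/node", "/usr/lib/node_modules/npm/bin/npm-cli.js", "ci"]},
    {"pid": 120, "ppid": 110, "argv": ["/bin/sh", "-c", 'node -e "<inline script>"']},
    {"pid": 121, "ppid": 120,
     "argv": ["/usr/bin/node", "-e",
              "eval(Buffer.from('Y29uc29sZS5sb2coMSk=','base64').toString())"]},
    {"pid": 130, "ppid": 110, "argv": ["/usr/bin/node", "scripts/build.js"]},
    {"pid": 200, "ppid": 100, "argv": ["/usr/bin/node", "-e", "console.log(process.version)"]},
    {"pid": 300, "ppid": 999, "argv": ["/usr/bin/node", "--eval=1+1"]},  # parent not captured
]


def basename(arg):
    """Lower-cased final path component, accepting Windows or POSIX separators."""
    return PurePosixPath(arg.replace("\\", "/")).name.lower()


def is_npm(argv):
    """True for npm/npx itself or for node running npm-cli.js / npx-cli.js."""
    return any(basename(arg) in NPM_NAMES for arg in argv[:2])


def inline_script(argv):
    """Return the inline script of a node eval invocation, or None if it is not one."""
    if not argv or basename(argv[0]) not in {"node", "node.exe"}:
        return None
    for i, arg in enumerate(argv[1:], start=1):
        if arg in EVAL_FLAGS:
            return argv[i + 1] if i + 1 < len(argv) else ""
        if arg.startswith(("--eval=", "--print=")):
            return arg.split("=", 1)[1]
    return None


def npm_chain(pid, by_pid, max_depth=32):
    """Walk parents from pid; return [npm ancestor pid, ..., pid] or None if none is found."""
    chain, cur = [], by_pid.get(pid)
    # The 'not in chain' test and max_depth stop loops caused by pid reuse in the data.
    while cur is not None and cur["pid"] not in chain and len(chain) < max_depth:
        chain.append(cur["pid"])
        if cur["pid"] != pid and is_npm(cur["argv"]):
            return chain[::-1]
        cur = by_pid.get(cur["ppid"])
    return None


def detect(events):
    """Return one finding per node inline-eval process that descends from npm/npx."""
    by_pid = {event["pid"]: event for event in events}  # valid for one short time window
    findings = []
    for event in events:
        script = inline_script(event["argv"])
        if script is None:
            continue
        chain = npm_chain(event["pid"], by_pid)
        if chain:
            findings.append({"pid": event["pid"], "chain": chain,
                             "script_len": len(script),
                             "encoded": any(m in script for m in DECODE_MARKERS)})
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```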

supply-chain cloud identity infostealer global

2026-05-28

Nx Console / TanStack / DAEMON Tools supply-chain cascade lands three CISA KEV entries

high vulnerability discovered 2026-05-28 05:00 UTC deep dive

Background. The CISA KEV adds on 2026-05-27 close a chain of disclosures across the preceding three weeks that share a single operational pattern: trusted developer-tooling-publishing pipelines (a maintainer's machine, a vendor build server, a popular VS Code marketplace listing) used to push malicious code to downstream consumers at scale (CISA KEV catalog; Nx postmortem, 2026-05-19; GHSA-c9j4-9m59-847w, 2026-05-18; GHSA-g7cv-rxg3-hmpx, 2026-05-11; Disc Soft Limited, 2026-05-06; Kaspersky, 2026-05-05; Help Net Security, 2026-05-21). This brief has covered the upstream story before — campaign:mini-shai-hulud (TeamPCP) and the 2026-05-24 Packagist Laravel-Lang deep dive both documented the same class of postinstall / publish-token theft chain. The Nx Console / TanStack thread is materially new because three of its CVEs were promoted to CISA KEV on the same day (2026-05-27), confirming active in-the-wild exploitation, and because GitHub's CISO Alexis Wales publicly confirmed that the resulting credential-harvest reached approximately 3,800 internal GitHub repositories along with Grafana Labs.

The TanStack → Nx Console pivot — CVE-2026-45321 and CVE-2026-48027.

The chain begins on or before 2026-05-11 with GHSA-g7cv-rxg3-hmpx (CVE-2026-45321): malicious versions across approximately 42 @tanstack/* npm packages were published with a credential-stealing payload that read locally configured credentials and exfiltrated them — including a Nx contributor's GitHub CLI OAuth token. The Nx postmortem specifically names @tanstack/zod-adapter@1.166.15 as the resolved malicious dependency on the compromised contributor's machine. Mapped to T1195.002 Compromise Software Supply Chain → T1552.001 Unsecured Credentials: Credentials In Files. Seven days later, the attacker used the stolen token to publish Nx Console v18.95.0 (CVE-2026-48027, GHSA-c9j4-9m59-847w) via the legitimate publish path. The malicious version was live on the Visual Studio Marketplace from 12:30 to 12:48 UTC on 2026-05-18 and on Open VSX from 12:33 to 13:09 UTC. Nx Console is a VS Code extension with approximately 2.2 million reported installs; during the live window it fetched an obfuscated second-stage payload that harvested secrets from 1Password vaults, Claude Code configuration files, the developer's npm authentication, additional GitHub PATs, and AWS credentials from ~/.aws/credentials.

The Nx postmortem maps the publish-step compromise cleanly: the stolen GitHub CLI OAuth token had repo and write:packages scope on the maintainer's machine, which was enough to push a new tag and trigger the existing publish workflow without further authentication. The CI workflow ran in GitHub-hosted runners with the regular publish secrets — no additional human-in-the-loop on the publish step. This is the same architectural class of compromise as the earlier TeamPCP mini-shai-hulud chain covered in briefs/2026-05-13.md and the Packagist Laravel-Lang autoloader-backdoor covered in briefs/2026-05-24.md: a stolen developer credential turned into automated downstream-publish without secondary review.

CVE-2026-8398 — DAEMON Tools Lite signed-build trojanisation.

CVE-2026-8398 covers a separate but parallel compromise of the official Disc Soft Limited build pipeline. DAEMON Tools Lite versions 12.5.0.2421 through 12.5.0.2434, distributed from 2026-04-08 through 2026-05-05, contained trojanised DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe binaries signed with a valid AVB Disc Soft code-signing certificate and beaconing to attacker infrastructure on activation (Disc Soft Limited, 2026-05-06; Kaspersky, 2026-05-05). Kaspersky identified thousands of attempted secondary-payload installs against affected hosts during the six-week distribution window. The Disc Soft vendor advisory confirms the build infrastructure itself was compromised — the malicious binaries went through the legitimate signing path, not via a publication-credential theft. Safe version: 12.6.0+. The CVE moved to CISA KEV on 2026-05-27 on the strength of in-the-wild exploitation evidence Kaspersky and other vendors contributed.

Downstream impact — what GitHub and Grafana Labs publicly confirmed.

Help Net Security reported on 2026-05-21 (Help Net Security, 2026-05-21) that GitHub CISO Alexis Wales had publicly named the malicious Nx Console v18.95.0 extension as the root-cause vector for the earlier 2026 GitHub breach in which ~3,800 internal repositories were exfiltrated. Grafana Labs separately reported a breach traced to the same vector. The downstream-victim pattern is operationally significant: a single malicious VS Code extension live for 18 minutes was enough to reach internal corporate networks via developer-endpoint credential harvesting.

Detection and hardening — what to push to operators today.

ATT&CK mapping: T1195.002 Compromise Software Supply Chain (publish-path compromise), T1552.001 Unsecured Credentials: Credentials In Files (1Password / ~/.aws/credentials / Claude Code config harvesting), T1530 Data from Cloud Storage Object (downstream CI/CD secret reuse), T1567 Exfiltration Over Web Service.

Detection: EDR parent-process lineage vscode.exe / cursor.exe / windsurf.exe spawning node.exe with outbound network egress to non-standard hosts (Extension Host Worker is the legitimate child; secondary node.exe workers fetching obfuscated payloads are not); audit VS Code extension marketplace installs across the developer estate against an approved-extensions allowlist; flag any installation of nrwl.angular-console (the Nx Console publisher ID) at a version pinned to 18.95.0. For DAEMON Tools Lite: hunt for DTHelper.exe or DTShellHlp.exe invocations with parent-process or file-modify timestamps inside the 2026-04-08 → 2026-05-05 window and a hash that does not match the post-12.6.0 reference set (use the vendor's published file-list, do not redistribute hashes here).

Hardening: enforce an organisational policy controls list for VS Code / Cursor / Windsurf extensions (the marketplaces do not enforce mandatory code-signing on extensions); pin npm dependencies with lockfile + --ignore-scripts for CI/CD builds; require human approval for any package that adds or modifies postinstall / preinstall / install scripts; rotate every CI/CD secret, npm token, GitHub PAT, and AWS access key accessible from any host that ran an affected Nx Console version between 2026-05-18 12:30 and 13:09 UTC. For developer endpoints, treat any host that installed an extension from Open VSX or VS Code Marketplace in that window as potentially compromised — credential rotation is not optional.

supply-chain vulnerabilities actively-exploited cisa-kev identity global europe CVE-2026-48027 CVE-2026-45321 CVE-2026-8398

2026-05-26

TeamPCP / Mini Shai-Hulud — framework open-sourced, Microsoft PyPI SDK trojanised with a wiper stage, forged Sigstore badges

UPDATE — originally covered TeamPCP / Mini Shai-Hulud campaign — GitHub itself breached (~3,800 internal repos via poisoned VS Code extension), Microsoft durabletask PyPI worm propagates via AWS SSM and kubectl exec, Grafana confirms missed-token-rotation root cause (2026-05-21)

notable threat discovered 2026-05-26 05:00 UTC

UPDATE (originally covered 2026-05-21, consolidated weekly update): SANS ISC handler Kenneth Hartman documents three material escalations in the TeamPCP / Mini Shai-Hulud supply-chain campaign through 2026-05-24 (SANS Internet Storm Center, 2026-05-25). First, the complete TeamPCP framework was published to a public GitHub repository on/around 2026-05-22 — Datadog Security Labs' static analysis (reported by ISC) describes a modular TypeScript/Bun toolkit for credential harvesting, supply-chain poisoning and encrypted exfiltration whose README carries the strings "Love - TeamPCP" and "Change keys and C2 as needed" — and operational copycat forks appeared within hours, commoditising the kit and injecting attribution noise.

Second, an @antv npm wave pushed 639 malicious versions across 323 packages, including high-traffic libraries such as echarts-for-react (~1.1M weekly downloads) and size-sensor (~4.2M weekly downloads); 42 of the packages displayed forged Sigstore verification badges in the npm UI (The Hacker News, 2026-05-19). Read against the campaign's earlier abuse of genuine SLSA Build Level 3 attestations produced by hijacked pipelines, package provenance is now under attack from both directions at once — real attestations from compromised CI and fake badges rendered by the registry UI. Third, three versions of durabletask (1.4.1–1.4.3) on PyPI — Microsoft's official Azure Durable Functions SDK — were trojanised, and ISC reports the second-stage payload includes a Linux disk wiper (T1485), expanding the campaign's capability from credential theft to data destruction.

Defender takeaway: treat any echarts-for-react / size-sensor build pulled in the affected window as compromised; stop treating an npm Sigstore badge or a displayed SLSA attestation as an install-time safety signal — verify provenance out-of-band against a known-good pipeline. durabletask consumers should audit build-runner logs for unexpected outbound connections and destructive disk operations (Sysmon EID 11 for anomalous file-deletion patterns, EID 3 for unexpected node/python egress from CI workers). Pin exact versions and verify lockfile hashes. The open-sourcing means PBKDF2-salt and dead-drop-string lineage will now also fire on unrelated copycats — behavioural detection on the install-time execution chain is more durable than any static artefact.

supply-chain infostealer wiper ai-abuse global europe

2026-05-25

Mini Shai-Hulud / TeamPCP — @antv npm wave and confirmed Maven Central poisoning; Cargo still un-hit

notable synthesis discovered 2026-05-25 05:00 UTC

Beyond the in-window TrapDoor and framework-open-sourcing covered in § 2, horizon research surfaced a development the dailies missed. Wiz documented a fresh wave (2026-05-19) in which TeamPCP hijacked a legitimate maintainer account to poison the @antv data-visualisation ecosystem on npm (@antv/g2, g6, x6, l7 and others, collectively millions of weekly downloads), running the standard Mini Shai-Hulud credential-harvest against GitHub/npm tokens and cloud keys across 80+ file paths. OX Security and Security Affairs documented copycat clones spreading after the source-code leak. On the W21 watch list of un-hit registries: npm remains the only ecosystem with a primary-confirmed poisoning this wave — horizon research flagged unverified secondary reporting of Maven Central exposure via the mvnpm npm-to-Maven bridge, but this run could not corroborate it against a primary source, so it is not asserted here, and Cargo / crates.io status is likewise unverified. No GovCERT.ch / NCSC.ch developer advisory was found. Keep the provenance-anomaly hunt centred on npm and treat the mvnpm bridge as a plausible next vector to watch.

supply-chain infostealer identity cloud global europe

2026-05-25

Mini Shai-Hulud / TrapDoor — the supply-chain worm goes cross-ecosystem, open-source and destructive

high synthesis discovered 2026-05-25 05:00 UTC

The npm-born self-propagating supply-chain worm widened on two axes this week. TrapDoor — a cross-ecosystem (npm / PyPI / crates) stealer campaign — was documented validating stolen tokens before exfiltration and poisoning AI-assistant configuration files to persist across developer sessions (2026-05-26). In parallel, the Mini Shai-Hulud / TeamPCP framework was open-sourced, a trojanised Microsoft PyPI SDK was shipped with a wiper stage, and the operators forged Sigstore provenance badges to launder trust (2026-05-26 update).

Read across the days, the trajectory is the story: the propagation primitive (OIDC-token reuse) is now commoditised, the blast radius spans three major registries, and the payload added a destructive option on top of credential theft. This connects directly to the W21 watch item flagging Cargo and Maven as the un-hit wave-6 candidate registries, and to the npm staged-publishing GA (§ 8) that is the first registry-level structural answer. Pre-stage Sigstore / provenance-anomaly hunts in Rust and Java dependency pipelines and gate internal publishing behind interactive promotion.

supply-chain infostealer wiper ai-abuse cryptocrime global europe

2026-05-24

Packagist supply-chain wave: Laravel-Lang autoloader backdoor and the cross-ecosystem postinstall strand

high threat discovered 2026-05-24 05:00 UTC deep dive

Background. The 2026 software supply chain has absorbed a sustained run of registry- and repo-level compromises — the mini-shai-hulud / TeamPCP npm/PyPI worm, the Megalodon GitHub-repo backdooring campaign (covered 2026-05-23), and the actions-cool/issues-helper GitHub Action and nx-console VS Code extension compromises (covered 2026-05-20). Those targeted npm, PyPI and CI tooling; the Packagist (PHP/Composer) ecosystem had largely escaped. Between 2026-05-22 and 2026-05-23 that changed, in two technically distinct, concurrent strands with different delivery mechanics — each flagged within hours by Socket, Aikido and StepSecurity (Socket, 2026-05-23). Socket reports the postinstall strand alone spans 700+ associated GitHub repositories under common attacker infrastructure (Socket, 2026-05-22); whether a single operator runs both strands is not established by the cited reporting.

Strand 1 — Laravel-Lang tag rewrite + autoloader backdoor. An actor with organisation-level push access to the Laravel-Lang GitHub org rewrote more than 700 historical version tags across four community PHP localisation packages — laravel-lang/lang (~7.8k stars), laravel-lang/http-statuses, laravel-lang/attributes, laravel-lang/actions. Rather than committing to the canonical repos, the attacker pointed existing version tags at commits in attacker-controlled forks, so the malicious code never appears in the main repository's commit history (StepSecurity, 2026-05-22). The injected src/helpers.php is registered under each composer.json's autoload.files key. Because every Composer application executes require __DIR__.'/vendor/autoload.php' at boot — Laravel, Symfony and PHPUnit included — the backdoor runs on every request with no post-install step required. A per-host MD5 fingerprint (directory path + architecture + inode) makes the payload fire once per machine to evade redundant-execution detection. The dropper builds its command-and-control hostname at runtime from character-code arrays (array_map('chr', …)) to defeat static string analysis, disables TLS certificate verification, spoofs a browser User-Agent, and fetches a ~5,900-line PHP credential stealer, which it writes to a hidden temp file and runs via exec("php …") on Unix or a VBScript-plus-cscript chain on Windows (Socket, 2026-05-23). The stealer is organised into fifteen collector modules targeting saved passwords from multiple Chromium-based browsers, Google Cloud application-default credentials, Docker auth tokens, SSH private keys, Git credentials (.gitconfig, .git-credentials, .netrc), shell and database history, kubeconfig, .env, wp-config.php, docker-compose.yml, VPN configurations, cryptocurrency wallets and password-manager vaults; results are AES-256-encrypted, exfiltrated, and the stealer self-deletes (Aikido, 2026-05-23).

Strand 2 — eight packages, cross-ecosystem postinstall. A concurrent campaign poisoned eight Packagist packages — devdojo/wave, devdojo/genesis, katanaui/katana, elitedevsquad/sidecar-laravel, r2luna/brain, baskarcm/tzi-chat-ui, moritz-sauer-13/silverstripe-cms-theme and crosiersource/crosierlib-base — by inserting a malicious hook into package.json (not composer.json) scripts.postinstall (Socket, 2026-05-22). The cross-ecosystem placement is deliberate: teams auditing PHP/Composer dependencies routinely skip the package.json lifecycle hooks bundled alongside JS build tooling. The hook downloads a Linux ELF from a code-hosting release URL, writes it to a hidden executable file under /tmp masquerading as an SSH daemon (e.g. /tmp/.sshd), marks it executable and launches it in the background with TLS verification suppressed and error output silenced (The Hacker News, 2026-05-23). The eight span CMS themes and developer libraries — including a SilverStripe CMS theme (moritz-sauer-13/silverstripe-cms-theme) and the crosiersource/crosierlib-base library — so the blast radius reaches any PHP project that pulled them as a direct or transitive dependency.

Kill chain → MITRE ATT&CK. Initial access and execution map to T1195.002 (Compromise Software Supply Chain) and T1059.004 (Unix Shell, via exec/postinstall); the runtime C2-hostname assembly and AES-256 output to T1140 (Deobfuscate/Decode Information); the /tmp/.sshd naming to T1036.005 (Masquerading: Match Legitimate Name or Location); the stealer's harvesting to T1552.001 (Credentials in Files) and T1083 (File and Directory Discovery); and the JS-side delivery to T1204.002 (User Execution: Malicious File).

Detection concepts (no IOCs). Audit composer.lock for any of the four laravel-lang/* packages at versions tagged in the 2026-05-22 → 2026-05-23 window, and for the eight named Strand-2 packages. Flag any autoload.files entry introduced by a version-tag change that has no counterpart in the package's upstream git history, and treat any scripts.postinstall / scripts.preinstall hook inside a PHP-only Composer package as a high-fidelity anomaly. On hosts and CI runners, hunt (Sysmon EID 1 / Linux auditd) for web-server worker processes (php-fpm, php-cgi, apache2, nginx) spawning exec("php …") or cscript.exe, for composer/npm spawning shells or initiating network connections during install, and for an executable hidden file under /tmp resembling sshd. Egress monitoring: outbound HTTPS from PHP worker processes during autoload, and installs pulling binaries from code-hosting release CDNs during composer/npm install.
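The lockfile and vendor-tree checks above can be scripted. This is an added Python example, not code from this brief or the cited vendors: it diffs a trusted composer.lock against the current one to catch a version string that now resolves to a different commit and any newly registered autoload.files entry, and lists preinstall/postinstall hooks in a package.json shipped inside a Composer package. The sample lock entries, versions, commit ids and hook command are constructed placeholders, and the check assumes the lockfile records each package's resolved commit under source.reference.

```python
"""Composer lockfile / vendor-tree checks for the two Packagist strands."""
import json

# Package names exactly as listed in this brief.
STRAND1 = {"laravel-lang/lang", "laravel-lang/http-statuses",
           "laravel-lang/attributes", "laravel-lang/actions"}
STRAND2 = {"devdojo/wave", "devdojo/genesis", "katanaui/katana",
           "elitedevsquad/sidecar-laravel", "r2luna/brain",
           "baskarcm/tzi-chat-ui", "moritz-sauer-13/silverstripe-cms-theme",
           "crosiersource/crosierlib-base"}
HOOKS = ("preinstall", "postinstall")


def _index(lock):
    """Map package name -> lock entry across packages and packages-dev."""
    entries = lock.get("packages", []) + lock.get("packages-dev", [])
    return {p["name"]: p for p in entries}


def _autoload_files(entry):
    """Files Composer will require on every vendor/autoload.php include."""
    return set(entry.get("autoload", {}).get("files", []))


def diff_locks(baseline, current):
    """Compare a trusted composer.lock (as a dict) with the current one."""
    findings = []
    old, new = _index(baseline), _index(current)
    for name, pkg in sorted(new.items()):
        if name in STRAND1 or name in STRAND2:
            findings.append(("named-package", name, pkg.get("version", "?")))
        prev = old.get(name)
        if prev is None:
            continue
        old_ref = prev.get("source", {}).get("reference")
        new_ref = pkg.get("source", {}).get("reference")
        # Same version string resolving to a different commit means the tag
        # moved after the baseline was recorded.
        if (prev.get("version") == pkg.get("version")
                and old_ref and new_ref and old_ref != new_ref):
            findings.append(("tag-rewritten", name, f"{old_ref} -> {new_ref}"))
        for path in sorted(_autoload_files(pkg) - _autoload_files(prev)):
            findings.append(("new-autoload-file", name, path))
    return findings


def lifecycle_hooks(package_json_text):
    """npm lifecycle hooks declared by a package.json found under vendor/."""
    try:
        scripts = json.loads(package_json_text).get("scripts", {})
    except (ValueError, AttributeError):
        return []
    if not isinstance(scripts, dict):
        return []
    return [(hook, scripts[hook]) for hook in HOOKS if hook in scripts]


def _entry(name, version, ref, files=()):
    """Build a minimal composer.lock package entry (constructed sample data)."""
    entry = {"name": name, "version": version,
             "source": {"type": "git", "reference": ref}}
    if files:
        entry["autoload"] = {"files": list(files)}
    return entry


# Constructed samples: versions and commit ids are placeholders, not IOCs.
BASELINE_LOCK = {"packages": [
    _entry("laravel-lang/lang", "1.0.0", "a" * 40),
    _entry("example/benign-lib", "2.1.0", "c" * 40, ["src/functions.php"]),
]}
CURRENT_LOCK = {"packages": [
    _entry("laravel-lang/lang", "1.0.0", "b" * 40, ["src/helpers.php"]),
    _entry("example/benign-lib", "2.1.0", "c" * 40, ["src/functions.php"]),
]}
SAMPLE_PACKAGE_JSON = json.dumps(
    {"name": "constructed-theme",
     "scripts": {"build": "vite build", "postinstall": "sh ./setup.sh"}})

if __name__ == "__main__":
    for finding in diff_locks(BASELINE_LOCK, CURRENT_LOCK):
        print(*finding)
    print(lifecycle_hooks(SAMPLE_PACKAGE_JSON))
```

In CI, load the baseline from the composer.lock of the last known-good commit; a tag-rewritten finding is the cue to compare the new commit against the upstream repository's history.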

Hardening. Run composer audit (Composer 2.6+), pin exact dependency versions, and verify composer.lock hash integrity in CI. Review whether organisation-level GitHub token scoping permits tag rewrites across all repositories and rotate admin tokens if compromise is suspected. On any affected host, treat all secrets reachable by the PHP worker process — cloud keys, SSH keys, .env, Git tokens — as compromised and rotate aggressively. For the JS-tooling surface, adopt npm's new staged-publishing 2FA gate and --allow-remote none / --allow-directory none install controls. Note that Packagist removed the malicious versions, but development branches stay infected while upstream GitHub repos remain compromised — verify upstream state before reinstalling any of the named packages.

supply-chain infostealer data-breach cloud global europe

2026-05-24

npm ships 2FA-gated "staged publishing" GA in response to the 2026 supply-chain worm waves

notable threat discovered 2026-05-24 05:00 UTC

UPDATE (supply-chain worm wave, originally covered 2026-05-23): GitHub announced on 2026-05-22 that npm staged publishing is now Generally Available — a maintainer must run npm stage publish (npm CLI 11.15.0+), which uploads the version to a consumer-invisible staging queue, then pass a separate 2FA challenge to approve the release before it becomes installable (GitHub Changelog, 2026-05-22). This directly targets the automated mass-publish pattern behind the Megalodon GitHub-repo campaign (covered 2026-05-23) and the earlier mini-shai-hulud / TeamPCP npm waves, where many malicious versions were pushed in seconds via compromised maintainer sessions — a human-in-the-loop 2FA gate would have broken that tempo.

The same release adds three install-source restriction flags — --allow-file, --allow-remote and --allow-directory (each all | none) — letting CI/CD pipelines forbid installs from remote URLs or local paths, the vectors abused in several 2026 dependency-confusion and supply-chain campaigns (The Hacker News, 2026-05-23). For CH/EU public-sector development teams, the operational action is to enable staged publishing on org-owned packages and set --allow-remote none / --allow-directory none in production CI.

supply-chain identity global

2026-05-22

TeamPCP Mini Shai-Hulud — Unit 42 and StepSecurity confirm SLSA Build Level 3 attestation invalidated as integrity gate

UPDATE — originally covered TeamPCP / Shai-Hulud — first copycat wave (Phantom Bot + SSH/cloud stealers), Checkmarx Jenkins plugin trojanised again, PCPJack rival worm hits exposed cloud services (2026-05-19)

notable threat discovered 2026-05-22 05:00 UTC

UPDATE (originally covered 2026-05-19, updated 2026-05-21): Unit 42 (Palo Alto Networks) and StepSecurity published concurrent technical analyses on 2026-05-21 of the TeamPCP Mini Shai-Hulud npm supply-chain campaign, establishing the defining novelty of this wave: the first documented case of malicious npm packages carrying valid SLSA Build Level 3 provenance attestations (Unit 42, 2026-05-21). Attackers compromised TanStack's legitimate GitHub Actions CI/CD pipeline's trusted OIDC identity mid-workflow — without stealing developer credentials — making the SLSA attestation genuine while the package payload was malicious. This invalidates "package carries valid provenance attestation" as a sufficient supply-chain integrity gate.

The execution chain runs tanstack_runner.js under the Bun JavaScript runtime, enumerating stored credentials including gh auth token capture (T1552.001 Unsecured Credentials: Credentials In Files); stolen npm tokens and GitHub PATs are used to backdoor every package the victim account can publish (T1650 Acquire Access), making the worm self-propagating across the npm ecosystem. By end of the 2026-05-11 wave, 373 malicious package versions across 169 npm packages and PyPI mirrors were active (Unit 42, 2026-05-21).

Defender actions from this technical update: (a) SLSA attestation verification is now insufficient as a sole gate — add runtime behavioural scanning of npm install scripts alongside provenance checks; (b) Pin GitHub Actions to commit SHAs, not mutable tags, to prevent mid-workflow OIDC identity hijack; (c) If pipelines ran npm publish during 2026-05-11 to 2026-05-12, rotate npm tokens and GitHub PATs and audit owned packages for unauthorised versions; (d) In environments where Bun is not an approved runtime, flag any bun or bun.js process execution from a CI runner context (Sysmon EID 1 process-name filter).

supply-chain nation-state global

2026-05-21

Verizon 2026 DBIR: vulnerability exploitation overtakes credentials as primary breach vector for the first time in 19 years

high threat discovered 2026-05-21 05:00 UTC deep dive

Verizon published the 2026 Data Breach Investigations Report on 2026-05-19 covering, per the full DBIR PDF, tens of thousands of security incidents and over ten thousand confirmed breaches collected over the standard DBIR window (autumn of the prior year through autumn of the report year) (Verizon official press release via GlobeNewswire, 2026-05-19; Help Net Security analysis, 2026-05-20; Verizon DBIR landing page — the specific dataset incident / breach counts cited by some secondary coverage were not separately confirmed in the press-release coverage and should be read against the full DBIR PDF at verizon.com/business/resources/T1f0/reports/2026-dbir-data-breach-investigations-report.pdf). This is the publication event that the 2026-W21 weekly summary flagged as imminent — the dedicated PD-9 treatment lands here. The report is structurally significant for European public-sector SOCs because it provides industry-spanning patching-cadence and supply-chain benchmarks that map cleanly onto NIS2 risk-management obligations.

Headline shift: exploitation overtakes credentials. For the first time in the DBIR's 19-year history, vulnerability exploitation (T1190 Exploit Public-Facing Application) is the leading initial-access vector at 31 % of breaches — Verizon's own press-release language (GlobeNewswire). Per Help Net Security's reading of the full DBIR, compromised credentials (T1078 Valid Accounts; T1110 Brute Force) dropped to 13 % (Help Net Security, 2026-05-20). This is a sustained inversion, not a single-year blip — the trend curve has been climbing for three reporting cycles and accelerated sharply in the 2024-2025 window. For SOCs, the implication is that detection-investment prioritisation that ranks credential-stuffing telemetry above EDR exploit-protection coverage and network-layer anomaly detection for exploitation activity is now out of alignment with the breach distribution.

Patching-cadence regression. Only 26 % of CVEs listed in the CISA Known Exploited Vulnerabilities (KEV) catalog were fully remediated by polled organisations in the reporting window, down from 38 % the prior year. The median time to patch deteriorated from 32 days to 43 days. Per PD-13 the KEV remediation deadline itself has no jurisdictional weight in CH/EU, but the listing flag is jurisdiction-agnostic intelligence about exploitation in the wild — and the DBIR's finding is that even organisations that are subject to BOD 22-01 are missing the deadline three quarters of the time. The benchmark for CH/EU public-sector defenders is therefore an honest one: most peers are not patching their KEV inventory on time, and median 43-day exposure is the operational reality. A SOC that is hitting 14-day patch SLAs on KEV entries is now outperforming the industry baseline by a factor of three.

Supply-chain breaches as the dominant compounding factor. Third-party / supply-chain breaches grew 60 % year-over-year and now represent 48 % of all breaches in the dataset (T1195 Supply Chain Compromise). Only 23 % of affected organisations had fully remediated MFA gaps in third-party cloud accounts — the most common upstream pivot point. The 60 % growth aligns with the campaign-level signal this brief has carried throughout May 2026 (TeamPCP / Mini Shai-Hulud). The actionable layer for defenders is third-party-CI access scoping — every reduction in the cross-tenant blast radius of a single compromised dev-tool integration directly reduces measured breach probability.

Ransomware and AI signals. Ransomware was present in 48 % of breaches, up from 44 % — the proportion-not-paying held at 69 %. The DBIR carries shadow AI usage as the third-most-common insider data-loss mechanism, with usage rates quadrupling year-over-year; the report also notes AI-bot traffic growing 21 % month-over-month against 0.3 % growth for human traffic. Verizon's press-release framing is that "AI is being leveraged by threat actors to accelerate the time to exploit known vulnerabilities, shrinking the window for defense from months to mere hours" (GlobeNewswire) — that finding maps to the patch-velocity number: the 43-day median patch time that was acceptable when working PoCs took weeks is now insufficient when AI-assisted exploitation collapses weaponisation latency to hours. The full DBIR PDF is published at verizon.com/business/resources/T1f0/reports/2026-dbir-data-breach-investigations-report.pdf.

Defender takeaways for a Swiss / European public-sector SOC:

  • Re-weight detection-investment priorities: EDR exploit-protection coverage and network-layer anomaly detection for T1190 exploitation activity now rank above credential-stuffing detection for breach-probability reduction.
  • Use the 26 % KEV remediation rate and 43-day median patch time as the public benchmark when justifying patch-cadence SLAs to programme owners; the industry's distribution is far worse than most ISMS targets assume.
  • Treat third-party cloud-tenancy MFA gap closure as the single highest-leverage control — the 23 % remediation rate is the most actionable bar to clear.
  • Map the +60 % supply-chain finding directly onto NIS2 Article 21(2)(d) supply-chain-security obligations during the next ISMS review cycle; the DBIR is now the canonical industry-baseline citation.
vulnerabilities ransomware supply-chain ai-abuse identity global

2026-05-21

TeamPCP / Mini Shai-Hulud campaign — GitHub itself breached (~3,800 internal repos via poisoned VS Code extension), Microsoft durabletask PyPI worm propagates via AWS SSM and kubectl exec, Grafana confirms missed-token-rotation root cause

UPDATE — originally covered Mini Shai-Hulud — TeamPCP worm hits TanStack, UiPath, Mistral AI, OpenSearch (160+ package versions) (2026-05-13)

high incident discovered 2026-05-21 05:00 UTC

UPDATE (originally covered 2026-05-13 deep dive; multiple subsequent updates): three new TeamPCP / Mini Shai-Hulud developments landed in this window — GitHub itself, the official Microsoft durabletask PyPI package, and the Grafana Labs root-cause disclosure.

GitHub. GitHub confirmed on 2026-05-20 that TeamPCP (also tracked as UNC6780) accessed approximately 3,800 internal GitHub repositories after a single GitHub employee installed a poisoned Visual Studio Code extension on their device (The Hacker News, 2026-05-20; The Record, 2026-05-20; Infosecurity Magazine, 2026-05-20; Help Net Security, 2026-05-20). GitHub detected and contained the breach on 2026-05-19, isolated the affected endpoint and rotated high-impact secrets; the company states there is no evidence customer data stored outside the internal repositories was accessed. GitHub has not publicly named the malicious VS Code extension or its publisher at this writing. TeamPCP listed the stolen repositories — including GitHub Actions internals, agentic-workflow code, Copilot internal projects, CodeQL tools, Codespaces, Dependabot, and a Rails controller managing organisations and PRs — for sale at $50,000, with LAPSUS$ announcing a joint sale and a $95,000 asking price.

durabletask (PyPI). Wiz Security reported on 2026-05-20 that the TeamPCP / Mini Shai-Hulud worm compromised the official Microsoft durabletask PyPI package via versions 1.4.1, 1.4.2 and 1.4.3 (Wiz, 2026-05-20). The payload is a dropper that fetches rope.pyz from check.git-service[.]com; per Wiz the second stage is a full credential stealer targeting AWS, Azure, GCP, Kubernetes and Vault credentials, 1Password and Bitwarden vaults, filesystem credentials and shell history. Propagation per Wiz: on Kubernetes hosts the worm uses kubectl exec; on AWS EC2 instances it propagates via AWS Systems Manager SendCommand against up to 5 targets per host (T1078.004 Cloud Accounts, T1570 Lateral Tool Transfer).

Grafana Labs. Grafana Labs published the post-mortem of its own TeamPCP breach on 2026-05-19, confirming the root cause was a single GitHub Actions workflow token that slipped through the rotation process after the TanStack npm supply-chain attack (Grafana Labs, 2026-05-19; BleepingComputer, 2026-05-20). Per Grafana's own post-mortem the TanStack compromise was detected on 2026-05-11 (note: BleepingComputer cites 2026-05-01 for the malicious-package consumption event — surfaced as a contradiction in § 7); Grafana rotated the bulk of its GitHub workflow tokens, but the residual unrotated token gave TeamPCP access to clone private source-code repositories (exact count not disclosed in Grafana's post-mortem). Grafana refused the extortion demand on 2026-05-16. The exfiltration scope is confirmed limited to Grafana Labs GitHub repositories (public source code, private source code and internal repos); customer production data was not affected.

supply-chain organized-crime cloud identity data-breach global

2026-05-19

TeamPCP / Shai-Hulud — first copycat wave (Phantom Bot + SSH/cloud stealers), Checkmarx Jenkins plugin trojanised again, PCPJack rival worm hits exposed cloud services

UPDATE — originally covered Mini Shai-Hulud — TeamPCP worm hits TanStack, UiPath, Mistral AI, OpenSearch (160+ package versions) (2026-05-13)

high threat discovered 2026-05-19 05:00 UTC

UPDATE (originally covered 2026-05-13, 2026-05-15): Three concurrent developments show the TeamPCP / Shai-Hulud campaign has entered an open-source-imitator phase following Datadog Security Labs' 2026-05-13 analysis of the leaked Shai-Hulud worm source code. First, OX Security disclosed on 2026-05-17 four malicious npm packages published by deadcode09284814: chalk-tempalte, @deadcode09284814/axios-util, axois-utils, and color-style-utils — combined weekly downloads ~3,000 (OX Security, 2026-05-17; The Hacker News, 2026-05-18). chalk-tempalte is a near-unmodified clone of the leaked Shai-Hulud worm with a modified C2 server and a new attacker-controlled key embedded in the code — the two primary sources disagree on whether this is a public or private key; axois-utils bundles "Phantom Bot," a Golang HTTP/TCP/UDP/Reset-flood DDoS tool with Windows Startup folder and Linux scheduled-task persistence that survives package removal; the other two harvest SSH keys, cloud-provider credentials (AWS/GCP/Azure), and cryptocurrency wallet data.

Second, SANS ISC synthesised a 2026-05-18 campaign update confirming that Checkmarx officially acknowledged on 2026-05-11 that its Jenkins AST Scanner plugin had been trojanised — version 2026.5.09, compromise window 2026-05-09 01:25 UTC to 2026-05-10 08:47 UTC — making this TeamPCP's third confirmed Checkmarx intrusion in three months (SANS Internet Storm Center, 2026-05-18; Checkmarx, 2026-05-12). Hundreds of Jenkins controllers installed the malicious plugin before removal; remediated builds 2.0.13-848 and 2.0.13-847 are safe. CxSAST on-premise was unaffected; the cloud-integrated checkmarx/ast-github-action, checkmarx/kics-github-action, and VS Code extensions were all trojaned.

Third, SentinelLabs disclosed on 2026-05-07 — also folded into the SANS ISC summary — "PCPJack," a rival cloud worm that scans for exposed Docker, Kubernetes, Redis, MongoDB and RayML services and chains five CVEs (CVE-2025-29927 Next.js middleware auth bypass; CVE-2025-55182 Next.js Server Actions deserialization; CVE-2026-1357 WPVivid arbitrary file upload; CVE-2025-9501 W3 Total Cache RCE; CVE-2025-48703 CentOS Web Panel command injection) for initial access, then explicitly kills TeamPCP processes and removes TeamPCP artefacts before harvesting credentials — assessed by SentinelLabs with moderate confidence as possibly a former TeamPCP affiliate. Defender takeaway for the Swiss/EU public-sector SOC: developer endpoints and CI/CD runners with the Checkmarx plugin installed should be audited for plugin versions outside the known-safe SHA range during the 2026-05-09 → 2026-05-10 window; npm audit and SBOM scans should flag the deadcode09284814 author/scope; egress from CI runners to *.lhr.life hostnames is a high-fidelity hunt pivot for the npm worm wave; Docker/Kubernetes/Redis/MongoDB endpoints exposed to the internet should be inventoried and removed from public exposure (PCPJack's scan list). MITRE T1195.002 (Supply Chain Compromise), T1552.001 (Credentials in Files), T1041 (Exfiltration over C2 Channel).

“One of the packages (chalk-tempalte) is a direct clone of the Shai-Hulud worm open-sourced by TeamPCP with modified C2 infrastructure” — The Hacker News

“Checkmarx officially confirmed that a tampered plugin (version 2026.5.09) had been published to the Jenkins Marketplace ... This is the third TeamPCP compromise of Checkmarx in three months” — SANS Internet Storm Center

supply-chain ransomware organized-crime infostealer botnet global europe

2026-05-18

TeamPCP / Mini Shai-Hulud / Megalodon — the open-sourced supply-chain worm became commodity infrastructure this week

notable synthesis discovered 2026-05-18 05:00 UTC

This is the week's defining chain. After the worm framework was open-sourced on 2026-05-12, the window saw it move from a single operator's tool to commodity capability, escalating almost daily:

  • 2026-05-18 → 19 — First copycat wave: TeamPCP imitators deploy Phantom Bot plus SSH/cloud stealers, the Checkmarx Jenkins plugin is re-trojanised, and a rival "PCPJack" worm appears, per OX Security (daily 2026-05-19). Same window: the Nx Console VS Code extension (2.2M installs) is pushed malicious for an 11-minute window (12:36–12:47 UTC, 2026-05-18) via stolen publisher credentials, and all 53 tags of actions-cool/issues-helper are moved to an imposter commit reading /proc/PID/mem of the Runner.Worker (daily 2026-05-20).
  • 2026-05-21 — Escalation to platform scale: GitHub itself is named in a breach claim, Microsoft's official durabletask PyPI package is weaponised (propagating via AWS SSM and kubectl exec), and Grafana confirms a missed-token-rotation root cause (The Hacker News; daily 2026-05-21).
  • 2026-05-22 — Unit 42 and StepSecurity publish concurrent analyses establishing that SLSA Build Level 3 provenance attestation is invalidated as an integrity gate for these waves — the malicious build step runs inside the legitimately-attested pipeline (Unit 42; daily 2026-05-22).
  • 2026-05-23 (disclosure; event 2026-05-18) — SafeDep and OX Security disclose the Megalodon sub-campaign, which mass-poisoned 5,561 GitHub repositories in a ~6-hour window on 18 May using forged CI-bot identities and templated commit messages, harvesting cloud credentials and OIDC tokens (SafeDep; daily 2026-05-23). A further Packagist/Laravel-Lang compromise is reported the same day (daily 2026-05-24).

Two in-window synthesis documents consolidate the picture. The Cloud Security Alliance research note (2026-05-22) frames the whole event as a two-wave attack: Wave 1 (Mini Shai-Hulud, 29 Apr – 12 May) hijacked TanStack's GitHub Actions runner via a pull_request_target trigger plus Actions cache poisoning, extracted a live OIDC token from runner process memory via /proc/PID/mem, obtained a Sigstore signing certificate from Fulcio, and produced SLSA BL3 provenance attestations for 404 malicious package versions across 172 packages (CVE-2026-45321, CVSS 9.6) — the first publicly-documented hijack of trusted build pipelines to generate attestation-bearing malicious artefacts. Wave 2 (Megalodon, from 18 May) pushed 5,718 commits to 5,561 repos in under six hours, harvesting AWS IAM, GCP/Azure IMDS, SSH, Docker auth, .npmrc, .netrc, Kubernetes configs, Vault tokens and Terraform state. Separately, GitHub's official post-incident blog (2026-05-20) confirmed an employee device was compromised via the poisoned Nx Console extension (GHSA-c9j4-9m59-847w) and ~3,800 GitHub-internal repositories were exfiltrated, with no customer-data impact found as of publication and a fuller report still outstanding.

Defender takeaways: set permissions: id-token: none on workflows that do not need OIDC; disable or isolate pull_request_target for fork PRs (permissions: contents: read); treat Git commit author/committer fields as unverified free text (use contributor allow-lists / push-rule bypass-actor audit events to catch Megalodon-style forged identities); audit Sigstore Rekor for unexpected signing events from your own pipeline identity; and do not accept SLSA BL3 attestation alone as a clean-package signal.

supply-chain actively-exploited infostealer cloud identity organized-crime global

2026-05-15

Datadog Security Labs analyzes leaked TeamPCP "Shai-Hulud" offensive framework source code

notable threat discovered 2026-05-15 05:00 UTC single-source

UPDATE (2026-05-13 — follows TeamPCP coverage 2026-05-13): Datadog Security Labs published an analysis of the TeamPCP "Shai-Hulud" offensive worm source code on 2026-05-13, after the complete framework was briefly accessible as a public GitHub repository on 2026-05-12 before the account was removed (Datadog Security Labs, 2026-05-13). The brief public exposure gave researchers direct visibility into the worm's internal architecture: it is a TypeScript/Bun toolkit that automates GitHub Actions pwn-request exploitation — specifically targeting pull_request_target workflows that perform unsanitized checkouts — to harvest OIDC tokens and GITHUB_TOKEN values, then propagate across npm packages using the stolen credentials. The automation is fully self-contained; victim-repository selection is not manually guided, consistent with the worm-class spread observed in the original TanStack campaign. The leaked code also exposes the environment-variable injection technique (${{ github.event.pull_request.head.sha }} substitution in run steps) as a key primitive. Defenders should not execute the leaked code. The architectural disclosure accelerates defensive posture: prioritise auditing pull_request_target triggers with checkout steps in the same job, review OIDC token permission scopes, and apply environment variable sanitization. MITRE ATT&CK: T1195.002 (Compromise Software Supply Chain), T1552.001 (Credentials in Files), T1059.004 (Unix Shell).
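The workflow audits recommended in this entry and in the 2026-05-22 and 2026-05-18 defender lists (pin actions to commit SHAs, restrict id-token, review pull_request_target jobs that check out PR code, keep pull-request expressions out of run steps) can be run as one pass over a workflow file. This is an added Python example, not code from Datadog, Unit 42, StepSecurity or the leaked framework. Both sample workflows, the example-org/setup-tool action and the 40-character commit ids are constructed placeholders, and the line-based parsing assumes conventionally indented YAML.

```python
import re

USES = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
RUN = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")
PINNED = re.compile(r"@[0-9a-f]{40}$")          # full commit SHA, not a tag
PR_EXPR = re.compile(r"\$\{\{\s*github\.event\.pull_request\.[^}]*\}\}")
PRT = "pull_request_target"


def audit_workflow(text):
    """Return (line_no, finding, detail) tuples for one workflow file."""
    lines = text.splitlines()
    targets_pr = any(PRT in l for l in lines if not l.lstrip().startswith("#"))
    findings, run_col = [], None
    for no, line in enumerate(lines, 1):
        stripped = line.strip()
        if stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if run_col is not None:                 # inside a `run: |` block scalar
            if not stripped or indent > run_col:
                hit = PR_EXPR.search(line)
                if hit:
                    findings.append((no, "expr-in-run", hit.group(0)))
                continue
            run_col = None                      # dedent: block ended
        m = RUN.match(line)
        if m:
            if m.group(2)[:1] in ("|", ">"):
                run_col = len(m.group(1))       # column of the run: key
            else:
                hit = PR_EXPR.search(m.group(2))
                if hit:
                    findings.append((no, "expr-in-run", hit.group(0)))
            continue
        u = USES.match(line)
        if u and not u.group(1).startswith(("./", "docker://")):
            ref = u.group(1)
            if not PINNED.search(ref):
                findings.append((no, "unpinned-action", ref))
            if targets_pr and ref.split("@")[0] == "actions/checkout":
                findings.append((no, "checkout-under-" + PRT, ref))
        elif re.match(r"^\s*id-token:\s*write\b", line):
            findings.append((no, "oidc-write", stripped))
        elif targets_pr and re.match(r"^\s*ref:", line) and PR_EXPR.search(line):
            findings.append((no, "pr-head-ref", stripped))
    return findings


# Constructed workflow showing the shapes the entries warn about.
RISKY_WORKFLOW = """\
name: pr-checks
on:
  pull_request_target:
permissions:
  id-token: write
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: example-org/setup-tool@0123456789abcdef0123456789abcdef01234567
      - name: Build
        run: |
          echo "building ${{ github.event.pull_request.head.sha }}"
          npm ci
"""

# Constructed counterpart: SHA-pinned, no OIDC, expression passed via env.
HARDENED_WORKFLOW = """\
on:
  pull_request:
permissions:
  contents: read
  id-token: none
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - name: Build
        env:
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        run: |
          echo "building $HEAD_SHA"
"""

if __name__ == "__main__":
    for finding in audit_workflow(RISKY_WORKFLOW):
        print(*finding)
```

An oidc-write finding is a review prompt rather than a defect: workflows that genuinely publish with OIDC need it, the rest should not carry it.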

supply-chain vulnerabilities global

2026-05-15

TeamPCP / Mini Shai-Hulud — OpenAI named as victim; code-signing certificate rotation enforced for all macOS apps

UPDATE — originally covered Mini Shai-Hulud — TeamPCP worm hits TanStack, UiPath, Mistral AI, OpenSearch (160+ package versions) (2026-05-13)

notable incident discovered 2026-05-15 05:00 UTC

UPDATE (originally covered 2026-05-13): OpenAI disclosed on approximately 2026-05-13 that two employee devices were compromised through the TanStack npm supply-chain attack (Mini Shai-Hulud / TeamPCP, first covered in this brief series on 2026-05-12 and 2026-05-13) and that the compromise affected OpenAI's macOS code-signing certificates (TechCrunch, 2026-05-14 · The Record, 2026-05-14).

The attackers exfiltrated "limited credential material" from internal source code repositories accessible to the two affected employees; OpenAI states no customer data, production systems, or core intellectual property were accessed. Critically, the certificate used to sign OpenAI's macOS desktop applications (ChatGPT for macOS and related apps) was among the compromised material, triggering an emergency certificate rotation. OpenAI is requiring all macOS app users to update to the latest version before June 12, 2026, after which older builds will lose functionality and macOS Gatekeeper notarization will block apps signed with the compromised certificate. Enterprise MDM administrators with OpenAI macOS apps in their managed fleet should push a forced update immediately. Threat attribution is unofficially assessed as TeamPCP (the same actor behind the broader TanStack worm), consistent with prior reporting on the actor's OIDC token theft and credential exfiltration goals.

supply-chain data-breach organized-crime global

2026-05-15

Sophos 2026 State of Identity Security: Switzerland records highest identity-breach incidence globally; energy and federal government hardest-hit sectors

notable research discovered 2026-05-15 05:00 UTC single-source

Sophos published its State of Identity Security 2026 survey on 2026-05-14, drawing on responses from IT and cybersecurity leaders across 17 countries (Help Net Security, 2026-05-14). The headline finding is that more than 70% of surveyed organisations experienced at least one identity-related breach in the prior 12 months. Swiss organisations recorded the highest breach incidence among all surveyed countries. Sector analysis places energy, oil/gas, and utilities alongside federal government as the verticals with the highest breach rates — and two-thirds of ransomware victims in the survey attributed initial access to an identity compromise: stolen credentials, session hijacking, or MFA bypass. The survey corroborates NCSC-CH's sustained advisory focus on credential abuse and the trend visible across this brief series (Lumma Stealer takedown, FamousSparrow credential harvesting, TeamPCP OIDC token theft). Defenders in CH/EU public-sector environments should audit conditional access policies and MFA resilience controls — particularly for energy-sector service accounts and Entra ID/ADFS federations — against the pattern of phishing-resistant MFA requirements in NCSC-CH guidance.

identity data-breach nation-state switzerland europe

+ 10 earlier entries — see the timeline above.