Assessing TeamPCP: Operational Effectiveness in Cloud-Native Supply Chains

An analysis of the TeamPCP threat group reveals a pattern of operational efficiency over raw technical complexity. By examining their targeting of developer credentials and trusted infrastructure, security teams can better harden their CI/CD pipelines and identity management workflows.

Triage Security Media Team

TeamPCP has gained significant visibility in the open-source community following a series of incidents involving the Shai-Hulud worm. While the group operates at scale, a review of its history suggests its success relies less on highly sophisticated, novel capabilities and more on operational efficiency and opportunistic timing within software supply chains.

Formally emerging in late 2025, TeamPCP is a financially motivated threat actor that initially focused on known vulnerabilities and misconfigurations. As documented by Flare researchers, the group frequently targeted the React2Shell vulnerability, as well as exposed Docker APIs and Next.js environments. These opportunistic compromises were typically used to support ransomware deployment, data exfiltration, and cryptocurrency mining operations.

As the year progressed, TeamPCP shifted its focus toward software supply chain compromises. Beginning in the summer, the Shai-Hulud worm began circulating through the open-source development ecosystem. The component featured a capacity to self-replicate, allowing it to propagate to downstream developers. If an engineering team downloaded an open-source node package manager (npm) component containing Shai-Hulud, the code would infect other components maintained by those developers, uploading unauthorized updates to otherwise legitimate projects.

Methodical Targeting of the Software Ecosystem

Following the initial Shai-Hulud campaign, TeamPCP initiated successor operations, deploying unauthorized code like GlassWorm and the Mini Shai-Hulud variant. Security researchers note the group released open-source code for Shai-Hulud earlier this month, potentially as a strategy to scale operations, distribute its command-and-control infrastructure, and advertise a newly launched affiliate program.

Recently, TeamPCP claimed responsibility for an incident involving Grafana Labs. After a staff member downloaded a compromised VS Code extension, the threat actor gained unauthorized access to a GitHub environment, leading to the exposure of approximately 4,000 internal, private code repositories.

Ilkka Turunen, field chief technical officer at Sonatype, noted that this event confirms developers are now permanent targets in software supply chain incidents.

"TeamPCP has shown how a motivated attacker can move through the tools developers trust every day — open source packages, extensions, accounts, and credentials — rather than trying to break in through the front door," Turunen says.

Despite being tracked under its current branding for only a few months, TeamPCP has caused measurable disruption. However, its operational age may be longer than the group's name suggests. Some security tracking dates TeamPCP activity back to 2024. Individuals within cybercrime groups frequently hold multiple affiliations, migrating between threat brands when existing operations face law enforcement pressure or reputational changes.

Evaluating Capability: Methodology Over Complexity

Kevin Tian, CEO and co-founder of Doppel, observes that TeamPCP’s effectiveness stems from a clear understanding of modern trust relationships within software development environments.

"What stands out is less raw technical sophistication and more operational effectiveness," Tian states. "TeamPCP appears highly capable of combining social engineering, trusted-platform abuse, and AI-assisted reconnaissance to move faster than traditional security defenses were designed to handle. They're proving attackers no longer need advanced zero-days when they can compromise trusted identities, trusted tools, and trusted workflows instead."

This methodology reflects a broader trend among financially motivated groups targeting user trust rather than directly confronting hardened infrastructure. Similar mechanics appear in ClickFix campaigns, which rely on users trusting software prompts, and in the advancing techniques of social engineering.

Melissa Bischoping, head of threat research and intelligence at Tanium, indicates that TeamPCP’s trajectory illustrates the systemic risks inherent in developer-focused supply chain pipelines.

"Supply chain attacks on developer tooling have such favorable mechanics for the attacker that capable crews can score outsized impact, and that's most of what's going on here," Bischoping explains. "The Mini Shai-Hulud campaigns are among the first worms we've seen actually weaponize SLSA provenance attestation, and that shows technical depth and creativity, but I don't think they rise to the level of truly sophisticated overall. The rest of the operational pattern reads as mid-tier cybercrime with a good eye for targets and a great marketing strategy."

Operationally, TeamPCP mirrors DragonForce, a newer ransomware-as-a-service (RaaS) group known for its white-labeling model and strong marketing presence rather than entirely unique technical capabilities.

Charlie Eriksen, security researcher at Aikido Security, observes that TeamPCP leverages AI heavily to build its unauthorized components and draws significant inspiration from other threat actors.

"They don't really need to be sophisticated though, because once you have a publishing credential for a popular extension you've got a direct push channel into every machine running it," Eriksen notes. "They figured out early that open source developer tooling was a soft target, and they've just been hitting it consistently since."

Protective Measures for Developer Environments

Organizations can protect their infrastructure against groups like TeamPCP by hardening CI/CD pipelines and securing developer credentials. Recommended practices include auditing GitHub Actions workflows to identify and remove dangerous pull_request_target patterns, transitioning from long-lived Personal Access Tokens (PATs) to short-lived OIDC tokens, and maintaining strict, atomic token rotation protocols to prevent residual access windows during a suspected credential exposure.
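
One way to start the workflow audit recommended above, as an added example that is not part of the original article: a small scanner that flags workflows which trigger on pull_request_target and also check out the pull request's head, so that code from a fork runs in the base repository's context. It assumes a line-based regex heuristic rather than a full YAML parser; the function name audit_workflow and both sample workflows are constructed for illustration.

```python
import re

# Constructed sample workflows for illustration (not from any real repository).
RISKY = """\
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
"""
SAFE = """\
on: [pull_request_target]
permissions:
  pull-requests: write
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/labeler@v5
"""

# Trigger forms: "on: pull_request_target", "on: [a, pull_request_target]",
# a list item, or a mapping key under "on:".
TRIGGER = re.compile(r"^\s*(on\s*:.*\bpull_request_target\b|-?\s*pull_request_target\s*:?\s*$)")
# Checkout refs that resolve to the fork's code rather than the base branch.
HEAD_REF = re.compile(r"\bref\s*:.*(github\.event\.pull_request\.head\.(sha|ref)|github\.head_ref|refs/pull/)")
PERMS = re.compile(r"^\s*permissions\s*:")

def audit_workflow(text):
    """Return (line_number, finding) tuples for one workflow file's text."""
    lines = [l.split(" #")[0] for l in text.splitlines()]  # drop trailing comments
    if not any(TRIGGER.search(l) for l in lines):
        return []  # workflow does not use pull_request_target at all
    findings = [(n, "checks out pull request head under pull_request_target")
                for n, l in enumerate(lines, 1) if HEAD_REF.search(l)]
    if not any(PERMS.search(l) for l in lines):
        # Line 0 marks a file-level finding rather than a specific line.
        findings.append((0, "no explicit permissions block; token scope is the repository default"))
    return findings

if __name__ == "__main__":
    for name, text in (("risky.yml", RISKY), ("safe.yml", SAFE)):
        for line_no, finding in audit_workflow(text) or [(0, "no findings")]:
            print(f"{name}:{line_no}: {finding}")
```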

About the Author

Alexander Culafi is a Senior News Writer for Dark Reading, focusing on the cybercrime ecosystem, open-source security, and the intersection of AI and threat actors. Based in Boston, he earned a Bachelor of Science in journalism from Emerson College in 2016. His previous work has appeared on VentureFizz, Search Security, and Nintendo World Report, and he hosts the weekly Talk Nintendo Podcast. In addition to his cybersecurity reporting, he is the author of two self-published science fiction novels. His work has earned multiple industry recognitions, including TechTarget's Writer of the Year in 2022 and more than 10 Azbee awards between 2022 and the present.