Pluto · ResearchThe supply chain attack story so far - from a single stolen Personal Access Token in February to the May 20 compromise of GitHub itself. 32 incidents, one credential cascade, one threat group.
Aggregate self-reported by TeamPCP on the Breached forum (2026-03-30), tied to the Vect ransomware-partnership announcement.
Per-incident breakdown is not publicly disclosed. The Trivy → Telnyx cascade (March 19-27) is the dominant contributor, with smaller contributions from CanisterWorm, LiteLLM, OpenVSX, and the Mini Shai-Hulud waves.
Source: helpnetsecurity.com (Zeljka Zorz, 2026-03-30)
Aggregate self-reported by TeamPCP on the Breached forum (2026-03-30), same announcement post as the credentials figure.
Independent vendor confirmations cover slices of the total: Cisco (300+ private repos via ShinyHunters), Sportradar (161 client orgs), GitHub-internal (~3,800 repos). These counts are not directly additive into the 300 GB figure.
Source: helpnetsecurity.com (Zeljka Zorz, 2026-03-30)
No single source tells the whole story. Each vendor and independent researcher captures a different slice of it, and the slices don't always agree - dates differ, package counts differ, attributions differ, and disclosures get edited so the contradictions quietly disappear into the diff. Each source also surfaces details no one else captured.
This page is our attempt to pull the field's reporting together for one specific story - the TeamPCP / UNC6780 supply chain campaign - and reconcile it into a single coherent, auditable picture. Every factual claim traces to a citation. Every conflicting date or count between sources is surfaced not buried. Every link in the chain of compromise carries an evidence note and a confidence rating (confirmed / strong / hypothesized). Click any incident node for sources you can audit yourself.
Free, public, updated as new disclosures land. Found an error? Email support@pluto.security or reach Yotam Perkal ↗ directly. Corrections welcome and credited.
Two years of cryptomining via misconfigured Docker, Kubernetes, Ray and Redis instances let TeamPCP build the credential-harvesting and lateral-movement primitives - 50-plus filesystem paths, IMDS theft, Kubernetes service-account abuse - that would reappear in 2026's supply chain payloads.
An account called hackerbot-claw scans GitHub for repositories with pull_request_target workflow misconfigurations. On February 27 a user MegaGame10418 exploits the PwnRequest against Trivy and walks out with the aqua-bot PAT. Aqua tries to rotate the token on March 1 - but the rotation is non-atomic, and access persists.
TeamPCP force-rewrites nearly all of Trivy's release tags (76 of 77 per SANS and OSM; one dissenting source counts 75 of 76) to point at a 204-line credential stealer GTIG later names SANDCLOCK. Every CI/CD job that pulls Trivy for the next ~12 hours runs the stealer. 474 public repositories executed the malicious action. The tags still pass GitHub's 'Immutable' badge check.
Stolen npm tokens feed the self-propagating CanisterWorm - 66+ packages, first npm malware to use an ICP blockchain canister as C2. Stolen GitHub PATs hit Checkmarx KICS, OpenVSX extensions, and ast-github-action. Stolen PyPI tokens hit LiteLLM (95M monthly downloads, present in 36% of Wiz-monitored cloud environments). LiteLLM's own CI/CD credentials then hit Telnyx with WAV steganography. An Iran-targeted wiper detonates rm -rf / on standalone hosts.
Three days after Telnyx, the pace of new compromises slows. TeamPCP partners with Vect ransomware, the CipherForce coalition, and the LAPSUS$ extortion crew. Stolen credentials flow to ShinyHunters who use them to clone 300+ private Cisco repositories - including AI products and code belonging to bank, BPO, and US-government customers. By month-end Mandiant has documented 1,000+ compromised SaaS environments, projected to grow to 5,000-10,000.
Mini Shai-Hulud expands from TanStack (84 versions across 42 packages) to 170 packages across 19 namespaces in two weeks - including AWS-maintained @opensearch-project/opensearch and the Mistral AI clients on both npm and PyPI. On May 12, TeamPCP open-sources their own malware on GitHub ("A Gift From TeamPCP"), lowering the barrier to entry for copycats. By May 18-19, two compromised npm maintainer accounts republish 324 AntV ecosystem packages in two ~6-second automated bursts. Microsoft's durabletask PyPI client falls the same day.
A GitHub employee's laptop is compromised through a poisoned VS Code extension. The attacker exfiltrates around 3,800 of GitHub's own internal repositories (TeamPCP claims ~4,000) and lists them for sale on the Breached cybercrime forum for at least $50,000. 'As always, this is not a ransom - 1 buyer and we shred the data on our end.' On X, the account @xploitrsturtle2 posts: 'What an amazing run, it's been an honor to play around with the cats over the past few months.' Nobody has named the extension yet.
Each row is a package ecosystem. Each arrow is a stolen credential reused. Hover any incident to surface its connected lineage and the evidence on each arrow. Click for full sources. Yellow-starred arrows are the keystones that gate the largest blast radius.
Click a phase to jump the detailed graph below to that span. For the full story in prose, read the article →
Below: extended blast-radius numbers (474 repos, 1,705 packages, the 12-hour Trivy exposure window), the new tradecraft each wave introduced, the operator signatures researchers use to tie fresh compromises back to TeamPCP, and the partner ecosystem they monetize through.
Each compromise introduced or refined a technique. The pace of innovation is part of why this campaign matters more than the package count alone.
Force-pushing release tags to point at imposter commits in GitHub's object store - bypassing 'Immutable' badge.
First documented npm malware using an Internet Computer Protocol blockchain canister as C2 - no single takedown point.
Songs literally embedded as labels on C2 endpoints - operator signature unmistakable across waves.
Wiper payload runs `rm -rf /` only on systems with Iran-localized timezone/locale - hybrid financial + geopolitical signal.
Payload hidden inside .wav audio frames; XOR-decrypted to msbuild.exe at install.
Extracted OIDC tokens from /proc/<pid>/mem of Runner.Worker via cache-poisoning of GitHub Actions; bypassed SLSA Build Level 3.
Republished a plugin with the IDENTICAL version string as a legitimate older release - bypasses naive version-pin checks.
Payload propagates to up to 5 cloud machines per infected host via AWS Systems Manager SendCommand.
Compromised a GitHub employee's laptop via a poisoned VS Code extension; exfiltrated ~3,800 internal repos.
The texture that makes TeamPCP recognizable. Researchers can often tie a fresh compromise back to the group within hours using these markers.
Each C2 endpoint carries a different song. The "Bad Apple!!" track doubles as the anti-sandbox check.
Playlist first catalogued by Rami McCarthy (ramimac.me/teampcp) - timestamps and infrastructure mappings reproduced from his curated timeline.
The same RSA-4096 public key encrypts exfiltration bundles across LiteLLM 1.82.7 and 1.82.8, Telnyx 4.87.1 and 4.87.2, and onward. A second "Key B" appears in durabletask and guardrails-ai - clearly an evolution of the same campaign.
Found in the Trivy entrypoint.sh payload. Google GTIG formally names this malware family SANDCLOCK.
Researcher sandboxes typically hit the C2 from a fresh, unknown IP. TeamPCP returns a link to the "Bad Apple!!" YouTube video to those, and skips execution. The same song appears as the C2 label on checkmarx[.]zone.
Per-wave domains designed to pass a fast log review. Defenders looking at CI logs see "aquasecurtiy.org" and skim past it as the vendor's own domain.
| Squat domain | Imitates | Wave |
|---|---|---|
| scan.aquasecurtiy[.]org | aquasecurity.org | Trivy |
| checkmarx[.]zone | checkmarx.com | Checkmarx/KICS |
| models.litellm[.]cloud | litellm.ai | LiteLLM PyPI |
| git-tanstack[.]com | (TanStack official infra) | TanStack-adjacent |
| t.m-kosche[.]com | (AntV-adjacent) | AntV |
| check.git-service[.]com | (GitHub-adjacent) | durabletask |
TeamPCP harvests credentials. Other actors operationalize the access. This is the "supply-chain attack as a service" stack emerging on cybercrime forums.
Compromises supply chains, harvests credentials, then sells or partners access. Three formal partnerships + one cross-actor credential consumer documented to date.
partnership announced 2026-03-30 on BreachForums; one confirmed deployment using TeamPCP-sourced credentials at announcement
sourcelate-March 2026 coalition announcement
sourceSANS blog: 'collaborating with the LAPSUS$ extortion group to target multi-billion-dollar companies'
sourcecross-actor credential consumer; used TeamPCP-harvested credentials to access Cisco's GitHub environment (300+ private repos); NOT a formal partnership, but a downstream monetization customer
sourceA screenshot of the post (rendered via HackRisk.io threat-intel aggregator) shows the [Co-Owner]TeamPCP account advertising "Github's source code and internal orgs for sale" on the Breached forum. The author claims ~4,000 repos of private code, asks no less than $50K, and frames the operation as a clean transactional sale:
“As always this is not a ransom, we do not care about extorting Github, 1 buyer and we shred the data on our end, it looks like our retirement is soon so if no buyer is found we will leak it free.”
The self-framing (“not extorting”, “we shred the data”, “retirement is soon”) is operator PR, not a verifiable commitment. The same group is the supplier in this monetization graph: a documented partnership with the Vect ransomware crew (announced 2026-03-30), a partnership with the LAPSUS$ extortion group (per Mandiant + OSM), and a cross-actor credential pipeline into ShinyHunters' Cisco operation (300+ private repos). They also shipped the CanisterWorm wiper variant targeting Iran-locale Kubernetes nodes. The “clean single-buyer sale” framing is the reputational layer of an actor whose actual TTPs are partnership-with-extortionists + destructive payloads when locale matches.
Primary sources for the quote: The Hacker News and Bleeping Computer reporting on the Breached listing, plus the HackRisk.io render of the forum post itself.
Every action below is free, open-source, or a platform built-in, and implementable by one engineer in less than a day. Where a control would have prevented or caught a specific TeamPCP incident, we say so. Tooling recommendations are vendor-neutral; where an authoritative standard or official platform guide exists, we link to it alongside the OSS implementation.
Replace mutable tags (uses: org/action@v1) with the full 40-char commit SHA. ratchet is a vendor-neutral OSS CLI that rewrites the YAML for you, locally - no SaaS dependency. GitHub's own security-hardening guide (docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions) explicitly recommends this practice as the canonical reference. Mutable tags are the root vulnerability TeamPCP exploited against Trivy and KICS - this is the single highest-impact change you can make. Plus per Snyk's analysis: LiteLLM was compromised because its CI/CD pipeline fetched unpinned Trivy from apt - every defender on free-form `latest` is on borrowed time.
Replace SMS/TOTP 2FA with passkeys on every maintainer account on GitHub, npm, and PyPI. Per Okta's threat-intel analysis (2026-05-18): TeamPCP's July 2025 PyPI phishing and Sept 2025 npm 2FA-reset phishing both relied on the human-defeatable steps of phishable second factors. Passkeys are bound to a domain and can't be phished. Required for every account that can publish.
Per Snyk SAP CAP analysis: the entire Mini Shai-Hulud worm fires via npm `preinstall` hooks before any code review. Setting `--ignore-scripts` (with an explicit allowlist for packages that legitimately need them) neutralizes that vector globally. pnpm v10 ships secure-by-default lifecycle policies; switching package manager is an option for teams that want this enforced for them.
Per Okta's defender post: configure your package manager to refuse versions published less than N hours ago (pnpm has a 24h default available; for npm/PyPI you implement this via policy + lockfile review). The @antv mass-republish on May 19 lived on npm for ~22 minutes of automated burst; the SAP CAP wave was up for hours. A 24h cooldown would have caught both before they reached production builds.
Run `grep -r pull_request_target .github/workflows/` in every repo. Remove the trigger if it's not strictly needed; never check out PR code in a pull_request_target workflow. This trigger is the initial-access vector for the Feb 27 Trivy PwnRequest, the May 11 TanStack attack, and (per SANS) the earlier SpotBugs and Nx breaches.
On PyPI, configure Trusted Publishers so packages are publishable only from a specific GitHub Actions workflow on a specific repo. npm has a similar provenance/OIDC model. CRITICAL caveat per Snyk SAP CAP: the @cap-js packages were published via OIDC trusted publishing where the trust config accepted the entire `cap-js/cds-dbs` repo. Scope your OIDC trust to a specific workflow on a protected branch, NOT to a whole repo. Otherwise the worm just runs your trusted workflow.
Per Okta's defender post: require N approvals on every PR merge, and digitally sign every PR + commit. The TanStack PR #7378 (Mini Shai-Hulud initial vector) was a single-approver merge - multi-approval slows the attack and creates a paper trail. gitsign (Sigstore) gives free keyless signing tied to identity.
Hosted at deps.dev (Google) and scorecard.dev. Surfaces packages whose maintainers don't have 2FA enabled, whose actions aren't pinned, whose repos don't have branch protection. The cheap defender check is: if a package you depend on scores under 6/10, ask why before the next deploy.
CVE-2026-33634 (Trivy) was added to CISA's KEV catalog with an April 8 federal remediation deadline. If you're not already subscribed to the KEV RSS feed, that's a 60-second fix and gives you the canonical 'rotate now' signal for everyone downstream.
For each major TeamPCP incident, the one control that would have prevented or caught it - paired with the free tool that implements it.
| Incident | The control | Free tool / framework |
|---|---|---|
| Trivy main strike (Mar 19) | Pin GitHub Actions to commit SHA; verify action contents via in-toto attestation | ratchet (sethvargo, OSS) + GitHub security-hardening docs; Sigstore/cosign for attestation |
| Aqua incomplete rotation (Mar 1) | Atomic token rotation: revoke old before issuing new; verify with API list of active tokens | GitHub PAT API (`GET /orgs/{org}/personal-access-tokens`) |
| CanisterWorm (Mar 20) | Egress block to ICP canister C2 (raw.icp0.io); enforce npm package signature verification | OpenSSF Allstar; npm provenance (--provenance flag) |
| Checkmarx OpenVSX extensions (Mar 23) | Pin VS Code/OpenVSX extension versions in .vscode/extensions.json; disable auto-update | VS Code workspace settings (`extensions.autoUpdate: false`) |
| KICS GitHub Action (Mar 23) | Pin to commit SHA (same control as Trivy); deny push permissions to bot accounts post-publish | ratchet (sethvargo, OSS) + GitHub security-hardening docs |
| LiteLLM PyPI (Mar 24) | PyPI Trusted Publishers; `pip --require-hashes`; remove .pth files at install time | PyPI native; pip-audit; pip --require-hashes |
| Telnyx WAV steganography (Mar 27) | Static analysis of non-code files in package payload; behavior-based detection on install scripts | Sigma rules; Falco (CNCF) |
| TanStack OIDC theft (May 11) | Restrict pull_request_target cache write scope; alert on /proc/<pid>/mem reads by non-systemd processes | Falco / Tetragon; ratchet for cache pinning |
| DurableTask + AWS SSM (May 18) | AWS SSM permission audit; restrict SendCommand to specific role principals; isolate password manager from CI environment | AWS IAM Access Analyzer (free tier) |
| GitHub VS Code ext breach (May 20) | Endpoint EDR on developer workstations; allowlisted VS Code Marketplace extensions; review and pin developer-installed tools | Microsoft Defender for Endpoint; Wazuh (free OSS EDR) |
| PyPI phishing (July 2025) | Passkeys (FIDO2/WebAuthn) on every maintainer account; cooldown on metadata-driven outreach; harden support flows against 2FA-reset phishing pretexts | PyPI native passkey support + Okta-recommended phishing-resistant authentication |
| npm maintainer 2FA-reset phishing (Sept 2025) | Passkeys make phishing-pretext 2FA-resets meaningless; passkeys cannot be transferred via support reset | GitHub/npm native passkey support |
| Shai-Hulud source code open-sourced (May 12) | Detection-rule sharing; expect copycats with leaked code; treat every Mini-Shai-Hulud-family compromise May 12+ as actor-ambiguous when investigating | m4nbat 100_days_of_kql_2026 Day 17 detection rules; Sigma HQ community rules |
Every tool below is pure OSS, a platform built-in, or an authoritative standards/documentation reference. Vendor-neutral throughout, runs locally where applicable. If it costs money to use the listed feature, it isn't here.
OSS CLI that pins, updates, and verifies GitHub Action references against a full commit SHA. Vendor-neutral, runs locally.
GitHub's own canonical reference for hardening Actions usage. Explicitly recommends pinning to a full commit SHA, and covers OIDC, least-privilege scopes, and third-party action review. Authoritative source if you want to do the rewrite manually.
Built-in pnpm setting that refuses to install package versions less than N hours old. 24h is a good default - catches mass-republish waves like @antv (May 19, 22-minute burst) before they reach production.
FIDO2/WebAuthn-bound credentials for GitHub accounts. Would have stopped TeamPCP's 2FA-reset phishing pretext (Sept 2025 npm).
PyPI native 2FA; Trusted Publishers eliminates long-lived tokens entirely for CI publishing.
Vendor-neutral implementation patterns from Okta's developer arm.
Free signing for containers, blobs, attestations. The OpenSSF reference.
Verifiable build provenance metadata format used by SLSA.
Supply-chain integrity levels you can adopt incrementally.
ISO-standard SBOM format (ISO/IEC 5962). Vendor-neutral starting point.
OWASP SBOM format + tooling ecosystem. Vendor-neutral.
OSS CLI that generates SBOMs in either format from container images and filesystems.
Fast OSS Git-history secret scanner. MIT-licensed, runs locally.
OSS secret scanner with verified-finding mode. Used by the original Shai-Hulud worm; defenders should use it too.
Built into GitHub - free on public repos; enable the partner-token-revocation feature so leaked tokens get auto-rotated by the issuer.
Google's OSS scanner that pulls advisories from OSV.dev across npm, PyPI, Go, Maven, container images, and more. Pure OSS, runs locally.
OSS Python-dependency auditor against the OSV database. Maintained by PyPA + Trail of Bits.
Built into npm. Cheap and effective baseline.
Self-hosted SBOM analytics platform. OSS, OWASP project.
Automated assessment of repo security posture. OSS, OpenSSF project.
Container/host runtime security with default rules for IMDS access, /proc/mem reads, suspicious curl.
eBPF-based observability and runtime enforcement from Isovalent (now Cisco).
eBPF runtime security from Aqua (yes, the Trivy maintainers - they kept shipping).
Authoritative 'patch now' list. CVE-2026-33634 was added with an April 8 deadline.
Aggregated open-source vulnerability database from Google.
Browsable, machine-readable security advisories.
Community repo with Defender XDR KQL, Falco rules, Cortex XDR rule, FP-filtered IOC CSV. Tested in production.
Vendor-agnostic detection rules; community-contributed TeamPCP rules land here.
Microsoft Defender KQL queries for Bun + TruffleHog + /proc/mem chains. Cited by Snyk for Mini Shai-Hulud detection.
“Compromising a scanner can expose every secret accessible within that pipeline context.” - Cloud Security Alliance, on why CI/CD tool compromises carry exceptional risk. Pin your actions.
133+ indicators across 13 domains, 23 SHA-256 hashes, 4 malware families, 10MITRE ATT&CK techniques, and 9 other categories - filterable, searchable, and exportable to CSV. Plus a separate 25-entry actor profile of names and accounts, role-tagged (actor-owned / sock-puppet / hijacked / impersonation).
This microsite consolidates 15+ vendor and independent reports into a single auditable view of the TeamPCP / UNC6780 campaign: 32 sourced incidents, a 39-edge chain-of-compromise DAG with per-edge confidence ratings, 157+ attributed indicators, and an incident-mapped defender playbook. Where the source reports disagreed on dates, counts, or attributions, we reconciled the contradictions in the open. Specific contributions are credited inline next to the claims they source elsewhere on the site; the catalog of contributors below is the full list.
This list is curated. The Sources block below carries every URL cited across the site, grouped by host (50+ entries).
Every claim in this microsite traces to one of the references below.