News · May 22, 2026 · 4 min read

TeamPCP has poisoned 500+ open source tools in 20 waves

A single hacker group has launched the longest-running supply chain attack spree ever, hitting GitHub, OpenAI, and hundreds of companies. Here's how they're doing it and what you need to rotate today.

Our Take

TeamPCP isn't a sophisticated breach—it's a credential-harvesting flywheel that works because developers treat authentication tokens like permanent fixtures.

Why it matters

Open source underpins every software stack. When the same group can pivot from one compromised tool to the next using stolen credentials, the entire dependency chain becomes an attack surface. This is no longer theoretical; it's weekly operational reality.

Do this week

Infrastructure team: rotate all GitHub, GitLab, AWS, Azure, GCP, and Alibaba personal access tokens and cloud credentials this week, regardless of whether you use LiteLLM or any named victim tool, because long-lived credentials are what enable the cascade.

How TeamPCP turned open source into a self-spreading attack

On Tuesday, GitHub confirmed that a developer had installed a poisoned VSCode extension, giving TeamPCP access to approximately 3,800 of its repositories. The group claims 4,000 repositories and has already advertised GitHub's source code on BreachForums, a dark web marketplace for cybercriminals.

This is one incident in what cybersecurity firm Socket calls 20 "waves" of supply chain attacks in just a few months. TeamPCP has hidden malware in over 500 distinct pieces of open source software, affecting hundreds of companies that installed the tainted code. Victims include AI firm OpenAI, data contracting firm Mercor, the European Commission's public website, and dozens of software service providers (per Ben Read, who leads strategic threat intelligence at Wiz).

TeamPCP's method is mechanical. Hackers compromise a network where a widely used open source tool is developed (a VSCode extension, the data visualization library AntV, the security scanner Trivy, or the Python package LiteLLM). They plant an infostealer. The malware harvests developer credentials—personal access tokens, API keys, authentication secrets. Those stolen credentials let TeamPCP publish malicious versions of other tools. The cycle repeats. "It's a flywheel of supply chain compromises," Read says. "It's self-perpetuating."

Recently, TeamPCP automated portions of this attack using a self-spreading worm named Mini Shai-Hulud (per reporting from Socket and Palo Alto Networks). The worm creates GitHub repositories filled with encrypted stolen credentials. No human coordination required for each new wave.

TeamPCP emerged in late 2025 targeting cloud misconfigurations and Next.js vulnerabilities. By March, the group shifted to supply chain poisoning and has since expanded its revenue model: partnerships with ransomware-as-a-service platforms BreachForums and DragonForce in April, data extortion campaigns, and outright sale of stolen code on dark web forums. For GitHub, the group posted "this is not a ransom" while threatening to leak the data for free if no buyer emerges—a veiled coercion tactic.

The credential problem swallows every other security control

Open source has no moat against this attack. The malware lives inside legitimate tools. Users install updates from trusted repositories. By the time a tool is detected as compromised, it has already propagated to thousands of machines.

Wiz detected one recent malicious TeamPCP update and warned customers within minutes. Many had auto-updates enabled and had already downloaded it. "You don't want to just install the freshest version all the time," Read says. Even with institutional vigilance, the attack succeeds because credential theft is the mechanism.

Nathaniel Quist, manager of Palo Alto Networks' Cortex Cloud intelligence team, names the actual vulnerability: "The biggest opportunistic thing that's making this operation successful is long-lived credentials in these environments." Once TeamPCP steals a personal access token or API key, it doesn't need to re-exploit the same tool. One credential can pivot across an entire organization's infrastructure—GitHub, GitLab, AWS, Azure, cloud registries, internal services. The attacker's reach scales with the victim's trust model, not TeamPCP's technical sophistication.

This is why GitHub's breach, OpenAI's compromise, and each of the 14 other breaches last week are structurally identical. The tool matters less than the fact that developers have embedded permanent secrets in their environments and never rotated them.

Two urgent mitigations; one structural problem

Rotation first. Palo Alto Networks and Wiz both recommend immediate rotation of all authentication tokens and credentials across GitHub, GitLab, AWS, Azure, GCP, Alibaba, and Oracle. This includes personal access tokens, API keys, and service account credentials. The compromise list is long and growing. Rotation breaks the chain even if malware already exfiltrated old secrets.

Cool-down periods on open source updates. Don't auto-install fresh versions of open source packages immediately after release. Ben Read recommends "age-gating" updates—vet and install security patches, but wait days or weeks before rolling out recently published feature releases. Philipp Burckhardt at Socket advises analyzing updates for malware before deployment: "At the point it hits your machine, it's already too late."
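One way to implement the age-gating described above, as an added example that is not from Socket, Wiz or the original article: it picks the newest release that has been public longer than a cool-down window, using constructed metadata shaped like the `releases` map in PyPI's JSON API. The package history, the `vetted` allow-list for reviewed security patches and all function names are assumptions for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like the "releases" map of PyPI's JSON API.
# Versions and timestamps are invented for this example.
SAMPLE_RELEASES = {
    "1.4.0": [{"upload_time_iso_8601": "2026-03-02T10:15:00.000000Z", "yanked": False}],
    "1.4.1": [{"upload_time_iso_8601": "2026-04-20T08:00:00.000000Z", "yanked": False}],
    "1.5.0": [{"upload_time_iso_8601": "2026-05-10T12:00:00.000000Z", "yanked": True}],
    "1.5.1": [{"upload_time_iso_8601": "2026-05-21T23:40:00.000000Z", "yanked": False}],
    "1.6.0": [],  # version registered, no files uploaded
}

def _parse(ts):
    # Normalise the trailing "Z" so older Python versions can parse it.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def _version_key(version):
    # Simplification: only plain numeric versions are considered, so
    # pre-releases such as "2.0.0rc1" are never selected.
    parts = version.split(".")
    return tuple(int(p) for p in parts) if all(p.isdigit() for p in parts) else None

def release_age_gate(releases, now, cooldown_days, vetted=frozenset()):
    """Return (version_to_pin, held_back_versions).

    A release is eligible once every file in it is older than the
    cool-down, or when it is listed in `vetted` (a hypothetical allow-list
    of security patches a human has reviewed).
    """
    cutoff = now - timedelta(days=cooldown_days)
    eligible, held = [], []
    for version, files in releases.items():
        key = _version_key(version)
        if key is None or not files or any(f.get("yanked") for f in files):
            continue
        # A file added later to an old version resets that version's clock.
        newest_file = max(_parse(f["upload_time_iso_8601"]) for f in files)
        if newest_file <= cutoff or version in vetted:
            eligible.append((key, version))
        else:
            held.append(version)
    best = max(eligible)[1] if eligible else None
    return best, sorted(held, key=_version_key)

if __name__ == "__main__":
    now = datetime(2026, 5, 22, 12, 0, tzinfo=timezone.utc)
    print(release_age_gate(SAMPLE_RELEASES, now, cooldown_days=14))
```

The returned version is what would go into a pinned requirements or constraints file; the held-back list is what a reviewer would inspect before adding an entry to `vetted`.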

Neither of these mitigations solves the underlying problem: open source maintainers lack the resources and legal leverage to enforce secrets rotation across their user base, and most organizations treat developer credentials as static. TeamPCP's success will continue as long as a single compromised credential can open access to dozens of downstream projects and infrastructure accounts. Until teams rotate credentials as operational routine (not once-per-incident), the flywheel will keep spinning.
