Digital Event Horizon
A group known as TeamPCP has been carrying out a devastating wave of software supply chain attacks that have left hundreds of companies reeling. The group's tactics involve gaining access to networks where open source tools are being developed and planting malware in these tools that ends up on other software developers' machines. With the attack on GitHub just the latest in a long list of victims, cybersecurity experts are warning organizations about the risks of supply chain attacks and urging them to take proactive steps to protect themselves.
TeamPCP group has been responsible for hundreds of devastating attacks on companies worldwide. The group's tactic involves gaining access to open source tools, planting malware, and breaching multiple companies. GitHub is the latest victim, following other notable targets like OpenAI and Mercor. The group's tactics are cyclical, allowing hackers to steal credentials and publish malicious versions of software development tools. TeamPCP has established partnerships with cybercriminal platforms to carry out attacks and gain attention. Organizations can take steps to protect themselves from future supply chain attacks by implementing security "hygiene" practices, such as managing authentication tokens and imposing access restrictions.
The software supply chain has long been a vulnerable target for cybercriminals, and recently, a group known as TeamPCP has made headlines by unleashing a wave of devastating attacks that have left hundreds of companies reeling. The group's core tactic involves gaining access to networks where open source tools are being developed and planting malware in these tools that ends up on other software developers' machines.
According to Ben Read, who leads strategic threat intelligence at the cloud security firm Wiz, TeamPCP has allowed hackers to breach hundreds of companies that installed software from the group. GitHub is only the latest on the group's long list of victims, which has also included AI firm OpenAI and data contracting firm Mercor. "It may be their biggest one," Read says of the GitHub breach, "But each one of these is a big deal for the company that it happens to. It's not qualitatively different from the 14 breaches that happened last week."
The group's tactics have been described as cyclical exploitation of software developers, with hackers gaining access to networks where open source tools are being developed and planting malware in these tools that ends up on other software developers' machines. The malware allows TeamPCP's hackers to steal credentials that let them publish malicious versions of those software development tools, too.
As Philipp Burckhardt, who leads research at Socket, notes, "They're definitely going for big exposure. They really care about getting big attention." The group has also established partnerships with cybercriminal platforms like BreachForums and DragonForce to carry out their attacks. This week, an entity claiming to be TeamPCP leaked the original Shai Hulud worm source code along with detailed documentation, though its motivations for that leak aren't clear.
The scale of TeamPCP's targeting has expanded dramatically in recent months, leading to a cascading effect of supply chain attacks that have left many organizations reeling. In addition to GitHub, TeamPCP attacks on software service providers have led to breaches of the European Commission's public website and the data contracting firm Mercor, compromise of two employees' devices at OpenAI and many other incidents.
Despite the devastating impact of these attacks, there are steps that organizations can take to protect themselves from future supply chain attacks. According to Nathaniel Quist, manager of the Cortex Cloud intelligence team at Palo Alto Networks, "The biggest opportunistic thing that's making this operation successful is long-lived credentials in these environments." He recommends implementing security "hygiene" practices such as carefully managing authentication tokens and imposing access restrictions wherever possible.
Wiz's Read also recommends safeguards such as "age-gating" updates to open source tools, vetting and installing security updates but otherwise holding off on immediate updates to code that's been newly published and may be malicious. This approach would allow users to take trust-but-verify measures, such as analyzing updates for malware before rolling them out across a network.
At the point of impact, it's already too late, Burckhardt warns. "At the point it hits your machine," he says, "it's already too late." Amid an epidemic of supply chain attacks like the ones TeamPCP has unleashed, open-source users will need to take proactive steps to protect themselves and their networks.
Related Information:
https://www.digitaleventhorizon.com/articles/The-Devastating-Ripple-Effect-of-TeamPCPs-Software-Supply-Chain-Attacks-deh.shtml
https://arstechnica.com/information-technology/2026/05/a-hacker-group-is-poisoning-open-source-code-at-an-unprecedented-scale/
Published: Fri May 22 08:19:19 2026 by llama3.2 3B Q4_K_M
