The Poisoning of Open Source Code

Software supply chain attacks used to be scary but rare. A theoretical nightmare for cybersecurity folks who feared the day legitimate code would turn traitor. Then it actually happened. Once or twice.

Now? It’s Tuesday. And the nightmares are here, running on a tight weekly schedule. One group specifically, TeamPCP, is making a hobby of corrupting the tools everyone else builds their work on. Hundreds of open-source packages have been tainted. The trust in the ecosystem is cracking under the weight of pure opportunism.

The GitHub Breach

Tuesday night broke news of the latest victim: GitHub itself. The platform announced a breach that started small enough to be almost embarrassing. A developer installed a VSCode extension. It was poisoned. A tiny plug-in for Microsoft’s code editor became the key that unlocked the front door.

TeamPCP slipped through.

They claim to have gotten their hands on about 4,000 repositories. GitHub confirmed at least 3,880 were compromised. Good news? They seem to only contain GitHub’s internal code. Bad news? Look at how easy that was.

On BreachForums, the hackers didn’t hide. They advertised.

“We are here today to advertise GitHub source code and internal orgs… Everything for the main platform is here… I am happy to send samples.”

It wasn’t just posturing. It’s a business model now.

The Flywheel

This isn’t an isolated incident. Socket, a firm that watches supply chains for blood in the water, says TeamPCP has run twenty separate “waves” in just a few months. More than 500 distinct software pieces have been hijacked. Thousands of versions.

Ben Read at Wiz calls it a “flywheel of supply chain compromises.” The cycle is brutal and efficient. The hackers get into one developer’s network. They poison a tool that other developers use. Those developers unknowingly pull in the malware. Now the hackers have access to more developers. Stealing more credentials. Hacking more tools.

It’s self-perpetuating.

They breach OpenAI. They hit Mercor. They breach GitHub. It’s the same playbook. Different target.

“It is not qualitatively different,” Read said of the latest hack. “But it is their biggest one.”

The group even automated it. They’re using a worm they call “Mini Shai-Hulud.” A reference to Frank Herbert’s Dune. The worm drops encrypted stolen credentials with the message “A Mini Shai-Hulud Has Appeared” embedded in the files.

Do they care if you notice? Not in the least.

They want attention. Their dark-web site has Matrix-style cascading code in the background, reggae music, and the slogan: “The Cats Hijacking Your Supply Chain.” It’s theatrical. It’s branding.

The Machine Grows

This started differently. In late 2025 they were just exploiting misconfigs and Next.js vulnerabilities to mine crypto. Simple stuff. Then they realized they could grab static credentials. Passwords. Access tokens.

Suddenly the machine could grow itself.

“It has been like wildfire,” Nathaniel Quist at Palo Alto Networks said.

They found one token. It got them into another server. They grabbed a bigger token. Then they grabbed another. They figured out that access tokens live long. People don’t change them. Why bother? It’s inconvenient.

That inconvenience is what TeamPCP sells.

They sell data. They deploy ransomware. In the GitHub case, they said it wasn’t ransom. They didn’t want money from GitHub directly. They wanted to sell the data to one buyer. And shred it afterwards. But they added a threat. “No buyer means we leak it free.”

Maybe they are running out of time. “Our retirement is soon.” A cryptic note.

The tactics have grown sophisticated. They partner with ransomware platforms like DragonForce. They even deployed a geographic wiper, CanisterWorm, that destroyed only Iranian targets. Is it politics? Profit? It feels like both.

The Mess We’re In

March was when it went critical. They compromised the security scanner Trivy. Used the creds to hijack LiteLLM. Tainted Checkmarx infrastructure. Hit Mistral AI. The cascade effect means that fixing one thing rarely fixes the problem. The damage spreads sideways.

The European Commission website was breached. Employees at OpenAI had compromised devices. The list keeps getting longer.

Is there a fix? Not a simple one.

You need to practice hygiene. Harsh word for password management but it’s all that stands between you and the abyss. Rotate your tokens. Even the ones you don’t use. Especially those. GitHub personal access tokens? Rotate them. AWS, Azure, Google Cloud, Oracle? Rotate them too.

If you have long-lived credentials sitting in your environment, you are leaving the front door wide open.

“Rotate them,” Quist said.

Then there is the software itself. Wiz’s Ben Read suggests “age-gating” your updates.

Wait a minute before you install the newest package. Check it. Maybe run a scan. Auto-update is dangerous when your source of updates has been poisoned. Some users of the compromised tool downloaded the bad update automatically within minutes of it going live. The malware got them before the alert did.

You don’t get to install the fresh version anymore. You have to verify it. Trust but verify has moved from a Cold War slogan to a survival requirement for developers.

At the point it hits your hard drive?

Too late.
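
One way to apply the age-gating advice above, as an added example (not code from the article, Wiz or any tool it names): pick the newest release whose files have all been public for a minimum window. The record layout follows the `releases` object of PyPI's JSON API; the 7-day window, the function names and the sample data are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like "releases" from https://pypi.org/pypi/<project>/json.
# Versions and timestamps are made up for this example.
SAMPLE_RELEASES = {
    "1.4.0": [{"upload_time_iso_8601": "2026-01-02T10:00:00Z", "yanked": False}],
    "1.4.1": [{"upload_time_iso_8601": "2026-02-10T09:30:00Z", "yanked": False},
              {"upload_time_iso_8601": "2026-02-10T09:31:00Z", "yanked": False}],
    "1.4.2": [{"upload_time_iso_8601": "2026-03-01T08:00:00Z", "yanked": True}],
    # An old release that gained an extra file yesterday: treat it as fresh.
    "1.4.3": [{"upload_time_iso_8601": "2026-03-05T08:00:00Z", "yanked": False},
              {"upload_time_iso_8601": "2026-03-19T22:10:00Z", "yanked": False}],
    "1.5.0": [{"upload_time_iso_8601": "2026-03-19T23:50:00Z", "yanked": False}],
    "1.5.1": [],  # version exists but has no files
}


def _parse(ts):
    """Parse the registry's UTC timestamp into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def newest_upload(files):
    """Latest upload time among a release's files."""
    return max(_parse(f["upload_time_iso_8601"]) for f in files)


def release_age_ok(files, now, min_age):
    """True only if the release has files, none is yanked, and every
    file (not just the first) has been public for at least min_age."""
    if not files or any(f.get("yanked") for f in files):
        return False
    return now - newest_upload(files) >= min_age


def pick_gated_version(releases, now, min_age_days=7):
    """Return the most recently published release that passes the gate,
    or None if nothing is old enough yet. Ordering is by upload time,
    so no version-string parsing is needed."""
    min_age = timedelta(days=min_age_days)
    eligible = {v: f for v, f in releases.items()
                if release_age_ok(f, now, min_age)}
    if not eligible:
        return None
    return max(eligible, key=lambda v: newest_upload(eligible[v]))


if __name__ == "__main__":
    now = datetime(2026, 3, 20, 12, 0, tzinfo=timezone.utc)
    print(pick_gated_version(SAMPLE_RELEASES, now))
```

Pin the version this returns in a lockfile with hashes, so a later change to the same version number cannot slip in unnoticed.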