TeamPCP has made a name for itself as a scourge of the open source community following later waves of the Shai-Hulud attacks, but the group’s attack history is less “sophisticated threat actor” and more “right place, right time” luck.
A financially motivated threat actor, TeamPCP formally emerged in late 2025, making a name exploiting the React2Shell vulnerability as well as targeting misconfigured Docker APIs and Next.js. As researchers from Flare recently noted, the group would historically use opportunistic compromises to conduct ransomware, steal data to turn around and sell, and mine cryptocurrency.
The group’s rise in notoriety this year came alongside its increasing focus on software supply chain compromises. Starting last summer, the Shai-Hulud worm ravaged the open source development ecosystem with its capacity to self-replicate and then poison developers downstream. If developers downloaded an open source node package manager (npm) component poisoned with Shai-Hulud, the worm would go on to infect any of the components that those developers contribute, uploading malicious updates to these otherwise legitimate components.
TeamPCP is widely believed to be one of the primary threat actors behind the Shai-Hulud attacks. Recent waves, such as the Mini Shai-Hulud campaign, have been attributed to TeamPCP, though sourcing on the original attacks last summer is unconfirmed. What remains clear is the significant damage TeamPCP’s activity has caused to the open source ecosystem in the last few months.
TeamPCP Rattles the Software Ecosystem
TeamPCP followed the initial Shai-Hulud with waves of successor attacks, including malware like GlassWorm, before ultimately releasing open source code for Shai-Hulud earlier this month. Researchers speculated that the threat actor did this as a way to scale Shai-Hulud’s potential (as TeamPCP’s command-and-control infrastructure was tied to the open source code), overwhelm defenders, and advertise an affiliate program the group had just launched.
And most recently, TeamPCP took credit for a compromise against GitHub, where an employee downloaded a poisoned VS Code extension that resulted in the theft of approximately 4,000 repositories of private code.
Ilkka Turunen, field chief technical officer at Sonatype, tells Dark Reading that this latest incident is a reminder that developers are now “permanent targets” in software supply chain attacks.
“TeamPCP has shown how a motivated attacker can move through the tools developers trust every day — open source packages, extensions, accounts, and credentials — rather than trying to break in through the front door,” Turunen says.
One of the more notable aspects about TeamPCP is that it threw such an aggressive wrench into the open source ecosystem despite being only a few months old as a group and not necessarily the biggest threat actor out there.
That said, its formal “age” may be misleading, as some researchers date TeamPCP activity to 2024, and threat actors don’t necessarily start their cybercrime careers with the forming of a new group. Rather, the individuals that make up a cybercrime outfit may carry multiple affiliations, and core members may jump from group to group as one threat brand stops being effective (such as via law enforcement compromise or reputational loss).
TeamPCP’s Cybercrime Success: Luck or Sophistication?
Kevin Tian, CEO and co-founder of Doppel, tells Dark Reading that the threat actor didn’t just get lucky. Rather, he says, TeamPCP understands how to exploit modern trust relationships inside software development environments.
“What stands out is less raw technical sophistication and more operational effectiveness,” Tian explains. “TeamPCP appears highly capable of combining social engineering, trusted-platform abuse, and AI-assisted reconnaissance to move faster than traditional security defenses were designed to handle. They’re proving attackers no longer need advanced zero-days when they can compromise trusted identities, trusted tools, and trusted workflows instead.”
The CEO calls this part of a larger trend among cybercriminals who are choosing to target user trust (such as the idea that an open source component with millions of downloads won’t be poisoned) rather than infrastructure directly. Elements of this trend can be seen elsewhere, such as in ClickFix attacks (which exploit a user’s trust in software prompts), and an increasing sophistication in social engineering attacks.
Melissa Bischoping, head of threat research and intelligence at Tanium, meanwhile says TeamPCP’s rise isn’t necessarily a question of sophistication or luck, but rather something that speaks to the realities of developer-focused supply chain attacks.
“Supply chain attacks on developer tooling have such favorable mechanics for the attacker that capable crews can score outsized impact, and that’s most of what’
s going on here,” she tells Dark Reading. “The Mini Shai-Hulud campaigns are among the first worms we’ve seen actually weaponize SLSA [Supply-Chain Levels for Software Artifacts, an OpenSSF security framework used to prevent tampering with software builds] provenance attestation, and that shows technical depth and creativity, but I don’t think they rise to the level of truly sophisticated overall. The rest of the operational pattern reads as mid-tier cybercrime with a good eye for targets and a great marketing strategy.”
In this way, TeamPCP is reminiscent of DragonForce, a newer ransomware-as-a-service (RaaS) group that gained prominence less because it was particularly sophisticated and more because it effectively marketed itself. DragonForce is a fairly prolific group best known for its white-labeling service, in which would-be cybercriminals can use their own branding on top of DragonForce infrastructure.
Charlie Eriksen, security researcher at Aikido Security, notes that TeamPCP is heavily inspired by other threat actors and heavily leans on AI in building its payloads. Similar to Bischoping’s comments, Eriksen observes that the gang’s tactics don’t exactly require sophistication.
“They don’t really need to be sophisticated though, because once you have a publishing credential for a popular extension you’ve got a direct push channel into every machine running it,” he explains. “They figured out early that open source developer tooling was a soft target, and they’ve just been hitting it consistently since.”

Comments are closed