TeamPCP — 20-Wave Supply-Chain Campaign Hits 500+ Tools, GitHub
AI relevance: TeamPCP's campaign directly targeted AI ecosystem infrastructure — LiteLLM API gateway, MistralAI SDK, CheckMarx KICS scanner, and the Mini Shai-Hulud worm that infects AI developer toolchains — making it the largest AI supply-chain attack campaign documented to date.
What happened
- WIRED reporting and Socket research reveal that TeamPCP has executed 20 distinct waves of supply-chain attacks in recent months, compromising 500+ open-source tools (over 1,000 counting all versions) — the longest-running supply-chain attack spree ever documented.
- The group's core tactic is a self-perpetuating flywheel: compromise one tool, steal credentials from infected developer machines, use those credentials to poison the next tool in the dependency chain. Wiz threat intelligence describes it as a "self-perpetuating supply chain worm cycle."
- The campaign reached its highest-profile target on May 21: GitHub itself was breached when a developer installed a poisoned VS Code extension. TeamPCP claims access to ~4,000 internal repositories; GitHub confirmed at least 3,800 compromised repos containing its own source code.
- TeamPCP has automated much of its operation via a self-spreading worm called Mini Shai-Hulud, which creates GitHub repositories containing encrypted credentials and the phrase "A Mini Shai-Hulud Has Appeared" — a deliberate reference to the original Shai-Hulud worm from September 2025.
- Last week, TeamPCP open-sourced the Shai-Hulud worm code on GitHub and ran a public "attack challenge" on BreachForums, inviting other actors to use it. Copycat clones have already appeared on npm, including a DDoS botnet variant.
- Confirmed victims span the AI/ML ecosystem: LiteLLM (AI API gateway), MistralAI SDK, CheckMarx KICS (IaC scanner), Trivy (Aqua's vulnerability scanner, the initial credential theft vector), AntV (data visualization), Microsoft durabletask Python SDK, the Telnyx SDK, TanStack, PyTorch Lightning, and Firescale malware toolkit.
Why it matters
- The attack has transitioned from targeted supply-chain compromise to automated, self-spreading worm propagation — a fundamentally different threat class for the AI/ML open-source ecosystem.
- The GitHub breach means the platform that hosts the packages, CI/CD runners, and developer workflows for most open-source AI tooling is itself compromised. Trust in the entire npm/PyPI/GitHub triad is affected.
- The LiteLLM compromise alone exposed a single point of failure for organizations using it as a unified gateway to OpenAI, Anthropic, and Azure — meaning one poisoned package gave attackers access to credentials across multiple AI providers simultaneously.
- The open-sourcing of Shai-Hulud lowers the barrier to entry: any actor can now fork the code, swap a C2 endpoint, and publish a typosquatted package. The cost of mounting a supply-chain worm attack has dropped from "nation-state capable" to "script kiddie with an npm account."
What to do
- Audit your dependency trees for all packages in TeamPCP's known compromise list — LiteLLM, MistralAI SDK, AntV, PyTorch Lightning, Microsoft durabletask, TanStack, Telnyx SDK, Trivy, KICS, and any packages with "mini-shai-hulud" references.
- Search GitHub repositories and CI logs for the string "A Mini Shai-Hulud Has Appeared" or "A Mini Sha1-Hulud has Appeared" (both variants exist).
- Rotate all API keys, credentials, and tokens on machines that may have installed affected packages — particularly AI provider keys (OpenAI, Anthropic, Azure OpenAI) and cloud credentials.
- Pin dependency versions and use lockfiles with integrity hashes; consider deploying registry monitoring tools (Socket, OX Security, Mondoo) to detect new malicious package uploads in real time.
- Review VS Code extension allowlists — the GitHub breach originated from a poisoned extension, not a package registry compromise.
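An added example (not from the cited reports or any vendor tool) covering two of the steps above: it searches log or repository text for both marker spellings and lists entries in an npm `package-lock.json` that lack an `integrity` hash. The lockfile layout assumed is npm's v2/v3 `packages` map; the function names, sample log lines and sample lockfile are constructed for illustration.

```python
import json
import re
from pathlib import Path

# Both marker spellings quoted on this page ("Shai"/"Sha1", "Has"/"has"),
# matched case-insensitively with i/1 treated as interchangeable.
MARKER = re.compile(r"a mini sha[i1]-hulud has appeared", re.IGNORECASE)

def find_markers(lines):
    """Return (line_number, text) for each line containing the worm marker."""
    return [(n, ln.strip()) for n, ln in enumerate(lines, 1) if MARKER.search(ln)]

def scan_tree(root, suffixes=(".log", ".txt", ".md", ".json", ".yml", ".yaml")):
    """Walk a checkout or CI log directory; map each file path to its hits."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in suffixes:
            found = find_markers(path.read_text(errors="replace").splitlines())
            if found:
                hits[str(path)] = found
    return hits

def unpinned_entries(lock):
    """List package-lock.json (v2/v3) entries that have no integrity hash."""
    missing = []
    for name, meta in lock.get("packages", {}).items():
        if name == "" or meta.get("link"):  # root project / workspace symlink
            continue
        if not meta.get("integrity"):
            missing.append(name)
    return sorted(missing)

# Constructed sample input, not taken from a real incident.
SAMPLE_LOG = [
    "2025-01-01T00:00:00Z step=install ok",
    "repo description: A Mini Shai-Hulud Has Appeared",
    "repo description: A Mini Sha1-Hulud has Appeared",
]
SAMPLE_LOCK = json.loads("""{"lockfileVersion": 3, "packages": {
  "": {"name": "demo"},
  "node_modules/pinned-pkg": {"version": "1.0.0", "integrity": "sha512-CONSTRUCTED"},
  "node_modules/unpinned-pkg": {"version": "2.0.0"}}}""")

if __name__ == "__main__":
    print(find_markers(SAMPLE_LOG))
    print(unpinned_entries(SAMPLE_LOCK))
```

Point `scan_tree` at an exported CI log directory or a repository checkout; a hit is a lead for triage and credential rotation, not proof of compromise on its own.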
Sources
- WIRED — A Hacker Group Is Poisoning Open Source Code at an Unprecedented Scale
- VentureBeat — GitHub confirms 3,800 repos stolen through poisoned VS Code extension
- SiliconANGLE — Forcepoint details TeamPCP supply chain attack that turned LiteLLM into a credential stealer
- Mondoo — When Worm Source Code Goes Open Source: The Shai-Hulud Clones Arrive
- TechCrunch — Hackers have compromised dozens of popular open source packages in an ongoing supply-chain attack