Wiz — TeamPCP Hits @antv npm Namespace, GitHub Actions, and VSCode

AI relevance: AI developer tooling and agent frameworks commonly depend on @antv visualization libraries and automated GitHub Actions — compromised packages give attackers a direct pipeline into AI development environments and CI/CD secrets.

Wiz Research published a report today documenting a fresh wave of the Mini Shai-Hulud supply chain campaign, hitting npm packages in the @antv namespace, the actions-cool/issues-helper GitHub Action, and the nrwl.angular-console VSCode extension (v18.95.0).

Key details

  • Multi-component infection: Malicious npm packages trigger a multi-stage chain that retrieves secondary payloads from orphaned GitHub commits — a detection-evasion technique designed to keep payloads off the main branch.
  • bun as execution vector: The malware uses bun to install and execute secondary payloads, a shift from pure Node.js execution that may evade some security tooling focused on npm behavior.
  • Broad credential harvesting: Stolen artifacts include GitHub tokens, SSH keys, cloud credentials, and browser-stored secrets — the standard TeamPCP playbook for developer environment compromise.
  • GitHub-based exfiltration: Data is exfiltrated through attacker-created public GitHub repositories generated from the victim environment, with repos created under the description "niagA oG eW ereH :duluH-iahS" (the string "Shai-Hulud: Here We Go Again" written backwards).
  • Persistent Python backdoor: A Python backdoor is installed at ~/.local/share/kitty/cat.py, polling api.github.com/search/commits?q=firedalazer every 5 minutes for signed C2 messages. When valid instructions arrive, it retrieves and executes remote Python code.
  • Persistence mechanisms: macOS persistence via ~/Library/LaunchAgents/com.user.kitty-monitor.plist; Linux via ~/.config/systemd/user/kitty-monitor.service.
  • Attribution: Wiz attributes the activity to TeamPCP based on infrastructure overlaps, malware functionality, and operational patterns matching previous Mini Shai-Hulud waves.

Why it matters

This is the latest escalation in TeamPCP's ongoing campaign — the group has now compromised PyPI (LiteLLM), npm (@antv, TanStack, PyTorch Lightning, Node-IPC), GitHub Actions, and VSCode extensions in a coordinated multi-ecosystem assault. The use of orphaned commits for payload hosting and GitHub-based exfiltration represents sophisticated operational security. AI development teams are particularly exposed because they typically have broad access to cloud credentials, API keys, and model provider tokens on developer workstations.

What to do

  • Audit developer workstations and CI/CD runners for @antv package versions installed around May 19; check for the ~/.local/share/kitty/cat.py backdoor file.
  • Search GitHub org repos for unauthorized repositories with the "niagA oG eW ereH :duluH-iahS" description pattern.
  • Block m-kosche.com (185.95.159.32) and monitor for firedalazer commit search queries in GitHub audit logs.
  • Rotate all GitHub tokens, SSH keys, and cloud credentials from any potentially affected developer environments.
  • Pin dependency versions in CI/CD pipelines and enable package allowlisting to prevent future supply chain injection.
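
The workstation audit in the first item above can be scripted. The following is an added example, not code from the Wiz report: it checks home directories for the backdoor file and the two persistence files named in this brief. The function names and the default list of home roots (/home, /Users, /root) are assumptions.

```shell
#!/usr/bin/env bash
# Added example: look for the file artifacts listed in this brief.
# Paths are from the brief; function names are illustrative.

# Artifact paths, relative to a user's home directory.
IOC_PATHS='.local/share/kitty/cat.py
Library/LaunchAgents/com.user.kitty-monitor.plist
.config/systemd/user/kitty-monitor.service'

# scan_home DIR: print "HIT <path>" for each artifact present under DIR.
# Returns 0 when none are present, 1 otherwise.
scan_home() {
    local home="$1" found=0 rel
    while IFS= read -r rel; do
        # -L also catches a dangling symlink left at the path.
        if [ -e "$home/$rel" ] || [ -L "$home/$rel" ]; then
            echo "HIT $home/$rel"
            found=1
        fi
    done <<EOF
$IOC_PATHS
EOF
    return "$found"
}

# scan_all DIR...: scan each existing directory once, print a summary
# line, and return non-zero if any home holds an artifact.
scan_all() {
    local affected=0 seen=":" dir
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        case "$seen" in *":$dir:"*) continue ;; esac
        seen="$seen$dir:"
        scan_home "$dir" || affected=$((affected + 1))
    done
    echo "affected_homes=$affected"
    [ "$affected" -eq 0 ]
}

# Default run: current user plus the usual Linux and macOS home roots.
scan_all "${HOME:-}" /home/* /Users/* /root || true
```

Run it as root so other users' home directories are readable. A hit marks the host as affected for the credential rotation step listed above.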
