TeamPCP Takes Cover by Releasing Source Code on GitHub, Spurs Copycats
The first half of this year has been marked by a series of attacks on supply chains in the npm and PyPi ecosystems—and the culprit is TeamPCP, which stepped up the attacks as the months rolled on. But there have been few details on the source code behind the attacks—until now, when a repository was published for a short time on GitHub.
The first TeamPCP-driven attacks were Trivy and Checkmarx KICS tag hijackings executed in March. Those were followed by LiteLLM PyPl poisoning then TanStack and UiPath npm compromises. The attacks prompted some fairly deep open source analysis of the compiled payloads and their behavior. The campaign relied on obfuscated 2.3 MB JavaScript bundles and OIDC token abuse, as well as Runner. Worker memory extraction and AES-256-GCM encrypted exfiltration to a series of domains that mimicked legit open source projects.
But the source code behind the campaign remained a mystery. Until last week, OX Security said, TeamPCP went open source and the copycats pounced. “The group behind Shai-Hulud has leaked their own malware code to GitHub, and independent threat actors have already begun modifying it and expanding its reach,” OX Security explained, noting TeamPCP escalation.
The group was “spreading not just their malware, but their own source code, using what appear to be compromised GitHub accounts,” OX Security said, pointing to two active repositories with more expected and at least initially monitorable in a GitHub link titled “A Gift From TeamPCP.”
Though the real gift seems to have been to themselves, creating cover for their own actions. Noting that “the operators of Shai-Hulud may have released their source code to obfuscate attribution and distribute offensive capabilities,” Jason Soroko, senior fellow at Sectigo, says that “by providing the code alongside deployment instructions, the developers establish plausible deniability where subsequent attacks cannot be definitively linked to their group.”
As Ben Ronallo, principal cybersecurity engineer at Black Duck, stressed, “This wasn’t a leak; this was a deliberate action by the group.”
It’s a ploy that has worked well for other groups but has spawned dangerous copycats. “Actions like this in the past have triggered a proliferation of variants as independent actors modify the base code for their own objectives,” says Soroko. “For defenders, this fragmentation multiplies the threat surface. Security teams must shift from tracking a single adversary to defending against a decentralized network of copycats, making threat intelligence and incident response much more difficult.”
And that seems to be bearing out here as well. GitHub apparently removed the TeamPCP repositories quickly but not in time to prevent the spread to other miscreants.
“TeamPCP is turning the knob up to 11 on their activities by releasing this to anyone who wants to use it,” says Ronallo. “This has resulted in BreachForums sponsoring a Supply Chain Compromise Contest. These two events together will bring about a period of innovation for Shai Hulud, likely spawning several variants of the malware.”
In the case of Shai-Hulud, says Soroko, “the exposure of tactics targeting AI developer environments will serve as a template” with the code’s availability ensuring “that specialized exploitation techniques will become standardized tools for unspecialized attackers.”
That puts pressure on defenders, especially those at organizations not wholly up to speed.
“For defenders, the aim is clear: This is an attempt to overwhelm organizations that are not prepared,” says Ronallo.
“File hashes of the open-sourced code are unlikely to be effective as well as any of the compiled packages unless it’s against a pre-installer,” he says. “The compiled packages appear to be obfuscated in a manner designed to render file hashing techniques ineffective.”
In that case, “defenders will need to rely on heuristic detections (unusual egress traffic, anomalous credential file access, etc.), which are often less accurate,” and they “should start preparing for a sustained and significant spike in supply chain compromise activity resulting from both the open sourcing and the BreachForums contest.”
At organizations, too, “the response should be to assume that Shai-Hulud-style supply-chain attacks will keep mutating,” says Jonathan Stross, senior product manager, cybersecurity R&I at Pathlock.
“Teams should isolate and rebuild affected developer and CI systems, rotate exposed credentials, restrict OIDC trusted publishing to tightly scoped workflows and protected branches, pin and review GitHub Actions, monitor package install behavior, and treat build pipelines as production-grade attack surfaces,” Stross says.
