Longest-Running Supply Chain Poisoning Campaign Hits GitHub, 3,800 Repos Stolen
TeamPCP's self-replicating worm compromised seven waves of open-source infrastructure in nine weeks, evading every CVE scanner and provenance system in production.
GitHub confirmed on 20 May that a poisoned VS Code extension on an employee device led to the exfiltration of approximately 3,800 internal repositories, the latest escalation in what security researchers now describe as the longest-running supply chain attack campaign on record.
The breach, attributed to cybercrime group TeamPCP (aka UNC6780), involved Nx Console version 18.95.0, published to the VS Code marketplace on 18 May. The extension contained a Python backdoor that harvested GitHub personal access tokens, npm credentials, and cloud service keys from developer workstations, according to Sophos. GitHub stated that “the activity involved exfiltration of GitHub-internal repositories only” and that the attacker’s claims of 3,800 repositories were “directionally consistent” with their investigation.
TeamPCP has since listed GitHub’s source code for sale at $50,000, with joint extortion offers reaching $95,000 in collaboration with LAPSUS$ affiliates, per The Hacker News.
Seven Waves Since March
The GitHub breach is the seventh documented wave of TeamPCP’s Mini Shai-Hulud campaign, a self-replicating worm that automates supply chain attacks by stealing CI/CD credentials and using them to publish infected versions of downstream packages. The campaign began on 19 March with the compromise of Trivy, Aqua Security’s vulnerability scanner, via GitHub Actions runner memory extraction, according to Phoenix Security.
Subsequent waves targeted Checkmarx’s KICS security scanner, the LiteLLM AI middleware library (97 million monthly downloads), the Telnyx SDK, and Microsoft’s DurableTask Azure workflow framework. On 11 May, attackers published 84 malicious versions across 42 @tanstack/* npm packages in a coordinated strike that also compromised 170 npm packages and 2 PyPI packages — 404 malicious versions total, per SafeDep. The same day, OpenAI disclosed that two employee devices were compromised, forcing rotation of iOS, macOS, and Windows code-signing certificates.
Zero CVE Coverage, Zero Provenance Alerts
Not a single CVE identifier exists for any package across the entire campaign, despite affecting infrastructure used by millions of developers. Traditional vulnerability scanners failed because the malicious code executed during build time rather than runtime — extracting credentials from CI/CD environments before any application code ran, according to Trend Micro.
SLSA provenance attestations, the industry standard for supply chain integrity, also failed to detect the compromises. In the TanStack attack, malicious versions carried valid GitHub-signed SLSA attestations because the poisoned code was published through legitimate GitHub Actions workflows using stolen OIDC tokens, per ThreatLocker. The attestations confirmed the packages came from the correct repository — they just didn’t detect that the repository itself had been compromised.
Credential Theft at Industrial Scale
The campaign’s payloads target GitHub personal access tokens, npm publishing tokens, AWS/Azure/GCP credentials, SSH keys, Kubernetes secrets, database connection strings, and cryptocurrency wallet keystores. The malware scans developer workstations and CI/CD environments for configuration files, environment variables, and credential stores, exfiltrating everything to command-and-control infrastructure before injecting itself into build pipelines.
“Developer workstations are the number one target in supply chain attacks right now, and this is exactly why,” Mackenzie Jackson of Aikido Security told SecurityWeek. “TeamPCP has compromised Trivy, Checkmarx, Bitwarden CLI, TanStack, and now GitHub, all in 2026, all through developer tooling.”
The attack cascaded beyond direct victims. When LiteLLM was compromised in April, the malware gained access to API credentials for OpenAI, Anthropic, Google, and Amazon routed through the library’s proxy function. Downstream, Mercor — the $10 billion AI data startup supplying training data to Meta, OpenAI, and Anthropic — suffered a four-terabyte exfiltration between 24 and 27 March, including proprietary training methodology references from Meta, according to VentureBeat.
“A flywheel of supply chain compromises, where each successful breach gives the group more access, more credentials and more opportunities to attack new targets.”
— Ben Read, Strategic Threat Intelligence Lead, Wiz
The Self-Replicating Model
Mini Shai-Hulud operates as a worm, not a one-time implant. Each compromised package becomes a launch point for the next wave. The malware steals publishing credentials, uses them to inject poisoned versions of new packages, and repeats. Within two weeks of the initial Trivy compromise, TeamPCP had moved through five separate package ecosystems: GitHub Actions, Docker Hub, npm, Open VSX, and PyPI, per Help Net Security.
The 19 May DurableTask compromise exemplifies the speed. According to Wiz and Endor Labs, three malicious versions (1.4.1, 1.4.2, and 1.4.3) of the official Microsoft Azure Python SDK for the Durable Task workflow framework were pushed to PyPI within a 35-minute window. The packages were live for hours before detection, during which automated dependency update tools pulled them into thousands of production builds.
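A release cooldown gate is one defensive answer to the pattern above, in which several versions land within minutes and automated updaters pull them within hours. The sketch below is an added example, not code from the article or any vendor it cites; the package history, the one-hour burst window, the three-day minimum age and the function names are all assumptions.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
# Constructed release history for a hypothetical package: (version, upload time).
# The last three uploads are spaced to mirror the 35-minute burst described above.
RELEASES = [
    ("2.0.0", datetime(2026, 3, 2, 9, 0, tzinfo=UTC)),
    ("2.0.1", datetime(2026, 5, 19, 16, 5, tzinfo=UTC)),
    ("2.0.2", datetime(2026, 5, 19, 16, 22, tzinfo=UTC)),
    ("2.0.3", datetime(2026, 5, 19, 16, 40, tzinfo=UTC)),
]

def find_bursts(releases, window=timedelta(hours=1), min_count=3):
    """Return groups of versions where min_count or more uploads fit in `window`."""
    ordered = sorted(releases, key=lambda r: r[1])
    bursts, start = [], 0
    for end in range(len(ordered)):
        # Slide the window start forward until it spans at most `window`.
        while ordered[end][1] - ordered[start][1] > window:
            start += 1
        if end - start + 1 >= min_count:
            group = [v for v, _ in ordered[start:end + 1]]
            if bursts and bursts[-1][0] == group[0]:
                bursts[-1] = group      # same burst, one release longer
            else:
                bursts.append(group)
    return bursts

def pick_version(releases, now, min_age=timedelta(days=3)):
    """Cooldown gate: newest version that is at least `min_age` old and not
    part of a burst. Burst versions are held for manual review (assumed policy)."""
    held = {v for burst in find_bursts(releases) for v in burst}
    ok = [(v, t) for v, t in releases if now - t >= min_age and v not in held]
    return max(ok, key=lambda r: r[1])[0] if ok else None

if __name__ == "__main__":
    now = datetime(2026, 5, 19, 20, 0, tzinfo=UTC)
    print("held for review:", find_bursts(RELEASES))
    print("install:", pick_version(RELEASES, now))
```
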
The TanStack attack exploited GitHub Actions runners by extracting OIDC tokens from in-memory environment variables during workflow execution. These short-lived tokens, intended to authenticate GitHub Actions to npm without storing long-term credentials, were harvested and used to publish malicious packages with valid provenance attestations — signing the supply chain attack with GitHub’s own cryptographic keys.
What to Watch
GitHub has not disclosed whether TeamPCP’s access extended beyond the 3,800 exfiltrated repositories to code-signing infrastructure or GitHub Actions secrets used by public repositories. If the attackers gained access to organisation-level secrets or deploy keys, the blast radius extends to every open-source project hosted on the platform.
Expect emergency patches from every major package ecosystem. npm, PyPI, RubyGems, and Cargo are implementing stricter publishing controls and mandatory two-factor authentication for maintainers of high-impact packages. SLSA v1.0 is under revision to detect compromised source repositories, not just tampered build outputs.
Enterprise security teams should audit CI/CD pipelines for leaked credentials, rotate all GitHub personal access tokens and npm publishing tokens issued before 20 May, and implement network-level egress filtering to block build environments from exfiltrating data. The attack’s core lesson: supply chain security cannot rely on post-publication scanning when the compromise happens at build time.
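For the pipeline audit recommended above, the following added example (not from the article or any tool it names) scans CI log text for strings shaped like the credential types the campaign targets and reports a hash fingerprint instead of the secret. The log lines and tokens are constructed, the AWS key is the documentation example value, and the function and pattern names are assumptions.

```python
import hashlib
import re

# Published formats for credential types the article lists.
PATTERNS = {
    "github_pat_classic": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "github_pat_fine_grained": re.compile(r"\bgithub_pat_[A-Za-z0-9_]{82}\b"),
    "npm_token": re.compile(r"\bnpm_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
}

# Constructed sample: fake tokens with the right shape, built at import time.
FAKE_GH = "ghp_" + "a1B2" * 9
FAKE_NPM = "npm_" + "Zz09" * 9
SAMPLE_LOG = f"""\
2026-05-12T08:01:02Z step=install npm ci
2026-05-12T08:01:09Z step=debug env GITHUB_TOKEN={FAKE_GH}
2026-05-12T08:01:10Z step=publish //registry.npmjs.org/:_authToken={FAKE_NPM}
2026-05-12T08:01:11Z step=deploy AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
2026-05-12T08:01:15Z step=retry git clone https://x:{FAKE_GH}@github.com/org/repo
"""

def audit_log(text):
    """Map fingerprint -> {"kind", "lines"} for each distinct credential-shaped string."""
    found = {}
    for no, line in enumerate(text.splitlines(), start=1):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                # Report a hash, not the secret, so the audit output is safe to share.
                fp = hashlib.sha256(m.group(0).encode()).hexdigest()[:12]
                found.setdefault(fp, {"kind": kind, "lines": []})["lines"].append(no)
    return found

if __name__ == "__main__":
    for fp, hit in audit_log(SAMPLE_LOG).items():
        print(f"{hit['kind']:<24} sha256:{fp} lines={hit['lines']}")
```

Each fingerprint is one distinct credential to revoke, and the line numbers show which pipeline steps exposed it.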
TeamPCP remains active. On 20 May, an account linked to the group posted: “GitHub knew for hours, they delayed telling you and they won’t be honest in the future. What an amazing run, it’s been an honor to play around with the cats over the past few months.”