Breaking AI Technology · 8 min read

TeamPCP Compromises 170+ npm Packages in Coordinated AI Infrastructure Attack

Supply chain assault targets Mistral AI, TanStack, UiPath, and OpenSearch in first npm worm producing valid security provenance

A coordinated supply chain attack on May 11, 2026 published 404 malicious versions across 170+ npm packages and 2 PyPI packages, targeting AI infrastructure and DevOps tooling with backdoored releases that carried valid build provenance attestations.

The campaign, attributed to the TeamPCP threat actor, struck between 19:20 and 19:26 UTC on May 11, affecting packages from Mistral AI, TanStack, UiPath, OpenSearch, and Guardrails AI. It is the first observed npm worm able to generate valid SLSA Build Level 3 provenance, the signed record of which repository, workflow and build platform produced a package that consumers routinely treat as proof of integrity, turning that security infrastructure into a distribution mechanism for malicious code.

TanStack’s router ecosystem sustained the heaviest impact: 42 packages compromised across 84 malicious versions, with the core @tanstack/react-router package alone receiving 12.7 million weekly downloads. Version 2.4.6 of the mistralai PyPI package contained a backdoor that, when the module is imported on Linux, downloads payloads from the hardcoded IP 83.142.209.194. OpenSearch’s main package, with 1.3 million weekly downloads, saw four versions poisoned. UiPath suffered 65 compromised packages across its entire @uipath namespace.

Attack Surface
Total malicious versions: 404
Distinct npm packages: 170+
PyPI packages: 2
Attack window: 6 minutes
CVE severity: 9.6 Critical

Three-Month Campaign Escalation

The May 11 attack concluded a deliberate escalation that began on March 19, when TeamPCP compromised Aqua Security’s Trivy vulnerability scanner through misconfigured GitHub Actions workflows. According to Datadog Security Labs, the cascade proceeded as follows: Checkmarx KICS fell on March 23, LiteLLM on March 24, Telnyx on March 27, SAP packages on April 29, and PyTorch Lightning on April 30.

Each compromise harvested credentials that fueled subsequent attacks. The group’s pcpcat.py tooling—first observed in artifacts from December 2025—extracted npm tokens, GitHub Actions OIDC tokens, AWS IMDSv2 credentials, GCP tokens, Azure credentials, Kubernetes service accounts, HashiCorp Vault access, SSH keys, and password vault data from Wiz. By May 3, over 1,800 developer repositories contained stolen credentials.

19 March 2026: Trivy compromise. Initial access via Aqua Security’s vulnerability scanner.

23 March 2026: Checkmarx KICS. Infrastructure scanning tool poisoned.

24 March 2026: LiteLLM. AI model proxy platform compromised.

29-30 April 2026: SAP/Lightning. Enterprise and ML framework packages hit.

11 May 2026: Mass coordinated attack. 170+ npm and 2 PyPI packages compromised in 6 minutes.

According to Socket, the pattern was clear: “The attack closely resembles the lightning@2.6.2 PyPI attack from earlier today, as well as the TeamPCP-linked supply chain campaign we reported yesterday affecting SAP CAP and Cloud MTA npm packages.” The firm later assessed: “After two solid weeks of virtually nonstop attacks, the tempo looks deliberate and sustained rather than opportunistic.”

Breaking Provenance as Security

CVE-2026-45321, rated CVSS 9.6 (critical), tracks the incident: the first npm worm producing valid SLSA Build Level 3 provenance attestations. The malicious TanStack packages carried cryptographic proof of their origin and build process, traditionally the gold standard for supply chain integrity, and the proof was genuine: it was produced by the projects’ own build infrastructure while that infrastructure was under the attacker’s control.

The attack exploited GitHub Actions’ pull_request_target trigger. Unlike pull_request, that trigger runs the workflow in the context of the base repository, with the repository’s secrets and a write-capable GITHUB_TOKEN, even when the pull request comes from a fork; a workflow that also checks out and executes the pull request’s head commit hands that privilege to any untrusted contributor. According to Snyk, the mechanism combined cache poisoning (a cache entry written by a run on the default branch is restorable by later runs in the repository, release builds included) with runtime extraction of the OIDC token from the runner’s process memory via /proc/pid/maps and /proc/pid/mem, allowing the attacker to mint provenance and sign packages with the project’s legitimate credentials.
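The workflow misconfiguration described above is easy to spot once you know the shape. The following is an added example written for this article, not code from the article, from GitHub, Snyk, or any project named here: a regex-based triage tool that reads GitHub Actions workflow text and flags the pattern (pull_request_target plus checkout of the PR head) along with the conditions that widen the blast radius (install steps that run lifecycle scripts, actions/cache, id-token: write). Both workflows in the block are constructed; the hardened one is the same job with the privileged trigger, PR-head checkout, cache, and OIDC permission removed and lifecycle scripts disabled. Regexes over raw YAML are a heuristic, not a parser.

```javascript
// Added example for this article (not the article's, GitHub's or Snyk's code).
// Flags the "pwn request" pattern in GitHub Actions workflow text:
// pull_request_target + checkout of the PR head, plus the conditions that
// make a compromise worse once untrusted code is running on the runner.
// Heuristic regexes on raw YAML; the two workflows below are constructed.

const CHECKS = [
  { id: 'pull_request_target',
    re: /\bpull_request_target\b/,
    why: 'runs in the base repository context with secrets and a write-capable GITHUB_TOKEN, even for fork PRs' },
  { id: 'checkout-pr-head',
    re: /ref:\s*\$\{\{\s*github\.(event\.pull_request\.head\.(sha|ref)|head_ref)\s*\}\}/,
    why: 'checks out code controlled by the PR author' },
  { id: 'install-runs-scripts',
    re: /\b(npm\s+(ci|install|i)\b(?![^\n]*--ignore-scripts)|pnpm\s+(install|i)\b(?![^\n]*--ignore-scripts)|yarn(\s+install)?\b(?![^\n]*--ignore-scripts))/,
    why: 'package install executes preinstall/postinstall scripts from the checked-out tree' },
  { id: 'actions-cache',
    re: /uses:\s*actions\/cache@/,
    why: 'a cache written from the base-branch context is restorable by later runs, including release builds' },
  { id: 'id-token-write',
    re: /id-token:\s*write/,
    why: 'the job can mint an OIDC ID token usable for provenance signing' },
];

function auditWorkflow(yamlText) {
  const findings = CHECKS.filter((c) => c.re.test(yamlText))
    .map((c) => ({ id: c.id, why: c.why }));
  const has = (id) => findings.some((f) => f.id === id);
  // The dangerous core is untrusted code executing under the privileged trigger;
  // the other findings only change how much the attacker gets once it does.
  const pwnRequest = has('pull_request_target') && has('checkout-pr-head');
  let severity = 'none';
  if (pwnRequest) severity = has('id-token-write') || has('install-runs-scripts') ? 'critical' : 'high';
  else if (has('pull_request_target')) severity = 'review'; // privileged trigger; confirm it never runs PR content
  return { pwnRequest, severity, findings };
}

// Constructed vulnerable workflow: privileged trigger, PR-head checkout, cache, OIDC, install scripts.
const VULNERABLE_WORKFLOW = [
  'name: ci',
  'on:',
  '  pull_request_target:',
  '    types: [opened, synchronize]',
  'permissions:',
  '  contents: write',
  '  id-token: write',
  'jobs:',
  '  test:',
  '    runs-on: ubuntu-latest',
  '    steps:',
  '      - uses: actions/checkout@v4',
  '        with:',
  '          ref: ${{ github.event.pull_request.head.sha }}',
  '      - uses: actions/cache@v4',
  '        with:',
  '          path: ~/.npm',
  "          key: npm-${{ hashFiles('package-lock.json') }}",
  '      - run: npm ci',
  '      - run: npm test',
].join('\n');

// Constructed hardened workflow: pull_request (read-only token, no secrets for
// fork PRs), no PR-head ref, no cache, no OIDC permission, no lifecycle scripts.
const HARDENED_WORKFLOW = [
  'name: ci',
  'on:',
  '  pull_request:',
  'permissions:',
  '  contents: read',
  'jobs:',
  '  test:',
  '    runs-on: ubuntu-latest',
  '    steps:',
  '      - uses: actions/checkout@v4',
  '        with:',
  '          persist-credentials: false',
  '      - run: npm ci --ignore-scripts',
  '      - run: npm test',
].join('\n');

console.log(JSON.stringify({
  vulnerable: auditWorkflow(VULNERABLE_WORKFLOW),
  hardened: auditWorkflow(HARDENED_WORKFLOW),
}, null, 2));
```

To run it over a repository, read each file under .github/workflows with fs.readFileSync and pass the text to auditWorkflow; anything reported as critical or high should be rewritten so that nothing from the pull request is executed under pull_request_target, which usually means splitting the privileged part (labelling, commenting) from the part that builds or tests the contribution.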

On npm, the malicious versions carried preinstall lifecycle scripts that download the Bun runtime, so the payload executes during npm install, before any application code is imported; installing with --ignore-scripts (or ignore-scripts=true in .npmrc) blocks that hook, at the cost of breaking packages that legitimately need install scripts. PyPI packages used a different vector: a Python dropper downloaded transformers.pyz from git-tanstack.com (a spoofed domain displaying “With Love TeamCP”) and executed it with python3. Both delivery methods served the same credential harvesting objective but adapted to each ecosystem’s execution model.

Technical Note

SLSA (Supply-chain Levels for Software Artifacts) Build Level 3 requires provenance generated by a hardened build platform: the provenance is signed by the platform rather than by the maintainer, build steps cannot reach the signing key, and builds run in isolation so that one tenant cannot influence another. What Level 3 attests is that a given workflow in a given repository at a given commit ran on that platform and produced the artifact; it says nothing about whether that workflow, its inputs, or its cache were under an attacker’s control at the time. TeamPCP’s ability to produce valid Level 3 attestations for malicious packages demonstrates that cryptographic verification of origin does not guarantee code integrity when the build infrastructure itself is compromised during the signing process. Consumers who verify provenance (for npm, with npm audit signatures) should therefore treat it as one signal, not as a clean bill of health.

Detection and Response Gaps

Socket’s AI scanner detected all malicious TanStack versions within six minutes of publication, with incident threads opening approximately 20 minutes after first publish. Yet the coordinated nature of the attack—404 versions across 172 packages published in a six-minute window—overwhelmed manual review processes. By the time PyPI quarantined mistralai 2.4.6 and npm maintainers began package takedowns, the worm had already begun self-propagating through CI/CD infrastructure using credentials stolen from earlier victims.

According to StepSecurity, “The worm is actively propagating through CI/CD infrastructure stolen from yesterday’s victims.” The self-replicating characteristic—dubbed “Mini Shai-Hulud” after the sandworms in Frank Herbert’s Dune—enables each compromised developer environment to become a launch point for additional package compromises.

The targeting strategy reveals systematic planning. According to SafeDep, “The inclusion of AI/ML packages (Mistral AI SDK on both npm and PyPI, guardrails-ai) alongside web framework packages (TanStack) and enterprise automation tooling (UiPath) suggests the attacker is targeting the broadest possible developer population rather than a specific technology vertical.”

Compromised Ecosystems
  • AI model deployment: Mistral AI SDK (npm + PyPI), Guardrails AI
  • Web frameworks: TanStack router (42 packages, 12.7M weekly downloads)
  • Enterprise automation: UiPath (65 packages across @uipath namespace)
  • Search infrastructure: OpenSearch (1.3M weekly downloads, 4 versions)
  • Security tooling: Trivy, Checkmarx KICS (initial campaign vector)

Attribution and Capability Assessment

TeamPCP publicly claimed credit for the operation. The group—also tracked as DeadCatx3, PCPcat, ShellForce, and CipherForce—evolved from ransomware and cryptomining operations in early 2026 into focused supply chain compromise. According to Palo Alto Networks Unit 42, the group demonstrated multi-stage payload architecture and SDK-squatting tactics across February and March 2026.

The technical sophistication demonstrated in the SLSA provenance bypass, combined with the operational discipline of a three-month credential harvesting campaign, positions TeamPCP as a Tier 1 supply chain threat actor. According to Socket, “That makes this especially concerning because one compromised dependency can become a bridge into additional package ecosystems.”

What to Watch

As of May 12, package registries have quarantined known malicious versions, but the self-propagating worm mechanism means additional compromised packages are likely being discovered hourly. Organisations should audit dependency trees for affected packages—The CyberSec Guru maintains a live list of 373 malicious package-version entries across 169 distinct npm package names.

The provenance bypass fundamentally undermines trust in cryptographic supply chain verification. If valid SLSA Level 3 attestations can be produced for malicious code through build-time compromise, the security community needs complementary integrity mechanisms that verify behaviour, what a package does at install and at runtime, rather than only origin. Rotating developer credentials is necessary but not sufficient: the stolen tokens have already seeded new attack infrastructure, and the workflows that leaked them will leak the replacements unless the pull_request_target and cache misconfigurations are fixed first.

Monitor for secondary waves. TeamPCP’s demonstrated capability to harvest credentials, wait weeks, then execute coordinated multi-ecosystem attacks suggests the May 11 operation may be a template rather than a finale. Any organisation running CI/CD infrastructure that pulled affected packages between March 19 and May 11 should assume credential compromise and rotate tokens, service accounts, and API keys across all cloud providers and secret management systems.