In late April 2026, a new worm began quietly spreading through the same compromised developer environments that TeamPCP had spent months infecting. It removed TeamPCP’s malware. Then it installed itself instead — and started stealing the exact same credentials.
Someone was hunting them.
TL;DR
- TeamPCP has operated since September 2025, compromising npm, PyPI, GitHub Actions, and Docker images at scale — 500,000+ credentials stolen across hundreds of packages
- The group operates under multiple aliases and has a documented Telegram presence, BreachForums posts, and a ransomware partnership that narrows geographic attribution
- They have made consistent, trackable OPSEC mistakes: hardcoded strings, reused infrastructure, port 666 on every operation, and blockchain records they cannot delete
- A counter-worm called PCPJack — likely built by a former insider — is now hunting their victims, creating a supply chain ecosystem with two competing criminal operations
- This article maps their known digital fingerprints and explains how investigators build attribution cases against groups like this
Why This Matters
If you run any JavaScript or Python projects, you have almost certainly used a package that TeamPCP has attempted to compromise. Their May 2026 campaign hit packages with a combined 200 million weekly downloads — TanStack, Mistral AI, Guardrails AI, and over 170 others. This is not an APT going after one specific target. It is a financially motivated group with automation, ambition, and increasingly poor operational security.
Understanding how they operate — and where they slip up — is how groups like this eventually get caught.
Who Is TeamPCP
TeamPCP emerged in September 2025 as a cloud-focused cybercrime group specializing in supply chain attacks against developer infrastructure. They target CI/CD pipelines, package registries, and developer toolchains — not end users directly, but the infrastructure that serves millions of developers.
The group operates under several personas:
| Alias | Context |
|---|---|
| PCPcat | Primary BreachForums identity |
| Persy_PCP | Telegram channel handle |
| ShellForce | Early campaign branding |
| DeadCatx3 | Forum posts, early activity |
| CipherForce | Merged partner operation |
Their Telegram channel @team_pcp grew from roughly 700 subscribers in early February 2026 to over 1,180 by late March — driven largely by media coverage of their supply chain operations. This is not a group hiding in the shadows. They court attention.
Partnership Structure
In March 2026, TeamPCP formally announced a partnership with Vect Ransomware Group, a Russian-speaking ransomware-as-a-service operation. The deal structure: 80–88% profit share for TeamPCP affiliates who deploy Vect ransomware against organizations whose credentials they had already stolen.
This partnership matters for attribution. Russian-speaking RaaS operations typically restrict membership to trusted Eastern European circles. A formal, profit-structured deal with an explicit percentage split indicates a relationship built on real trust — not a one-off transaction. It narrows the geographic and operational profile of the group’s core members.
The Escalation Timeline
TeamPCP did not appear fully formed. Their capability grew with each campaign, and the pattern of escalation reveals deliberate operational learning:
- September 2025 — First known activity
- December 2025 — React2Shell campaign (CVE-2025-55182). This is when they became publicly known.
- February 2026 — Aqua Security’s Trivy container scanner compromised. The attack vector: incomplete credential rotation after an earlier breach. They kept access the victim thought had been closed.
- March 2026 — LiteLLM (~97 million monthly downloads) and Checkmarx KICS compromised within the same week. Five software ecosystems hit in five days.
- April 2026 — Checkmarx VS Code extensions and GitHub Actions workflows. Credential reuse from the March breach — Checkmarx had rotated some credentials, not all.
- May 11, 2026 — Mini Shai-Hulud. Over 400 malicious package versions published across 172 packages in five hours. 200 million weekly download exposure.
- May 11, 2026 — Checkmarx Jenkins AST Plugin. The plugin’s GitHub repository was renamed to “Checkmarx-Fully-Hacked-by-TeamPCP-and-Their-Customers-Should-Cancel-Now”, with a commit message reading: “Checkmarx fails to rotate secrets again. with love – TeamPCP.”
That last move was not operational. It was a statement. Groups that taunt victims in commit messages are no longer purely rational actors — they are performing for an audience. This behavioral shift is a profiling indicator.
The $1,000 Contest and What It Reveals
On BreachForums, TeamPCP announced a competition: compromise open-source packages using their Shai-Hulud tool, submit proof of access, earn Monero. Scoring is based on package download counts — targeting popular packages yields more points.
One thousand dollars is not a serious payout for supply chain access. A single set of cloud credentials from a company with a production Kubernetes cluster can be worth orders of magnitude more. The money is not the point.
The contest does three things:
- Expands the attacker pool — more compromises, more credentials flowing into TeamPCP’s collection pipeline
- Creates attribution noise — when multiple actors use the same tool across different targets, forensic teams must separate campaigns that look identical
- Signals recruitment — operators who perform well in the contest are candidate hires for future operations
Publishing Shai-Hulud as open-source on BreachForums was a separate but related move. Once a tool is public, every future deployment of it cannot be automatically attributed to TeamPCP. Plausible deniability, at scale.
Where They Are Leaking
Despite the operational sophistication, TeamPCP has made consistent, trackable mistakes across every campaign. These are not minor slips — several are the kind of artifacts that prosecution exhibits are built from.
Infrastructure Patterns
Every major TeamPCP exploitation operation has used port 666 as a C2 port. This is consistent across campaigns going back to their earliest activity. It is the kind of operational habit that emerges when one person sets up infrastructure and never revisits the decision.
Known C2 infrastructure includes eight IPs that have appeared across multiple campaigns. Three self-signed TLS certificates have been fingerprinted across campaign waves — certificates that can be matched against historical passive DNS and internet scan databases like Shodan or Censys.
Hardcoded Strings
The Shai-Hulud malware family contains unique strings that appear across deployments regardless of who is running the tool:
- PBKDF2-SHA256 encryption salt: svksjrhjkcejg
- GitHub commit author email: claude@users.noreply.github.com
- Dead man’s switch commit message: IfYouRevokeThisTokenItWillWipeTheComputerOfTheOwner
- C2 fallback discovery keyword: FIRESCALE
- Persistent filenames: hangup.wav, ringtone.wav, sysmon.py
- Service names: gh-token-monitor.service, pgsql-monitor.service
- PyPI repository description: PUSH UR T3MPRR
Each of these strings is a YARA rule waiting to be written.
The Blockchain Problem
TeamPCP used Internet Computer Protocol (ICP) canisters as part of their C2 infrastructure — a decentralized hosting approach intended to make takedown difficult. The logic is sound: you cannot send a law enforcement request to take down a canister the way you can send one to a hosting provider.
But blockchain records are immutable. Every deployment, every update, every transaction involving that canister is permanently recorded on the ICP chain. The obfuscation of hosting is traded for an indelible audit trail. Investigators with blockchain analysis tools can map canister activity to wallet addresses, and wallet addresses can sometimes be linked to exchange accounts — accounts that required KYC.
Typosquatted Domains Reveal Targeting
The domains TeamPCP registered for lookalike infrastructure tell investigators exactly who they were targeting before an attack becomes public:
- aquasecurtiy[.]org → Aqua Security (compromised February 2026)
- checkmarx[.]zone → Checkmarx (March and May 2026)
- models.litellm[.]cloud → LiteLLM (March 2026)
Domain registration records, WHOIS history, and registration timing can be compared against attack timelines. Domains registered days before a compromise begin to look like planning artifacts.
PCPJack: A Hunter Enters the Supply Chain
In late April 2026, security researchers at SentinelOne identified a new self-propagating framework operating in the same environments TeamPCP had been compromising for months. They named it PCPJack.
PCPJack’s initial behavior: find TeamPCP infections, remove them, replace them with itself.
Its credential theft scope is nearly identical to TeamPCP’s — SSH keys, cryptocurrency wallets, AWS and Kubernetes credentials, GitHub tokens, Gmail, Office 365, Slack, WordPress. It propagates using the same vulnerability classes: Next.js, React2Shell, WordPress plugins, CentOS Web Panel.
SentinelOne’s assessment is that PCPJack was likely built by a former TeamPCP operator. The familiarity with TeamPCP’s tooling is too specific for an outsider — the removal routine targets artifacts that were not publicly documented.
PCPJack’s OPSEC Failure
PCPJack’s operator made a significant mistake. The framework encrypts all stolen data before exfiltration — except Telegram credentials and references to their own infrastructure. These are transmitted in plaintext.
This is the inverse of the expected pattern. An operator who builds a sophisticated self-propagating framework with encrypted exfiltration presumably understands why encryption matters. Leaving Telegram credentials unencrypted suggests either a rushed implementation or, more interestingly, that those Telegram accounts are disposable infrastructure the operator does not consider sensitive.
Either way, it is an attribution handle. Investigators who gain access to PCPJack network traffic have plaintext Telegram identifiers pointing at the operator.
How Attribution Cases Are Built
Law enforcement and threat intelligence teams do not identify threat actors from a single artifact. Attribution is a convergence of evidence across multiple independent channels:
Forum OSINT maps persona activity — when posts were made, writing patterns, timezone-consistent posting windows, which forums a persona trusts enough to post operational details on. TeamPCP’s public Telegram channels document their own operational timeline better than most incident reports.
Technical attribution ties campaigns together through consistent artifacts: the port 666 pattern, the shared PBKDF2 salt, the same eight C2 IPs appearing across campaigns separated by months. Each reuse reduces the probability that campaigns are unrelated.
Infrastructure pivoting traces shared hosting, certificate fingerprints, and ASN patterns. A server used for C2 in February that appeared in a domain registration in January links pre-attack planning to post-attack infrastructure.
Credential reuse as evidence — TeamPCP’s May 2026 Checkmarx Jenkins compromise used credentials stolen during the March 2026 breach. This is documented in Checkmarx’s own incident analysis. That credential reuse timeline is evidence of the same actor, not a copycat.
Behavioral profiling tracks the shift from quiet credential theft to public taunting. The repo rename and “with love – TeamPCP” message are the behavior of operators who feel untouchable. Groups that feel untouchable tend to take larger risks. Larger risks create larger attack surfaces for investigators.
Hunting Strings for Defenders
If you run a SIEM, EDR, or security monitoring stack, these indicators are worth implementing as detection rules today:
| Type | Indicator | Notes |
|---|---|---|
| Crypto salt | svksjrhjkcejg | PBKDF2 key derivation, unique to Shai-Hulud family |
| Commit email | claude@users.noreply.github.com | Used in malicious GitHub commits |
| Commit string | IfYouRevokeThisTokenItWillWipeTheComputerOfTheOwner | Dead man’s switch marker |
| C2 keyword | FIRESCALE | GitHub commit message dead-drop |
| Filename | hangup.wav, ringtone.wav, sysmon.py | Stage payloads |
| Service name | gh-token-monitor.service | Linux persistence |
| Service name | pgsql-monitor.service | Masqueraded PostgreSQL monitor |
| Repo description | Shai-Hulud: Here We Go Again | Campaign marker |
| Network port | 666/tcp outbound | Consistent across all campaigns |
| Exfil endpoint | seed1/2/3.getsession.org | Session/Oxen C2 seed nodes |
| Domain pattern | aquasecurtiy[.]org, checkmarx[.]zone | Typosquats |
```bash
# Quick grep for Shai-Hulud artifacts in a compromised repository
grep -r "svksjrhjkcejg\|FIRESCALE\|IfYouRevokeThis\|gh-token-monitor\|hangup\.wav" . 2>/dev/null
```

For GitHub Actions environments specifically, audit any workflow that calls external scripts during release steps. The Mini Shai-Hulud campaign poisoned build caches and rode trusted release workflows — the malicious code ran with legitimate signing privileges.
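The same hunt as a small Python script, added here as an example that is not part of the original post: it walks a checkout for the string, filename and service-name indicators in the table above and checks connection-log lines for outbound 666/tcp and the getsession.org seed nodes. The category labels, the log line format and the planted demo files are constructed for this example.

```python
# Added example (not from the post): hunt for the article's Shai-Hulud / TeamPCP indicators
# in a checkout and in outbound connection logs. Log format and demo files are constructed.
import os, re, tempfile

STRING_IOCS = {  # string indicators from the hunting table: value -> category
    "svksjrhjkcejg": "pbkdf2-salt",
    "claude@users.noreply.github.com": "commit-email",
    "IfYouRevokeThisTokenItWillWipeTheComputerOfTheOwner": "dead-man-switch",
    "FIRESCALE": "c2-keyword",
    "Shai-Hulud: Here We Go Again": "repo-description",
}
FILE_IOCS = {"hangup.wav", "ringtone.wav", "sysmon.py",            # staged payloads
             "gh-token-monitor.service", "pgsql-monitor.service"}  # persistence units
SEED_RE = re.compile(r"\bseed[123]\.getsession\.org$")  # Session/Oxen seed nodes
# Constructed connection-log format: "<ts> <src> -> <dst>:<port> <proto>"
CONN_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (tcp|udp)$")

def scan_text(path, text):
    """Return (path, category, indicator) for each string IOC present in text."""
    return [(path, cat, ioc) for ioc, cat in STRING_IOCS.items() if ioc in text]
def scan_tree(root):
    """Walk a checkout; flag IOC filenames and IOC strings inside readable files."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name in FILE_IOCS:
                hits.append((path, "persistence-file", name))
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    hits.extend(scan_text(path, fh.read()))
            except OSError:
                pass  # unreadable file or dangling symlink: skip it, keep hunting
    return hits
def scan_connections(lines):
    """Flag outbound 666/tcp and Session seed-node traffic in connection log lines."""
    hits = []
    for m in filter(None, (CONN_RE.match(l.strip()) for l in lines)):
        ts, src, dst, port, proto = m.groups()
        if proto == "tcp" and int(port) == 666:  # C2 port on every TeamPCP operation
            hits.append((ts, src, f"{dst}:{port}", "c2-port-666"))
        elif SEED_RE.search(dst):
            hits.append((ts, src, f"{dst}:{port}", "session-seed-node"))
    return hits
def demo_tree():
    """Plant constructed artifacts (one string-IOC file, one payload name) and scan them."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "release.yml"), "w") as fh:  # constructed workflow file
        fh.write("# FIRESCALE\nsalt: svksjrhjkcejg\n")
    open(os.path.join(root, "sysmon.py"), "w").close()          # constructed payload name
    return sorted({cat for _, cat, _ in scan_tree(root)})
```

Feed scan_connections the egress records from your firewall or flow collector after mapping them to the line format above; a 666/tcp hit from a build runner is worth an incident ticket on its own.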
What This Group Tells Us About the Threat Landscape
TeamPCP is not the first financially motivated group to target open-source package ecosystems, and they will not be the last. What makes their operations notable is the combination of automation (400+ malicious packages in five hours), escalating provocation, and a willingness to publish their own tools publicly.
The $1K contest is the most direct signal of where the threat is heading: supply chain attacks as a service, with crowdsourced compromises feeding into a centralized credential monetization pipeline. The actual attackers do not need to be sophisticated — they just need to follow the Shai-Hulud instructions and submit proof.
That model scales. TeamPCP’s core team may be small, but their attack surface is every developer in the world running npm install.
The PCPJack development is a different kind of signal — that the supply chain ecosystem is now contested criminal territory. Two groups, using near-identical tooling, fighting over the same compromised developer environments. For defenders, the practical implication is that clean-up is not sufficient. You need to verify that whatever removed the first infection was not something worse.
A note to TeamPCP: Port 666 on every operation. The same eight IPs across six months of campaigns. Immutable blockchain records you cannot delete. Someone inside your own operation who knows your tooling well enough to write a removal script. And now a $1,000 contest that put your name on a few hundred more forensic reports.
The clock is ticking — and not just on your dead man’s switch.
Related Posts
- Shai-Hulud: The Open-Source GitHub Actions Token Harvester That Just Went Public — deep technical breakdown of the Shai-Hulud tool, CI/CD attack chain, and detection
- The Package You Trusted: How the Axios Supply Chain Attack Happened — how TeamPCP compromised a package with 400 million monthly downloads
- GitHub Actions Cache Poisoning and Supply Chain Attacks — the attack pattern TeamPCP exploited repeatedly
Sources
- Unit 42 — Weaponizing the Protectors: TeamPCP’s Multi-Stage Supply Chain Attack
- JFrog Security Research — Shai-Hulud: Here We Go Again
- Wiz Blog — Mini Shai-Hulud Strikes Again: TanStack + more npm Packages Compromised
- The Hacker News — TeamPCP Compromises Checkmarx Jenkins AST Plugin
- SecurityWeek — PCPJack Worm Removes TeamPCP Infections, Steals Credentials
- Recorded Future — Your Supply Chain Breach Is Someone Else’s Payday
- GBHackers — TeamPCP, BreachForums Launch $1K Supply-Chain Attack Contest
- Trend Micro — Analyzing TeamPCP’s Supply Chain Attacks: Checkmarx KICS and elementary-data
- Hackread — TeamPCP Used Mini Shai-Hulud Worm to Poison Over 400 npm and PyPI Packages
- CyberScoop — Mini Shai-Hulud malware compromises hundreds of open-source packages