TeamPCP Chaos Crusade: 1,000+ Open-Source Packages Hit

The TeamPCP Chaos Crusade is one of the most destructive cybersecurity events of 2026. In under four months, this threat group has injected malicious code into more than 1,000 software packages. Security researchers are calling it the most disruptive supply chain attack campaign the developer community has ever seen.

The name fits. TeamPCP has publicly stated that causing chaos is the goal. And it has been delivering on that promise since late 2025.

What Is the TeamPCP Chaos Crusade?

The TeamPCP Chaos Crusade started quietly in late 2025. The group first targeted cloud infrastructure, focusing on exposed Docker APIs and Kubernetes clusters. Most of that early activity flew under the radar.

That changed in early 2026.

The TeamPCP Chaos Crusade escalated dramatically in March 2026, operating across five software ecosystems including GitHub Actions, Docker Hub, npm, PyPI, and OpenVSX. What followed shook the entire developer community.

Google attributes the bulk of the TeamPCP Chaos Crusade activity to one core operator. The company traced IP address connections to South Africa, indicating the primary operator was located there during at least some of its attacks. Palo Alto Networks tracks three known handles for the campaign: “ResoluteXBF” as the core operator, “diencracked,” and “Shinigami.”

If the TeamPCP Chaos Crusade is truly run by one primary individual, a focused law enforcement action could shut the whole thing down with a single arrest.

How the TeamPCP Chaos Crusade Worked

The methods behind the TeamPCP Chaos Crusade are not technically new. The crux of these attacks hinges on defensive vulnerabilities the entire software industry has known about for years. The speed and scale of these attacks is what makes it most notable, not necessarily the methodology behind it, because at the core it is really about exploiting third-party trusts, said Kimberly Goody, senior manager at Google Threat Intelligence Group.

Here is how the Trivy attack worked on March 19, 2026. Aqua Security’s service account had been compromised weeks prior. TeamPCP used that access to force-push malicious code to 76 of 77 trivy-action version tags on GitHub. Most developers do not pin their GitHub Actions to a specific cryptographic commit hash. They rely on mutable tags like @v1 or @latest. When their pipelines ran routine vulnerability scans, they automatically pulled the poisoned scanner.

The stealer, a 204-line entrypoint.sh script that self-identified as “TeamPCP Cloud Stealer,” ran a three-stage attack. It read memory from Runner.Worker processes, searched for patterns matching secrets, and extracted GitHub PATs, cloud credentials, and API keys from runner memory.

Using stolen GitHub Personal Access Tokens, the attackers created pull requests containing malicious workflows that executed in the context of targeted repositories, giving access to runtime secrets and environment variables. In AWS, ECS Exec was abused to run Bash commands and Python scripts directly on live containers.

Each stolen credential wave unlocked the next target. The chain expanded through Checkmarx, LiteLLM, Telnyx, and more than 66 npm packages.

Credential theft on this scale is part of a broader 2026 trend. The Coinbase insider attack that led to a $400 million loss this year shows just how much damage stolen access can do once it lands in the wrong hands.

Victims of the TeamPCP Chaos Crusade

The confirmed victim list from the TeamPCP Chaos Crusade is staggering. It includes Checkmarx, Bitwarden, LiteLLM, Telnyx, Mercor AI, PyTorch Lightning, AntV, SAP, GitHub, TanStack, UiPath, MistralAI, Microsoft DurableTask, Red Hat, and Nx Console.

Over 1,000 SaaS environments were impacted, with roughly 500,000 credentials stolen and more than 300 GB of data exfiltrated.

The full collection of packages compromised during the TeamPCP Chaos Crusade accounts for roughly 500 million weekly downloads combined. That number puts into perspective how many organizations were potentially exposed without knowing it.

The GitHub Breach

One of the most alarming moments in the TeamPCP Chaos Crusade came in mid-May 2026.

A malicious build of the Nx Console VS Code extension (v18.95.0, publisher nrwl.angular-console) was published to the Visual Studio Marketplace and was live for approximately 18 minutes before it was pulled. On a GitHub employee endpoint, the extension auto-updated during that window, exfiltrated developer secrets, and was then used to move laterally through GitHub’s internal CI/CD.

The intrusion exfiltrated approximately 3,800 GitHub-internal repositories before containment. OpenAI, Grafana Labs, and Mistral AI were named as downstream victims whose developers had auto-update enabled.

What makes this particularly troubling is that the poisoned extension carried a verified-publisher badge. That badge gave users false confidence that the extension was legitimate.

Read the complete breakdown of how 3,800 internal GitHub repositories were pulled through a single compromised VS Code extension.

The Motivation Behind the TeamPCP Chaos Crusade

The TeamPCP Chaos Crusade is not primarily about financial gain. TeamPCP listed about 4,000 private code repositories on a dark web forum with an asking price of $95,000. That is a small figure for the damage it caused.

Researchers say the group wants notoriety more than ransoms. Goody from Google Threat Intelligence Group put it plainly: “They seem to like to make chaos.”

Nathaniel Quist, manager of cloud threat intelligence at Palo Alto Networks, said: “These actors are more interested in the underground street cred they are gaining and causing as much damage and mayhem as possible.”

Researchers have linked TeamPCP to extortion crews and dark web forums including Lapsus$, ShinyHunters, Vect, DragonForce, and BreachForums. Most partnerships were short-lived and ended in a public feud or otherwise failed to get off the ground.

Stay current with the latest threat actor profiles and incidents through our ongoing cybersecurity coverage at Tomarogroup.

The Shai-Hulud Worm: Open-Sourced to the Public

In May 2026, a new escalation arrived. TeamPCP published the complete source code for its Shai-Hulud worm on two public GitHub repositories.

Security outfit OX spotted a pair of repos on GitHub containing the following text: “Shai-Hulud: Open Sourcing The Carnage. Is it vibe coded? Yes. Does it work? Let results speak. Change keys and C2 as needed. Love – TeamPCP.” TeamPCP chose the MIT License, which allows just about any reuse of the code.

OX’s analysts confirmed the code displayed the same patterns from previous Shai-Hulud attacks. Independent threat actors had already begun modifying it and expanding its reach. Dozens of forks appeared within hours. One added FreeBSD support within a day.

Detection patterns built around TeamPCP-specific code strings will now fire on copycat attacks too. Attribution for future incidents using this code becomes much harder.

For a broader look at the software supply chain threats organizations are actively managing in 2026, this open-sourcing moment is a key inflection point. Anyone with the skills to fork a GitHub repository can now deploy a variant of this attack framework.

AI Widened the Attack Window

AI coding tools played a role in making the damage worse. TeamPCP is capitalizing on new security gaps created by developers’ increasing reliance on AI. “Developers didn’t do a great job of analyzing the security of their open-source dependencies before, but now with AI, there’s in some cases virtually no human in the loop or any kind of sanity check on what these tools are doing,” said Feross Aboukhadijeh, founder and CEO at Socket. “You have agents installing packages that haven’t been vetted. When an attacker gets in, the impact is even broader because there’s less checks and balances to stop it from affecting everybody.”

A representative associated with TeamPCP claimed publicly that AI was used to generate malware components and automate intrusion stages. This claim has not been independently verified and warrants cautious interpretation. However, it is consistent with the observed campaign sophistication and rapid operational tempo.

As AI tools push deeper into modern software development workflows, the reduced human review in automated build pipelines creates an expanding window for exactly this kind of supply chain poisoning.

What Security Teams Should Do Right Now

If your CI/CD pipelines pulled updates between March and late May 2026, treat your environment as potentially compromised until you complete an audit. The CyberScoop investigation published June 18, 2026 provides the most complete public timeline for the campaign.

Here are the specific steps security researchers recommend:

• Pin GitHub Actions to specific commit SHA hashes, not mutable version tags
• Rotate all cloud credentials from CI environments that used Trivy, LiteLLM, or Checkmarx KICS between March and May 2026
• Remove confirmed malicious images: aquasec/trivy:0.69.4, 0.69.5, and 0.69.6
• Audit and re-verify all VS Code extensions that auto-updated during May 2026
• Review AWS Secrets Manager and IAM roles accessible from affected CI environments

Amitai Cohen, head of the attack vector intel team at Wiz, who has been tracking this campaign from the start, said: “You can’t keep existing in a world where you wake up every morning and some super prevalent package is compromised and everybody’s just going to be using it like nothing. We need to start taking this a bit more seriously.”

The core problem is not just technical. The software industry has known for years that the open-source trust model has serious gaps. The TeamPCP Chaos Crusade ran through those gaps faster than anyone was prepared to handle.

For further technical indicators of compromise and a full attribution breakdown of the Shai-Hulud framework, The Register’s reporting on the open-sourcing of the worm is worth reading directly.