In March 2026 we covered a supply chain campaign run by a threat actor known as TeamPCP that turned trusted developer tools into weapons. It started with the Trivy vulnerability scanner, cascaded into LiteLLM and the Telnyx Python SDK, and ran in parallel with the axios npm compromise. The pattern was simple and devastating: steal credentials from one trusted tool, use them to compromise the next, repeat.
That campaign did not end in March. It got worse.
Over the following three months, TeamPCP escalated from compromising other people’s tools to breaching GitHub itself, poisoning a VS Code extension installed on millions of developer machines, and then open-sourcing its own attack framework so that anyone could run a structurally identical campaign. The result was the largest single-hour supply chain event on record and a wave of copycat worms that are still spreading as of late June.
This post picks up where the March coverage left off. If you read the earlier articles, this is the sequel. If you did not, the short version is this: your IDE, your CI/CD pipeline, and now your AI coding assistant are all part of your attack surface.
The campaign at a glance
The campaign has been assigned CVE-2026-45321 (CVSS 9.6) as the worm tracking identifier. The threat actor is tracked under several names — UNC6780, PCPcat, ShellForce, DeadCatx3, and CipherForce — but TeamPCP is the label they chose for themselves. Across spring 2026, the campaign’s confirmed footprint exceeded 518 million cumulative downloads of affected packages.
Here is the high-level timeline before we go deep on each phase:
| Date | Event | Ecosystem |
|---|---|---|
| Mar 19–31 | Trivy, npm (CanisterWorm), Checkmarx, LiteLLM, Telnyx, axios | Multi |
| Apr (late) | Campaign resumes after ~26-day pause: Bitwarden CLI, Checkmarx KICS again, xinference | npm / PyPI / Actions |
| Apr 28 | A rival worm, PCPJack, appears and evicts TeamPCP tooling | npm |
| May 11 | TanStack compromise steals an Nx contributor’s GitHub CLI token | npm |
| May 12 | TeamPCP open-sources the “Mini Shai-Hulud” worm under MIT license | — |
| May 18 | Nx Console VS Code extension trojanized; targets AI assistant credentials | VS Marketplace / OpenVSX |
| May 19 | GitHub internal breach — ~3,800 repos exfiltrated; Microsoft durabletask PyPI compromised | GitHub / PyPI |
| May 27–28 | CISA adds the campaign to its Known Exploited Vulnerabilities catalog and issues an advisory | — |
| Jun 1 | Miasma worm hits 32 @redhat-cloud-services npm packages | npm |
| Jun 3 | Phantom Gyp variant hits 57 more packages including @vapi-ai/server-sdk | npm |
| Jun 24 | Leo Platform compromised via 20 malicious packages | npm |
April: the campaign resumes, and a rival appears
After the March barrage, TeamPCP went quiet for roughly 26 days. The pause was not a retreat. When the campaign resumed in late April, it returned to familiar territory — developer security tooling — hitting the Bitwarden CLI, Checkmarx KICS again, and the xinference package on PyPI. The playbook was unchanged: harvest credentials from CI/CD environments running the compromised tool, then pivot to whatever those credentials unlocked.
The more interesting April development was competitive. On April 28, SentinelLABS identified a rival worm called PCPJack — a separate piece of malware that actively evicts TeamPCP’s tooling from a compromised host and installs its own credential harvester in its place. When two threat actors are fighting each other for control of the same poisoned developer machines, the underlying ecosystem problem has clearly outgrown any single group.
May: the month everything escalated
May 11 — a stolen token, sitting and waiting
The pivotal compromise of the entire campaign did not look dramatic when it happened. On May 11, a credential-stealing payload that arrived through a TanStack supply chain compromise (@tanstack/zod-adapter@1.166.15) silently exfiltrated the GitHub CLI OAuth token belonging to a core contributor of the popular Nx tooling project.
Nothing visible happened for a week. The attacker simply held the token and used it to move quietly inside Nx’s GitHub repositories — for seven days without detection. This dwell time is the part defenders consistently underestimate. The breach is rarely the loud event. It is the quiet week that follows, while a stolen token is used to stage the next move.
May 12 — TeamPCP open-sources its weapon
In the middle of that quiet week, TeamPCP did something genuinely new in the supply chain threat landscape. On May 12, the group published the complete source code of its “Mini Shai-Hulud” worm framework to GitHub under an MIT license, with the message “Shai-Hulud: Open Sourcing The Carnage.”
The release included the CI cache-poisoning scripts, the OIDC token extractor, and the credential stealer with its full propagation logic. They paired it with a $1,000 contest on BreachForums for the largest derivative attack and announced credential-monetization partnerships with other criminal groups.
This is the supply chain equivalent of publishing a working, weaponized exploit framework. It lowered the barrier to entry to almost nothing. Any operator — regardless of skill — could now run a structurally identical campaign. As we will see in June, they did.
May 18 — Nx Console, and the first AI-credential heist
With the stolen contributor token, the attacker finally moved. On May 18 at 12:36 UTC, they published a malicious version of the Nx Console VS Code extension (nrwl.angular-console v18.95.0) to the Visual Studio Marketplace. The Nx team detected the rogue publish and pulled it at 12:47 UTC — a window of roughly 11 minutes on the Marketplace and about 36 minutes on OpenVSX.
Eleven minutes sounds harmless. It was not. The extension has roughly 2.2 million installations, and VS Code’s automatic update behavior means exposure is driven by install base size, not by how long the malicious version is live. Within two days, Nx’s own analytics registered about 6,000 activations of the malicious version — including one from the Cursor editor.
The payload harvested credentials across an unusually broad surface:
- GitHub —
ghp_/gho_/ghs_tokens, Actions secrets, and tokens scraped from process memory - npm —
.npmrctokens and OIDC token exchange - AWS — IMDS/ECS metadata, Secrets Manager, SSM, and Web Identity tokens
- HashiCorp Vault —
~/.vault-tokenand/etc/vault/token - Kubernetes — service account tokens
- 1Password —
opCLI vault contents, if a session was active - AI coding assistants —
~/.claude/settings.json, the configuration file for Anthropic’s Claude Code
That last item is the one to pay attention to. This is one of the first documented supply chain attacks explicitly designed to steal AI coding assistant credentials. Claude Code configuration files can contain API keys, project system prompts, and tool permission settings. In an enterprise deployment, those settings may represent broad read-write access to an organization’s codebase through an agentic AI workflow. TeamPCP did not stumble onto this file while sweeping for generic secrets — they mapped it deliberately. AI assistant credentials are now considered primary loot, alongside cloud keys and secrets-manager tokens.
The malware also installed persistence (a script dropped at ~/.local/share/kitty/cat.py with associated launch hooks) and exfiltrated data over HTTPS, the GitHub API, and DNS tunneling simultaneously to make blocking harder.
May 19 — GitHub itself, and a Microsoft package
The Nx Console compromise was not the goal. It was the delivery mechanism. One of the ~6,000 machines that activated the malicious extension belonged to a GitHub employee. Using credentials harvested from that endpoint, TeamPCP pivoted into GitHub’s internal infrastructure and exfiltrated approximately 3,800 internal source code repositories.
The same day produced two more records. First, Microsoft’s durabletask Python SDK — the official SDK for Azure Durable Functions, with over 400,000 downloads per month — was compromised on PyPI. Three malicious versions (1.4.1, 1.4.2, 1.4.3) were published in a 35-minute window using a compromised contributor account. A 14-line dropper pulled down the credential stealer and installed persistence through fake systemd services and lateral movement via SSH and kubectl exec. In specific geographies, the payload executed a destructive rm -rf /* wiper — while skipping any system with a Russian locale, a CIS-exemption pattern consistent with Eastern European operators.
Second, security researchers at Wiz and StepSecurity described May 19 as the largest single-hour supply chain event on record: more than 300 malicious versions across 323 packages published in a single hour, tied to the same t.m-kosche.com command-and-control infrastructure used in the TanStack, Mistral AI, LiteLLM, and AntV compromises.
May 27–28 — the federal response
The federal response that had been conspicuously absent through March finally arrived. On May 27, CISA added the campaign’s primary tracking vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. On May 28, it issued its first standalone advisory naming the Nx Console and GitHub repository compromises specifically.
June: the worm era
Open-sourcing the framework on May 12 had consequences. By June, the campaign was no longer about a single group extorting named victims. It had become ecosystem-scale worming, driven by the public toolkit. Vendors trace the June malware to the TeamPCP lineage but now explicitly caution that a copycat using the leaked code cannot be ruled out.
June 1 — Miasma and the SLSA-attested compromise
On June 1, a credential-stealing worm that Wiz named Miasma compromised at least 32 packages (across roughly 90 versions) published under the @redhat-cloud-services npm scope, with a combined footprint of about 80,000 weekly downloads.
The clever and concerning detail: the attacker used a compromised Red Hat employee GitHub account to inject malicious GitHub Actions workflows into RedHat repositories. Because the malicious releases were built and published by Red Hat’s genuine pipeline, they carried valid SLSA provenance attestations. The build system honestly attested that it ran Red Hat code — code that happened to contain attacker-injected steps. Provenance proved the artifact’s origin, but it could not prove the origin was trustworthy.
The stolen Red Hat credential had a backstory that should worry every security team. Dark-web monitoring detected it in infostealer logs on April 13, with a second sighting on May 15. It sat in underground markets for roughly seven weeks before being weaponized on June 1. This is the developer credential economy in action: credentials are stolen by one actor, sold, and weaponized by another, weeks later.
The Miasma payload used a preinstall script, added new cloud-identity collectors for GCP and Azure, and bloated its obfuscated index.js from roughly 200 KB to about 4.29 MB.
June 3 — Phantom Gyp evades the defenders
Defenders had spent months building monitoring for preinstall and postinstall lifecycle scripts — the classic npm execution vectors. So on June 3, the worm changed tactics.
The Phantom Gyp variant compromised 57 packages across 286+ malicious versions in under two hours. Instead of a lifecycle script, it abused a 157-byte binding.gyp file to trigger code execution during npm install, sidestepping nearly all of the install-script monitoring defenders had deployed. The largest victim was @vapi-ai/server-sdk, the official Vapi.ai voice-AI server SDK with over 408,000 monthly downloads, hit first at 23:30 UTC. An hour later, the worm published malicious versions of more than 50 packages belonging to a single maintainer, including ai-sdk-ollama (120,000+ monthly downloads).
The pattern is worth internalizing: defenders adapted to one execution vector, and the attackers simply moved to another that achieved the same result. Install-time code execution in npm is not a single hole to patch. It is a category of risk.
Through late June
The worm activity continued. On June 5, a previously compromised contributor account pushed malicious commits to Microsoft’s Azure/durabletask repository, forcing GitHub to disable 73 repositories in a 105-second automated sweep. On June 24, the Leo Platform was hit via 20 malicious packages. As of this writing, the ecosystem-scale worming has not stopped.
Am I affected?
Work through these checks for each ecosystem the campaign touched.
Check for the Nx Console extension
Version 18.95.0 exactly is the only compromised release. 18.100.0 and later are safe.
# List installed VS Code / Cursor extensions and versions
code --list-extensions --show-versions | grep -i angular-console
cursor --list-extensions --show-versions 2>/dev/null | grep -i angular-console
If you ever had nrwl.angular-console@18.95.0 installed with auto-update enabled around May 18, treat the machine as compromised regardless of forensic evidence, then remediate and rotate.
Check for persistence artifacts
# The Nx Console persistence script
ls -la ~/.local/share/kitty/cat.py 2>/dev/null
# Malicious hooks injected into AI assistant / editor config
grep -R "curl\|wget\|base64 -d\|child_process" ~/.claude/settings.json .vscode/tasks.json 2>/dev/null
Check your lockfiles for the worm waves
# Red Hat scope (Miasma, June 1)
grep -E "@redhat-cloud-services" package-lock.json pnpm-lock.yaml yarn.lock 2>/dev/null
# Phantom Gyp wave (June 3)
grep -E "@vapi-ai/server-sdk|ai-sdk-ollama" package-lock.json pnpm-lock.yaml yarn.lock 2>/dev/null
# Any package shipping an unexpected binding.gyp is worth a closer look
find node_modules -name binding.gyp -size -512c 2>/dev/null
Check for the compromised Microsoft PyPI package
pip show durabletask 2>/dev/null | grep -i version
# Affected: 1.4.1, 1.4.2, 1.4.3 — upgrade to a clean, later release
What to do right now
If any environment touched a compromised artifact, treat every credential reachable from that environment as exposed.
-
Rotate AI assistant credentials. This is new, and it is easy to forget. Rotate Claude Code / Cursor API keys, review
~/.claude/settings.jsonfor unexpected tool permissions or hooks, and revoke any AI-platform tokens that lived on an affected machine. -
Rotate everything else. GitHub PATs and OAuth tokens, npm tokens, AWS/GCP/Azure credentials, Kubernetes service account tokens, Vault tokens, SSH keys, and 1Password sessions. Assume each was harvested.
-
Pin GitHub Actions to commit SHAs, not tags. A tag can be force-pushed to a malicious commit; a full commit SHA cannot. This single control would have blunted several stages of the campaign.
-
Do not trust provenance alone. The Miasma wave produced artifacts with valid SLSA attestations because the genuine pipeline ran attacker-injected code. Provenance answers “where did this come from,” not “is this safe.” You still need to verify what the pipeline actually did.
-
Block install-time execution where you can. Use
npm ci --ignore-scriptsin CI, and recognize that lifecycle-script monitoring is no longer sufficient on its own — the Phantom Gyp technique proved attackers will route around it viabinding.gyp. -
Enforce a minimum release age for dependencies. Several victims were saved (or would have been) by refusing to auto-adopt brand-new versions. Note the cautionary tale: Nx had configured a
minimum-release-agesafeguard, but an older package manager version silently ignored the unknown config key rather than enforcing it. Verify your tooling actually honors the setting. -
Treat your IDE and its extensions as production infrastructure. Pin extension versions, disable auto-update on high-privilege machines, and apply the same scrutiny to a 2.2-million-install extension that you would to any other dependency.
Why this keeps working
Every stage of this campaign exploited the same underlying truth: the tools we trust to make development safer run with privileged access to everything else. A vulnerability scanner reads your code and your secrets. A CI/CD pipeline holds your publish tokens. An IDE extension runs with your user’s full permissions. And now an AI coding assistant holds keys and broad, standing access to your repositories.
Scanners and signature databases tell you which versions are known to be bad. They are essential, and the StepSecurity-style real-time databases that flagged these packages within minutes saved real organizations. But signatures are inherently backward-looking — they catch what has already been identified.
The harder question is forward-looking: if an attacker lands a stolen token in your CI/CD environment or your developer’s IDE today, what can they actually reach? That is an exploitability question, and it is exactly what autonomous, agentic AI penetration testing is built to answer. Instead of listing which dependencies might be vulnerable, Revaizor validates the real lateral movement paths a compromised credential opens — across your pipeline, your cloud, and your secrets — so you find the blast radius before an attacker does. This is the difference we covered in detail in AI pentesting vs. vulnerability scanners: scanners find potential issues; continuous validation proves real ones.
The TeamPCP campaign is the clearest argument yet that supply chain security cannot stop at “is this package on a blocklist.” It has to extend to “if this trusted thing is compromised, what happens next.” Answering that, continuously, is the work.
FAQ
Is the June worm activity still TeamPCP, or a copycat?
Both, effectively. Vendors trace the June malware (Miasma, Phantom Gyp) to the TeamPCP lineage based on shared infrastructure and payload patterns. But because TeamPCP open-sourced its worm framework on May 12, security researchers explicitly caution that copycats using the public toolkit cannot be ruled out. The practical answer for defenders is that attribution matters less than exposure — the technique is now widely available.
What is the single most important version to check for?
Nx Console nrwl.angular-console version 18.95.0. It was the delivery mechanism for the GitHub breach and the first AI-credential heist. If you had it installed with auto-update around May 18, remediate and rotate. Safe version: 18.100.0 or later.
Why does stealing ~/.claude/settings.json matter?
Claude Code configuration files can contain API keys, project system prompts, and tool permission settings. In enterprise deployments, an AI coding assistant may have broad read-write access to your codebase. Stealing its configuration can hand an attacker a standing, privileged foothold into your development workflow — not just a single API key.
What is “Phantom Gyp”?
A technique that abuses a small binding.gyp file (about 157 bytes) to trigger code execution during npm install. It matters because it bypasses preinstall/postinstall script monitoring — the defenses most teams deployed after earlier waves. It is a reminder that install-time execution in npm has multiple vectors, not one.
We use SLSA provenance. Aren’t we protected?
Not by itself. In the June 1 Miasma wave, malicious releases carried valid SLSA attestations because the genuine pipeline executed attacker-injected workflow steps. Provenance proves an artifact’s origin; it does not prove the origin was uncompromised. Use it alongside — not instead of — pipeline integrity controls and behavioral validation.
How is this connected to the March attacks?
Directly. This is the continuation of the same campaign we covered in our Trivy, LiteLLM, and Telnyx posts. The same credential-cascade model — compromise a trusted tool, harvest secrets, pivot to the next target — escalated from third-party tools in March to GitHub’s own infrastructure and an open-sourced worm by June.
Further reading
- SANS ISC: TeamPCP Supply Chain Campaign — Activity Through 2026-06-07 — Running timeline and federal response
- Nx Blog: Postmortem of the Nx Console v18.95.0 compromise — First-party incident report
- GitHub Advisory GHSA-c9j4-9m59-847w — Official Nx Console advisory and IOCs
- StepSecurity: Miasma / Phantom Gyp analysis — Technical breakdown of the binding.gyp technique
- Cloud Security Alliance: TeamPCP Multi-Ecosystem Supply Chain Worm — Research note on the full campaign
- Security Boulevard: The Miasma campaign and the developer credential economy — On the underground market for stolen credentials
- Revaizor: Trivy Supply Chain Attack Explained — Where the campaign began
- Revaizor: The TeamPCP Telnyx Campaign Timeline — The March campaign in full
- Revaizor: AI Pentesting vs. Vulnerability Scanners — Why validation beats signature matching
This article will be updated as new information becomes available. Last updated June 29, 2026.