TeamPCP Compromises Over 1,000 Open-Source Packages in Four-Month Supply-Chain Rampage
The threat actor TeamPCP has injected malicious code into more than 1,000 open-source packages since February 2026, exploiting CI/CD pipelines and AI-driven deployment to steal cloud credentials.
TeamPCP is on a rampage through open-source software. In less than four months, the threat actor has compromised and injected malicious code into more than 1,000 software packages. The extraordinary spree has transformed how software developers and maintainers distribute and manage their code, as their dependencies and repositories have become one of the most effective and prevalent attack vectors this year.
While there has been a host of technical exploits, TeamPCP’s greatest attack has been the uprooting of trust — repeatedly proving that most organizations fail to verify the code they ingest into their systems is legitimate, abusing a nearly blind faith that much of the software development industry relies on to power today’s modern economy. Starting with Trivy in February, TeamPCP’s attacks have shaken that trust many times over.
The scale of TeamPCP’s attacks lies partly in the automated systems companies use to deploy code, like CI/CD pipelines. It is also capitalizing on new security gaps created by developers’ increasing reliance on AI. Yet, with relatively low effort and unoriginal tactics, TeamPCP is wrecking open-source frameworks and underlying systems at levels the technology community has rarely reckoned with.
“Developers didn’t do a great job of analyzing the security of their open-source dependencies before but, now with AI, there’s in some cases virtually no human in the loop or any kind of sanity check on what these tools are doing,” Feross Aboukhadijeh, founder and CEO at Socket, told CyberScoop. “You have agents installing packages that haven’t been vetted. When an attacker gets in, the impact is even broader because there’s less checks and balances to stop it from affecting everybody.”
TeamPCP hasn’t identified a new problem or proved anything novel. The crux of these attacks hinge on a central theme — defensive vulnerabilities the entire software industry has known about for years. Researchers and developers know the open source trust model is broken and susceptible to sabotage. Yet, the software industry has not fixed this problem.
“The speed and scale of these attacks is what makes it most notable, not necessarily the methodology behind it, because at the core it is really about exploiting third-party trusts that we have,” said Kimberly Goody, senior manager at Google Threat Intelligence Group.
Google attributes the activity to one core operator, tracing residential and mobile IP address connections to South Africa. Palo Alto Networks tracks the core manager under the handle 'ResoluteXBF' and two additional members: 'diencracked' and 'Shinigami.' TeamPCP's claimed victim list includes Checkmarx, Bitwarden, LiteLLM, Telnyx, SAP, GitHub, Microsoft, Red Hat, and many others. The full collection of compromised packages accounts for roughly 500 million weekly downloads combined, according to Nathaniel Quist, manager of cloud threat intelligence at Palo Alto Networks.