“It is the recommended way to pull in vulnerability patches quickly. TeamPCP exploited that very habit. Upstream CI/CD workflows... / “OSS trust was broken. It was proven before it was fixed” https://htn.to/29Mbw5AgRx #programming #OSS #security #TeamPCP #npm #Trivy #workflow #GitHub
OSS Trust Was Broken. It Was Proven Before It Was Fixed

TeamPCP contaminated more than 1,000 OSS packages in four months, mounting a supply chain attack whose scale reached 500 million weekly downloads. The technique is not new. It struck, with overwhelming speed and scale, a flaw in the trust model that the industry knew about and left unaddressed. npm announced a historic shift in its July v12 release, disabling automatic script execution by default, but the attack surface also extends to CI/CD workflows and VS Code extensions.

情報の灯台

TeamPCP Exploits Open-Source Trust Model in Mass Software Compromise

In a shocking display of cunning, TeamPCP has compromised over 1,000 software packages in under four months, injecting malicious code and redefining the notion of trust in open-source supply chains. This brazen attack has left a trail of destruction, with roughly 500 million weekly downloads affected across major…

https://osintsights.com/teampcp-exploits-open-source-trust-model-in-mass-software-compromise?utm_source=mastodon&utm_medium=social

#OpensourceCompromise #SupplyChain #EmergingThreats #Teampcp #SoftwarePackageCompromise

Learn how TeamPCP exploited open-source trust to compromise over 1,000 software packages and take action now to protect your supply chain from similar threats effectively today.

OSINTSights

🕵🏻‍♂️ [InfoSec MASHUP] 24/2026 - npm v12 Is the Apology. The Malware Section Is the Receipt.

Last week's question was why the software ecosystem keeps shipping holes and handing the cleanup bill to operational teams. This week #npm answered, at least partially. npm v12 will block automatic code execution during install by default — no more preinstall scripts running silently, no more Git dependencies or URL-based packages pulling in whatever they feel like. Developers will have to explicitly opt in. It's the right call, it's what the supply chain attack surface has been screaming for across months of #CanisterWorm, Shai-Hulud, IronWorm, and Megalodon campaigns, and it arrives roughly four years after the attack pattern became impossible to ignore.

The #malware section this week is, as ever, the context that makes the fix legible. Nineteen PyPI packages trojaned via .pth startup hooks. A WinRAR flaw from last year still fueling active campaigns against Ukrainian organizations. #TeamPCP back with CanisterWorm. The backlog of techniques that predate npm v12 isn't going anywhere — and the install-time execution block doesn't touch the packages already in production, the developers who won't upgrade immediately, or the registries that aren't npm. It's a meaningful fix to a well-understood problem. It's also, by the industry's own timeline, a very belated one.

→ Week #24/2026 also covers: Microsoft patched 200 flaws and three zero-days, Cisco's SD-WAN hit its seventh exploited zero-day of the year, and #ShinyHunters went after Oracle PeopleSoft at 100+ universities

Full issue 👉 https://infosec-mashup.santolaria.net/p/infosec-mashup-24-2026-npm-v12-is-the-apology-the-malware-section-is-the-receipt

If you find it useful, subscribe to get it in your inbox every weekend 📨

#infosecMASHUP #cybersecurity #infosec #threatintel #AI

Plus: Microsoft patched 200 flaws and three zero-days, Cisco's SD-WAN hit its seventh exploited zero-day of the year, and ShinyHunters went after Oracle PeopleSoft at 100+ universities

X’s InfoSec Newsletter

🚨 NEWS: TeamPCP poisons open-source code on GitHub: the largest wave of attacks on the software supply chain

Here are the key points in brief:
💡 The software development community is living through one of its deepest crises of trust in recent years. A hacker group known as TeamPCP is conducting a sys...

🚀 LINK: https://meteoraweb.com/news/teampcp-avvelena-il-codice-open-source-su-github-la-piu-grande-ondata-di-attacchi-alla-supply-chain-software

#github #openSource #teamPCP #softwareSecurity #supplyChainAttack

#TeamPCP was yesterday – enter #Megalodon

TeamPCP had contaminated around 3,800 repositories on GitHub. Now Megalodon arrives and poisons 5,561 repos in one go (as of 2026-05-22). With that we are witnessing yet another supply chain attack, even larger than the one by TeamPCP. Many questions remain open, for example whether there is a connection between TeamPCP and Megalodon (apart from the fact that both are sophisticated supply chain attacks). Spoiler: Megalodon appears to be separate and independent from TeamPCP. Why do these attacks affect all of us, when it is only developers' accounts and repos that get corrupted?

This affects all of us for two reasons:

https://www.pc-fluesterer.info/wordpress/2026/05/29/teampcp-war-gestern-auftritt-megalodon/

#General #Recommendation #Background #Warning #Website #foss #github #npm

TeamPCP was yesterday – enter Megalodon | pc-flüsterer bremen

TeamPCP hacked internal GitHub repos via poisoned VS Code extension, stealing 4K private repos & demanding $50K ransom. https://jpmellojr.blogspot.com/2026/05/github-breach-development-ecosystem-is.html #GitHub #TeamPCP #SupplyChainAttack #AppSec #DevSecOps

🕵🏻‍♂️ [InfoSec MASHUP] 21/2026 - The Supply Chain Didn't Break. It Was Walked.

This week's issue reads like a case study in cascade failure. A malicious VS Code extension on one #GitHub employee's device leads to 3,800 internal repositories exfiltrated — by #TeamPCP, the same group that poisoned 170 npm and #PyPI packages last week. #Grafana gets breached via a token nobody rotated after the TanStack attack, itself a TeamPCP operation. A GitHub Action used by thousands of projects gets compromised and starts exfiltrating CI/CD credentials. And somewhere in a public GitHub spreadsheet, CISA contractor credentials — including #AWS GovCloud keys — sat waiting to be found.

These aren't four separate incidents. They're one incident with four manifestations. The supply chain isn't a vector anymore; it's the terrain. Developer tooling, CI/CD pipelines, third-party actions, tokens issued and forgotten — all of it is now actively mapped and exploited with a persistence that makes the traditional "patch and move on" response look quaint. The Verizon DBIR dropped this week noting that third-party compromise is surging. The week's news was already illustrating the point before the report landed.

→ Week #21/2026 also covers: fast16 predated #Stuxnet and corrupted nuclear simulations quietly, #Pwn2Own Berlin paid $1.3M for 47 bugs, and #Bluesky got hijacked for Russian propaganda.

Full issue 👉 https://infosec-mashup.santolaria.net/p/infosec-mashup-21-2026-the-supply-chain-didn-t-break-it-was-walked

If you find it useful, subscribe to get it in your inbox every weekend 📨 #infosecMASHUP #cybersecurity #infosec #threatintel #AI

Plus: fast16 predated Stuxnet and corrupted nuclear simulations quietly, Pwn2Own Berlin paid $1.3M for 47 bugs, and Bluesky got hijacked for Russian propaganda

X’s InfoSec Newsletter

Megalodon: 5,561 GitHub repositories compromised in six hours with malicious CI/CD workflows

In six hours on 18 May 2026, the automated Megalodon campaign injected 5,718 malicious commits into 5,561 GitHub repositories, exfiltrating cloud credentials, SSH keys and CI/CD secrets to an external C2. The operation, linked to the TeamPCP group, is one of the fastest software development supply chain attacks ever documented and pushed npm to invalidate thousands of access tokens with 2FA bypass.

https://insicurezzadigitale.com/megalodon-5-561-repository-github-compromessi-in-sei-ore-con-workflow-ci-cd-malevoli/

📰 TeamPCP Threat Actor Breaches TanStack in 'Mini Shai-Hulud' Supply Chain Campaign

💸 Financially motivated group TeamPCP compromises popular TanStack library in 'Mini Shai-Hulud' supply chain campaign. The attack on npm/PyPI ecosystems uses malicious packages to steal developer credentials. #SupplyChain #TeamPCP #TanStack #npm

🌐 cyber[.]netsecops[.]io

🔗 https://cyber.netsecops.io/articles/teampcp-mini-shai-hulud-campaign-breaches-tanstack-in-widespread-supply-chai…

Attack on GitHub: data from 3,800 internal repositories siphoned off

GitHub has confirmed an attack via an extension for Visual Studio Code. The stolen data is apparently being offered for sale on a cybercrime forum.

heise online