Sandstorm-style Poisoning Targeting Developer Tool Supply Chains: Sample, Technical, and Tactical Analysis of the TeamPCP Organization (Part 1)

Abstract

TeamPCP is an emerging attack organization that has been extremely active recently (it became active at the end of 2025) and has quickly attracted attention. It focuses on the development ecosystem of GitHub Actions, npm, CI/CD pipelines and cloud development environments, where it carries out systematic, large-scale intrusion and poisoning. Every point it breaks through can spread quickly downstream along distribution and call relationships, forming a threat cascade that keeps expanding. The information assets it steals are concentrated on credentials: GitHub and cloud service credentials, authentication tokens, service accounts, API keys and the like. It is a threat actor focused on acquiring token credentials. In the traditional picture, software supply chain attacks are targeted, long-term and covert. TeamPCP does the opposite: it has built a new “sandstorm” attack paradigm of blanket coverage, poisoning in bulk to get into as many “cracks” as possible and harvest illicit profits in batches. It does not care how long any single foothold stays hidden, and it even carries out high-profile operations such as open-sourcing its tools and offering bounties, both to maximize its working surface and to create interference for attribution. The conditions that make this mode of operation possible are the rapid expansion of exposure in the AI era and the fact that the global developer ecosystem’s trusted upstream/downstream division of labor and efficient, collaborative links have become a collective “mental defect” of the global IT system. TeamPCP’s attack activities are themselves increasingly AI-enabled: this includes AI-assisted malware writing, and its overall attack strategy, anti-attribution measures and construction of interference items also appear to be guided by comprehensive AI-assisted planning.
TeamPCP is not just an attack team. By turning its attack capability into a dynamic pool of token credentials, it can cooperate with extortion groups and other black and gray market groups, making itself an upstream “ecosystem” for the underground economy. When an attack builds an incremental revenue cycle with a strong demonstration effect, it accelerates. This is a new paradigm-level threat challenge following RaaS and FaaS.

TeamPCP’s most recent typical activity is the Mini Shai Hulud open source software supply chain poisoning attack that broke out on May 12, 2026, which spread to several well-known software projects by contaminating more than 2100 software packages. The day after the attack broke out, TeamPCP published the complete source code and instructions of the worm on GitHub. Related attacks have continued to develop since then. On May 18, an automated attack code-named “Megalodon” planted 5718 malware implants in 5561 GitHub projects within 6 hours. On May 19, a malware variant went on to contaminate 643 software packages. On May 21, it was confirmed that the malicious attack module carried by another worm came from the same group as this attack.

The related attacks and samples are referred to as “Sandworm” (沙虫) in China. However, “Sandworm” is already in use as a common name for another attack organization in the industry’s historical threat analysis, including in the Antiy threat intelligence system, so we use the term “Sandstorm” to avoid confusion and public interference with the attribution issue.

Starting from the above attacks, Antiy CERT conducted a targeted analysis, organized as two long reports.

Sandstorm-style Poisoning Targeting Developer Tool Supply Chains (Part 1)

Antiy selected five typical samples from thousands of samples related to the TeamPCP organization and analyzed them comprehensively with the assistance of Antiy AVL Code AI. These five samples cover the organization’s attacks across package poisoning, payload delivery, self-propagation and credential theft, and systematically reconstruct its complete chain from leaking the worm source code and offering public bounties to carrying out large-scale automated attacks. The report focuses on the organization’s threat profile, sample analysis, core attack characteristics, traces of AI generation in the malicious code, and multi-dimensional geographical and cultural clues, in order to reveal its contradictory characteristics and the design logic of its attribution interference.

This report is aimed at government and enterprise operation and maintenance personnel, network security operators, IT product developers, and security regulatory agencies. It focuses on basic core information such as attack organization background, attack characteristics, typical sample analysis, traceability clue research and judgment, covering attack situation and attack technical evidence. It is applicable to security notification, risk self-examination and situation report, and helps relevant units to quickly grasp the overall threat picture and implement basic prevention and control.

The Collapse of Sand Dunes in the AI Era: Supply Chain Security Challenges Under the TeamPCP Attack Model (Preview)

This report is aimed at software development and operations staff and at practitioners in the software and AI fields. It combines technical research on supply chain scenarios with strategic defensive thinking, covering the multi-dimensional causes that catalyze the threat, the evolution trends of supply chain attacks, and scenario-based defense solutions. It focuses on digging into mechanisms, breaking down causes and building a high-level defense system, showing an understanding of the entire supply chain attack chain in the AI era.

If readers are concerned about details not covered in this report, Antiy CERT will issue a separate supplementary report.

1. TeamPCP Organizational Structure and Basic Profile

1.1      Naming of the TeamPCP Organization

TeamPCP (also known as DeadCatx3, PCPcat, PersyPCP, ShellForce and UNC6780) has been active since the second half of 2025. It is a high-risk cybercriminal organization focused on software supply chain poisoning, CI/CD pipeline penetration, open source ecosystem contamination and credential theft, and it mainly launches large-scale attacks on global developer infrastructure. Microsoft, Google and other vendors track it under the unified identifier UNC6780.

TeamPCP is the name the organization uses for itself. Its Telegram channel is @team_pcp (founded in November 2025; the earlier channel name was @Persy_PCP). Its statements in the channel include “you may already know us as TeamPCP or Shellforce… CipherForce is a new project”. It posts on the BreachForums forum signing as TeamPCP [Co-Owner], and many of its samples contain the string “TeamPCP Cloud stealer”.

Its organization, actions, and tool history are shown in the table below.

| Code name | Code type | Naming meaning analysis | Core usage scenarios |
| --- | --- | --- | --- |
| TeamPCP | Organization owner self-proclaimed/social platform code | PCP implies mass poisoning and large-scale pollution of the software supply chain for the attacker circle; Team works together on behalf of the gang. | External core identity, used for public activities such as GitHub, attacker forum, reward challenge, etc. |
| PCPcat | Early attack code | PCP binding organization identification, cat (cat) is a commonly used hidden nickname for the attacker circle. | December 2025 React2Shell large-scale npm supply chain poisoning operation exclusive code |
| DeadCatx3 | Tool/source code | DeadCat (dead cat) fits the dark attack style, x3 represents the third generation tool variant | GitHub account ID used to publish the source code of the Mini ShaiHulud worm and attack tool. |
| PersyPCP | Early social platform code | Persy is taken from Perseverance, implying continuous penetration and stubbornly latent. Suffix binding PCP main logo | Telegram social accounts, release attack notice, reward announcement, threat intelligence |
| ShellForce | Ransomware attack codename | Shell (system backdoor/command line), Force (violent intrusion), highlighting the intrusion and deterrence properties | Use of data leakage and blackmail attack scenarios |
| UNC6780 | Tracing number of two manufacturers | UNC is the exclusive number of non-national background cyber criminal organizations in Microsoft’s threat intelligence system, and the 6780 is to assign ID. | Internal traceability and report labeling of security vendors such as Microsoft and Google |

1.2      Characteristics of the organization’s core attack

Based on captured attack samples, public attack events and security intelligence analysis, TeamPCP differs from traditional cyber attack groups and shows distinctive new supply chain attack characteristics. The core characteristics are summarized in the following table.

| Core features | Plain-language interpretation |
| --- | --- |
| Specializes in the software supply chain | Does not carry out phishing attacks on conventional endpoints and employees; focuses on core development facilities such as GitHub, npm, PyPI and CI/CD pipelines, where breaking a single point can affect a large number of downstream projects. |
| Stealing high-privilege credentials is the core | Focuses on stealing permission credentials such as GitHub identity tokens, cloud platform keys and API keys. The permission level of such credentials is much higher than that of ordinary account passwords. |
| Deeply leverages CI/CD automation | Hijacks automated code build and release pipelines to implant and distribute malicious code automatically, so the attack spreads very fast. |
| Fast-in, fast-out attack mode | After obtaining target permissions, quickly steals credentials, spreads malware and withdraws, adapting to the short lifetime of cloud platform tokens and avoiding tracing. |
| Open diffusion of attack capability | Proactively open-sources the complete worm source code and launches a reward contest to encourage anonymous attackers around the world to cooperate and expand the scope of the attack. |
| Diversified attack revenue model | Not only launches attacks independently for profit, but also resells stolen cloud and repository permissions on the black market, forming a closed revenue loop. |
| Focus on the AI-related development ecosystem | Prioritizes attacks on AI frameworks, large language model agents, Python AI dependency packages, AI plug-ins and other emerging development components. |

1.3      Key Attack Incidents and Sample Size

Since TeamPCP became active at the end of 2025, it has launched more than 20 large-scale, cross-ecosystem supply chain attacks. Its malicious activities cover mainstream development infrastructure such as npm, PyPI, GitHub Actions, VS Code extensions and CI/CD pipelines, contaminating more than 500 open source software packages and tool components, with the overall number of malicious samples reaching hundreds to thousands. Among them, the most influential Mini Shai-Hulud worm attack contaminated 323 independent software packages and generated 639 malicious versions in a single round, proliferating at scale within a short period and posing a continuous threat to the global open source ecosystem.

The organization’s landmark attacks show a clear path of tactical evolution: early on it focused on targeted poisoning of a single development tool, then gradually moved to a more advanced mode of open weaponization, bounty incentives and automated batch attacks. Typical events include: successfully intruding into the release process of the Trivy security tool, poisoning code and stealing keys by tampering with the CI/CD pipeline; contaminating the LiteLLM component in the AI development ecosystem, focusing on stealing cloud platform API keys and container environment credentials; breaching the TanStack project’s protections and, for the first time in a real attack scenario, breaking through the SLSA Build Level 3 supply chain trust model; proactively publishing the complete source code and instructions of the Shai-Hulud worm, lowering the attack threshold and promoting the spread of threat capabilities; launching a reward and sabotage competition together with the BreachForums attacker forum to attract attackers worldwide with high incentives; and launching the automated attack code-named Megalodon, which pushed malicious commits to thousands of GitHub repositories in batches within a short time to achieve indiscriminate supply chain contamination. Overall, TeamPCP’s attacks are high-frequency, large-scale, open and automated, and have formed a complete closed loop of attack and diffusion.

1.4      AI-aided generation of attack payloads

According to security intelligence verification of the thousands of Shai-Hulud series worm samples released by TeamPCP, the malicious scripts show traces of AI-assisted generation, but the core attack logic was designed and implemented manually.

In terms of sample details, the worm’s early Bash scripts contain a large number of AI generation features, such as redundant comments, emoticons and formatted text. Security vendors assess with medium confidence that this content was generated with the assistance of a large language model (LLM). However, the core functional modules, such as the attack chain design, credential theft logic, CI/CD vulnerability exploitation and worm propagation strategy, were all custom-developed manually by the attackers.

After the worm source code was made public, global attackers derived a large number of variant samples based on the secondary modification of the original code. Such derived samples do not belong to the scope of TeamPCP native development.

2. Core Attack Incidents and Tactical Evolution of TeamPCP

2.1      The Rise and Evolution of TeamPCP

To understand the geopolitical implications of TeamPCP action, we must first grasp the path of its technological evolution. The group’s attacks are not isolated incidents, but a chain of incremental escalation that extends from September 2025 to May 2026. This chapter analyzes the rise of TeamPCP, key turning points, and the two waves of Mini Shai-Hulud and Megalodon coordinated attacks under a unified framework.

TeamPCP has been active since the second half of 2025. Its early activity was dominated by supply chain attacks targeting CI/CD pipelines and the npm ecosystem, but what really drew global attention was the large-scale React2Shell operation in December 2025.

| Time | Incident | Impact scale |
| --- | --- | --- |
| 2025-09-08 | Chalk/Debug cryptojacking attacks | 18+ packages, 2 billion+ weekly downloads |
| 2025-09-14 | Shai-Hulud worm first appeared | 517+ packages |
| 2025-11-24 | “Second Coming” fake Bun runtime | 1,100+ packages |
| 2026-03-19 | Trivy scanner supply chain breach | Almost all versions are contaminated |
| 2026-05-11 | Mini Shai-Hulud / TanStack | 408+ packages, first cross-PyPI |
| 2026-05-12 | Shai-Hulud open source (MIT License) | Capability diffusion milestone |
| 2026-05-12 | BreachForums reward $1,000 | Encourage third-party use |
| 2026-05-18 | Megalodon operation | 5,561 repositories backdoored |
| 2026-05-19 | Mini Shai-Hulud / AntV (atool) | 643 versions, 323 packages |
| 2026-05-19 | durabletask PyPI worm | Rope/Koschei payload |
| 2026-05-20 | Web3/DeFi MCP phishing | 10 packages |
| 2026-05-21 | Polymarket wallet theft | 9 packages |

The key turning point came on May 12, 2026. TeamPCP published the complete source code of the Shai-Hulud worm on GitHub under the MIT license and launched a $1,000 “destruction contest” on BreachForums. This behavior has implications on multiple levels:

  • Lower attack threshold: the open source code and usage documents reduce the technical threshold.

  • Attribution interference: a large number of attackers enter the field, making it difficult to distinguish the original attacker from imitators.

2.2      Mini Shai-Hulud: The “Breakpoint” of the Supply Chain

On May 11, 2026, TeamPCP uploaded 84 malicious packages to the npm registry within 6 minutes, targeting 42 packages belonging to the well-known open source project TanStack. The attacker hijacked TanStack’s official CI/CD pipeline, stole the GitHub OIDC identity token, and generated software supply chain attestations conforming to the SLSA Build Level 3 standard, giving the malicious packages a trusted endorsement identical to that of an official release. This is the first publicly reported supply chain poisoning incident to break through the SLSA Build Level 3 trusted attestation system in a real attack scenario.

The core technical points of this attack are as follows:

  • SLSA Build Level 3 Security Mechanism

SLSA (Supply-chain Levels for Software Artifacts) is a common framework in the field of software supply chain security, and Build Level 3 is the current mainstream high-level trusted attestation standard. This level requires that the software package be generated automatically by the official build tool and verified by the platform, to ensure that the package is released through a legitimate channel and has not been tampered with.

  • Attack Breakthrough Logic

The attack did not forge or tamper with attestation documents. Instead, it directly took control of the official CI/CD pipeline and the OIDC token used to generate the attestation, and used the hijacked legitimate identity to produce a compliant SLSA attestation. As a result, traditional mechanisms could not identify the malicious packages during downstream verification, achieving “legitimate poisoning”.

  • High-risk vulnerability chain exploitation (CVE-2026-45321, CVSS 9.6)

The attack forms a high-risk vulnerability chain by combining three GitHub platform vulnerabilities. The key steps include:

    • pull_request_target trigger abuse: uses the permission characteristics of the trigger so that externally submitted code obtains repository modification permission.

    • CI/CD cache poisoning: injects malicious code into the pipeline build cache so that it is loaded and executed in subsequent builds.

    • OIDC token theft: steals the official identity token directly from the running process.

2.3      Megalodon: A “Dust Storm” of Five Thousand Submissions in Six Hours

If the Mini Shai-Hulud attack resembles a precision-guided strike, the Megalodon operation on May 18 was carpet bombing. In the six hours between 11:36 and 17:48 UTC, TeamPCP pushed 5,718 malicious commits to 5,561 different GitHub repositories. The attackers used throwaway GitHub accounts with random 8-character names, forged automated identities such as build-bot and ci-bot, and disguised their commit messages as routine CI maintenance.

The Megalodon payload is injected directly into GitHub Actions workflow files as base64-encoded bash scripts designed to steal CI secrets, cloud credentials, SSH keys, OIDC tokens and source code secrets. Two variants are particularly dangerous: SysDiag fires on every push, while Optimize-Build uses workflow_dispatch to stay dormant. More noteworthy still, TeamPCP infected GitHub employee devices through the poisoned Nx Console VS Code extension, resulting in the exfiltration of about 3,800 internal GitHub repositories, which were subsequently sold for $50,000.

| Characteristics | SysDiag | Optimize-Build |
| --- | --- | --- |
| Trigger condition | push (all branches), pull_request_target | workflow_dispatch (trigger on demand) |
| Effect | Automatic per push/PR | Attackers can trigger on demand via GitHub API |
| Goal | Large-scale, wide-spread net | Directed persistence backdoor |
| Permission request | id-token: write, actions: read | As above |
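A defender-side check for the workflow traits described in 2.2 and 2.3 (pull_request_target triggers, dormant workflow_dispatch triggers, `id-token: write`, and base64-encoded shell in run steps). This is an added example, not code from the report or from any TeamPCP tooling; the sample workflows are constructed, the flag names and verdicts are this example's own, and the line-based trigger parsing is a heuristic rather than a full YAML parser.

```python
import base64
import re

B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
SHELL_HINT = re.compile(r"\b(curl|wget|bash|sh|env|printenv)\b")
OIDC_WRITE = re.compile(r"^\s*(id-token:\s*write|permissions:\s*write-all)\s*$", re.M)
# Checking out the PR head under pull_request_target runs untrusted code with repo rights.
PR_HEAD_REF = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")


def triggers(text):
    """Return the event names under the workflow's top-level `on:` key."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"""^["']?on["']?:\s*(.*)$""", line)
        if not m:
            continue
        inline = m.group(1).split("#")[0].strip()
        if inline:  # `on: push` or `on: [push, pull_request_target]`
            return set(re.findall(r"[a-z_]+", inline))
        found, child_indent = set(), None
        for sub in lines[i + 1:]:
            if not sub.strip() or sub.lstrip().startswith("#"):
                continue
            indent = len(sub) - len(sub.lstrip())
            if indent == 0:
                break  # the next top-level key ends the on: block
            if child_indent is None:
                child_indent = indent
            if indent == child_indent:
                key = re.match(r"\s*-?\s*([a-z_]+)", sub)
                if key:
                    found.add(key.group(1))
        return found
    return set()


def hides_shell(text):
    """True if a long base64 literal in the file decodes to something shell-like."""
    for blob in B64_BLOB.findall(text):
        try:
            decoded = base64.b64decode(blob + "=" * (-len(blob) % 4)).decode("utf-8")
        except ValueError:  # covers bad base64 and non-UTF-8 output
            continue
        if decoded.startswith("#!") or SHELL_HINT.search(decoded):
            return True
    return False


def audit(text):
    """Classify one workflow file as 'block', 'review' or 'ok'."""
    trig, flags = triggers(text), set()
    if OIDC_WRITE.search(text):
        flags.add("id-token-write")
    if hides_shell(text):
        flags.add("encoded-shell")
    if "pull_request_target" in trig:
        flags.add("pull_request_target")
        if PR_HEAD_REF.search(text):
            flags.add("pr-head-checkout")
    if {"encoded-shell", "id-token-write"} <= flags:
        verdict = "block"
    elif flags & {"encoded-shell", "pr-head-checkout"} or \
            {"pull_request_target", "id-token-write"} <= flags:
        verdict = "review"
    else:
        verdict = "ok"
    return {"triggers": trig, "flags": flags, "verdict": verdict}


# Constructed samples: the encoded script is a harmless echo, not a real payload.
SAMPLE_B64 = base64.b64encode(
    b'#!/bin/bash\necho "constructed sample, no real payload"\n').decode()
JOB = f"""jobs:
  run:
    runs-on: ubuntu-latest
    steps:
      - run: echo "{SAMPLE_B64}" | base64 -d | bash
"""
PERMS = "permissions:\n  id-token: write\n  actions: read\n"
SYSDIAG_LIKE = ("name: SysDiag\non:\n  push:\n    branches: ['**']\n"
                "  pull_request_target:\n" + PERMS + JOB)
OPTIMIZE_LIKE = "name: Optimize-Build\non: workflow_dispatch\n" + PERMS + JOB
BENIGN = """name: CI
on:
  push:
    branches: [main]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm test
"""

if __name__ == "__main__":
    for label, wf in (("sysdiag-like", SYSDIAG_LIKE), ("optimize-like", OPTIMIZE_LIKE),
                      ("benign", BENIGN)):
        result = audit(wf)
        print(label, result["verdict"], sorted(result["triggers"]), sorted(result["flags"]))
```

Run it over every file under `.github/workflows/` in a repository and compare the result with the previous commit; a workflow that newly gains both flags in a commit from an unfamiliar bot-style author matches the pattern in the table above.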

2.4      The Coordination Logic of Two Waves of Attacks

Mini Shai-Hulud and Megalodon are not two independent operations, but a coordinated attack on two different levels of the AI developer supply chain. The first wave attacks the package registries (npm/PyPI) and implants malware during the dependency installation phase. The second wave attacks the CI/CD infrastructure (GitHub Actions) and steals keys during the build execution phase. Together, they cover the complete software delivery lifecycle from dependency installation to workflow execution, and both install persistent hooks in AI coding tools, including Claude Code and VS Code.

CSA research points out that this layered attack mode shows that the attackers have a deep understanding of the AI developer ecosystem: AI frameworks, model integration libraries and development tools occupy a uniquely privileged position in modern software production, with access to source code and keys during the development phase and with their output deployed directly to AI-enabled production systems. By gaining a foothold at this layer, the attacker gains both immediate credential access and a persistent foothold into the next generation of deployments.

3. Attack Techniques and Attack Analysis Corresponding to the Sample

The five samples in this analysis are representative of the thousands of samples Antiy captured from the TeamPCP series of attacks, covering typical payload types at different stages of the attack chain. The analysis is based on the results of Antiy AVL Code AI.

Table 3-1 Sample Selection Description and Overview

| MD5 | Type | File size | Attack chain role | Corresponding attack wave |
| --- | --- | --- | --- | --- |
| and… | Python ZIP | 28KB | Credential aggregation Trojan (stage-2) | durabletask PyPI worm |
| C5324C4ADA09288ECEBC42CFC9DB8A3F… | npm package | 22MB | Supply chain infection payload | Mini Shai-Hulud AntV wave |
| C56E59EE44BF0D606353BDCED380166B… | JS/TS | 5.4MB | Self-replicating worm | Mini Shai-Hulud TanStack wave |
| C1D01AC7A9FBEBDF96C8F3023E6EC877… | | 25KB | Cloudware variant | TeamPCP common toolset |
| ED9E80087326C349FBB90F2E90C5A691… | | 25KB | Cloudware variant | TeamPCP common toolset |

3.1   Rope/Koschei—Credential-Stealing Trojan

Table 3-2 Counterfeit PyPI Package Sample Information Label

Virus name: Trojan/Python.ShaiHuludSupplyChain
Original file name: managed.pyz
MD5: 04750ABA368EEB2890E74D10FA0A50A3
File size: 28.03KB (28,703 bytes)
File format: ZIP
CVERC Collaborative Analysis Results: 6 / 14

Note: The malicious sample detection results in this report are derived from the National Computer Virus Collaborative Analysis Platform operated by the National Computer Virus Emergency Response Center (CVERC), which is an authoritative national malicious sample detection infrastructure in China, and the test results have official verification effect.

The sample is a packaged Python program in PYZ format. Its main function is to steal various configuration and credential information and send it back to the C2 server. Based on the Antiy AVL Code AI analysis, the overall structure of the sample is as follows:

Figure 3-1 Modular Architecture of the Falsified PyPI Package Sample

(Generated by Antiy AVL Code AI Agent based on the Virus Inspection Large Language Model (VILLM))

File type: Python ZIP archive

Test Name: Rope/Koschei (from SafeDep disclosure)

Technical Details:

  • Encrypted communication: The payload is encrypted with AES-256-GCM, with RSA-OAEP key encapsulation. This combination ensures the confidentiality and integrity of C2 communications.
  • C2 protocol: The GitHub API is used as the C2 channel (GitHub API C2). Instructions are issued and data is exfiltrated through Issues, Releases or Commits of public repositories, so the traffic blends into normal GitHub API traffic and is hard for network detection equipment to identify.
  • Credential collection scope:
    • AWS credentials (access keys, secret keys, session tokens for all profiles)
    • GCP access token (via gcloud auth print-access-token)
    • Azure IMDS endpoint metadata
    • SSH private keys, Docker authentication, .npmrc, .netrc
    • Kubernetes configuration, Vault tokens, Terraform credentials
    • Shell history
    • 30 secret regex patterns in source code (API keys, database connection strings, JWTs, PEM private keys)
  • Lateral movement: Spreads to up to 5 EC2 instances via AWS SSM SendCommand and to up to 5 pods via Kubernetes kubectl exec.
  • Persistence mechanism: Installs pgsql-monitor.service (Linux systemd) and pgmonitor.py as the persistence daemon.

Rope/Koschei is the stage-2 payload of the durabletask PyPI worm, delivered to the victim system as a Python ZIP archive (28KB). The payload uses AES-256-GCM encrypted communication with RSA-OAEP key encapsulation, and uses the GitHub API as its C2 channel: instructions are issued and data is exfiltrated through Issues, Releases or Commits of public repositories, so the traffic blends into normal GitHub API traffic.

The credential collection is extensive: AWS credentials (access keys, secret keys, session tokens for all profiles), GCP access tokens, Azure IMDS endpoint metadata, SSH private keys, Docker authentication, .npmrc, .netrc, Kubernetes configuration, Vault tokens, Terraform credentials, and 30 secret regex patterns in source code. Its lateral movement capability includes spreading to up to 5 EC2 instances via AWS SSM SendCommand and to up to 5 pods via Kubernetes kubectl exec.

3.2   @antv/li-sam-assets–npm Supply Chain Infection

Table 3-3 Counterfeit npm package sample information label

Virus name: Worm/Script.Shulud
Original file name: li-sam-assets-0.3.4.tgz
MD5: C5324C4ADA09288ECEBC42CFC9DB8A3F
File size: 21.01MB (22,031,009 bytes)
File format: GZIP
CVERC Collaborative Analysis Results: 4 / 14

The sample is a fake npm package in which the preinstall field in package.json is set to execute the obfuscated malicious script index.js, which is triggered when the user installs the npm package. Its main function is to steal all kinds of configuration and credential information and send it back to the C2 server. Based on the Antiy AVL Code AI analysis, the sample’s overall execution flow is as follows:

Figure 3-2 The complete attack chain of the forged npm package attack

(Generated by Antiy AVL Code AI Agent based on the VILLM)

File type: npm package (tgz format)
Attack Vector: preinstall hook
Technical Details:

  • Infection mechanism: Executed automatically at npm install time through the preinstall script, without user interaction. This is one of the highest-risk attack vectors in the npm ecosystem.
  • Obfuscation technique: Uses a custom stream cipher (CustomStreamCipher) to obfuscate the payload. The obfuscation algorithms revealed by reverse engineering include:
    • PBKDF2-HMAC-SHA256 key derivation (200,000 iterations)
    • Custom stream cipher based on Fisher-Yates shuffling
    • Output format: mixed IV (16 bytes) plus ciphertext
    • Decryption requires extracting the mixed IV from the output and then recovering the original IV through SHA256 key derivation
  • Credential theft targets: 20 credential types, including GitHub/CI tokens, AWS keys, GCP/Azure/Kubernetes service accounts, Vault tokens, SSH keys, Docker credentials, database connection strings
  • Container escape: Attempts container escape via the Docker host socket
  • C2 Address: t.m-kosche.com:443/api/public/otel/v1/traces (masquerading as an OpenTelemetry telemetry endpoint)
  • Beacon String: niagAoGeWereH:duluH-iahS (“Shai-Hulud:HereWeGoAgain” with its characters reversed)

The sample is an npm package (tgz format, 22MB) that is executed automatically at npm install time through a preinstall hook. Its obfuscation uses a custom stream cipher: PBKDF2-HMAC-SHA256 key derivation (200,000 iterations), a custom stream cipher based on Fisher-Yates shuffling, and an output format of mixed IV (16 bytes) plus ciphertext. The C2 address is disguised as an OpenTelemetry telemetry endpoint (t.m-kosche.com:443/api/public/otel/v1/traces), and the beacon string is “Shai-Hulud:HereWeGoAgain” with its characters reversed.

3.3   MiniShai-Hulud: Self-replicating Worm

Table 3-4 Worm sample information labels

Virus name: Worm/Script.Shulud
Original file name: ShaiHulud.zip
MD5: C56E59EE44BF0D606353BDCED380166B
File size: 5.18MB (5,430,672 bytes)
File format: ZIP
CVERC Collaborative Analysis Results: 7 / 14

The sample is a Node.js worm script that collects credentials and automatically infects npm packages. Based on the Antiy AVL Code AI analysis, the sample’s obfuscation techniques and overall process are as follows:

Figure 3-3 Worm Sample Obfuscation Technology Line

(Generated by Antiy AVL Code AI Agent based on the VILLM)

Figure 3-4 Worm sample analysis execution process

(Generated by Antiy AVL Code AI Agent based on the VILLM)

File Type: JavaScript/TypeScript
Attack Vector: TanStack release pipeline breach
Technical details:

  • Propagation: self-replication. After installation, an infected package tries to modify other npm packages and republish them.
  • Install hook: uses a prepare script (bun run tanstack_runner.js)
  • Credential scope: the same 20 credential types as above
  • Alternate exfiltration channel: GitHub repository creation (using the name format {dune-word}-{dune-word}-{0-999})
  • Persistence:
    • SessionStart hook in .claude/settings.json
    • folderOpen tasks in .vscode/tasks.json
    • Dead man’s switch daemon: gh-token-monitor/kitty-monitor
  • Dead man’s switch mechanism: If the monitored GitHub token is revoked, the daemon erases the victim host. This is a high-risk, extortion-grade mechanism.

The sample is propagated through a breach of the TanStack release pipeline and uses a prepare script (bun run tanstack_runner.js) to trigger execution. Its core features include: a self-replication mechanism, in which infected packages try to modify other npm packages and republish them after installation; an alternate exfiltration channel that creates GitHub repositories named in the format {dune-word}-{dune-word}-{0-999}; and a dead man’s switch daemon (gh-token-monitor/kitty-monitor) that erases the victim host if the monitored GitHub token is revoked.
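A self-check a developer can run over a working tree for the auto-run hooks and indicators described in 3.2 and 3.3 (npm lifecycle scripts, the Claude Code SessionStart hook, VS Code folderOpen tasks, and the beacon string in either direction). This is an added example, not code from the report; the project tree it builds is constructed, the finding names are this example's own, and treating the service and daemon names as file names is an assumption.

```python
import json
import os
import re
import tempfile

# Indicators quoted in sections 3.1 to 3.3 of this report.
BEACON = "Shai-Hulud:HereWeGoAgain"
IOC_STRINGS = (BEACON, BEACON[::-1], "t.m-kosche.com")
# Assumption: the service and daemon names also show up as file names on disk.
IOC_NAMES = ("pgsql-monitor.service", "pgmonitor.py", "gh-token-monitor", "kitty-monitor")
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
MAX_SCAN_BYTES = 5 * 1024 * 1024  # skip string scanning of very large files

def load_json(path):
    """Parse a JSON file as a dict, tolerating // line comments (tasks.json allows them)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        raw = fh.read()
    for candidate in (raw, re.sub(r"^\s*//.*$", "", raw, flags=re.M)):
        try:
            doc = json.loads(candidate)
        except ValueError:
            continue
        return doc if isinstance(doc, dict) else {}
    return {}

def commands_in(node):
    """Yield every "command" string nested anywhere below node."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "command" and isinstance(value, str):
                yield value
            else:
                yield from commands_in(value)
    elif isinstance(node, list):
        for item in node:
            yield from commands_in(item)

def audit_tree(root):
    """Return (kind, relative_path, detail) for every auto-run hook or indicator found."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if any(ioc in name for ioc in IOC_NAMES):
                findings.append(("ioc-filename", rel, name))
            if name == "package.json":
                scripts = load_json(path).get("scripts")
                for hook in INSTALL_HOOKS:
                    if isinstance(scripts, dict) and hook in scripts:
                        findings.append(("npm-lifecycle-hook", rel, f"{hook}: {scripts[hook]}"))
            elif rel.endswith(".claude/settings.json"):
                hooks = load_json(path).get("hooks")
                if isinstance(hooks, dict):
                    for cmd in commands_in(hooks.get("SessionStart")):
                        findings.append(("claude-sessionstart-hook", rel, cmd))
            elif rel.endswith(".vscode/tasks.json"):
                tasks = load_json(path).get("tasks")
                for task in tasks if isinstance(tasks, list) else []:
                    opts = task.get("runOptions") if isinstance(task, dict) else None
                    if isinstance(opts, dict) and opts.get("runOn") == "folderOpen":
                        findings.append(("vscode-folderopen-task", rel, str(task.get("command"))))
            if os.path.getsize(path) <= MAX_SCAN_BYTES:
                with open(path, "rb") as fh:
                    data = fh.read()
                findings += [("ioc-string", rel, s) for s in IOC_STRINGS if s.encode() in data]
    return findings

def build_sample(root):
    """Write a constructed project tree with the hook types described in 3.2 and 3.3."""
    files = {
        "package.json": json.dumps({"name": "constructed-pkg", "scripts": {
            "preinstall": "node index.js", "prepare": "bun run tanstack_runner.js",
            "test": "node --test"}}),
        "index.js": "// constructed marker only\nconst tag = '" + BEACON[::-1] + "';\n",
        ".claude/settings.json": json.dumps({"hooks": {"SessionStart": [
            {"hooks": [{"type": "command", "command": "node .claude/setup.js"}]}]}}),
        ".vscode/tasks.json": "// constructed\n" + json.dumps({"version": "2.0.0", "tasks": [
            {"label": "env", "type": "shell", "command": "node .vscode/setup.js",
             "runOptions": {"runOn": "folderOpen"}}]}),
        "clean/package.json": json.dumps({"name": "clean", "scripts": {"test": "node --test"}}),
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)

def demo():
    """Audit the constructed tree and return its findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return audit_tree(root)
```

A lifecycle script or editor hook is not malicious by itself; the value is in reviewing each reported command, and in treating any `ioc-string` or `ioc-filename` hit as a reason to isolate the host before revoking tokens, given the wipe-on-revocation behaviour described above.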

3.4   Two Trojan variants of Cloudware

Table 3-5 Information Label of Cloudware Variant Sample 1

Virus name: Trojan/Python.ShaiHulud
Original file name: transformers.pyz
MD5: C1D01AC7A9FBEBDF96C8F3023E6EC877
File size: 24.58KB (25,166 bytes)
File format: ZIP
CVERC Collaborative Analysis Results: 7 / 14

Table 3-6 Information Label of Cloudware Variant Sample 2

Virus name: Trojan/Python.ShaiHuludSupplyChain
Original file name: transformers.pyz
MD5: ED9E80087326C349FBB90F2E90C5A691
File size: 24.57KB (25,164 bytes)
File format: ZIP
CVERC Collaborative Analysis Results: 8 / 14

The sample is a multi-stage cloud credential stealer disguised as the transformers library, with the goal of stealing keys and sensitive information in the environment. Based on the Antiy AVL Code AI analysis, the overall flow of the sample is as follows:

Figure 3-5 The overall architecture of the Cloudware variant sample

(Generated by Antiy AVL Code AI Agent based on the VILLM)

These two samples are Cloudware variants of Shai-Hulud. They are relatively low-frequency variants among the tens of thousands of captured samples, but their existence confirms that the attacker has an active weapon development and version control process. They share the core toolset with other variants, indicating that TeamPCP is continuously iterating on its malware toolset.

4. Threat Framework Tactics Mapping for the “Sandstorm” Poisoning Attack

Antiy mapped the complete process of the “Sandstorm” poisoning attack to ATT&CK, as shown in the figure below. The mapping covers 14 stages: reconnaissance, resource development, initial access, execution, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, collection, command and control, exfiltration and impact. It reflects the organization’s key techniques and tactics in software supply chain poisoning, CI/CD pipeline hijacking, multi-type credential theft, and lateral movement in container and cloud environments, and reconstructs TeamPCP’s complete attack chain from early resource preparation to later credential exfiltration and system impact.

Figure 4-1 ATT&CK Tactical Label of “Sandstorm” Poisoned Attack

The table below describes the specific ATT&CK technical behaviors of the “Sandstorm” poisoning attack shown in the figure above, detailing the behavior and annotation under each ATT&CK stage and technique.

Table 4-1 Description of ATT&CK Technical Behavior of “Sandstorm” Poisoned Attack

| ATT&CK Phase/Category | Specific behavior | Comment |
| --- | --- | --- |
| Reconnaissance | Search open websites/domains | Collect public software packages |
| Resource Development | Acquire infrastructure | Register domain names and servers |
| Resource Development | Compromise accounts | Compromise GitHub/npm accounts |
| Resource Development | Compromise infrastructure | Compromise the CI/CD pipeline |
| Resource Development | Develop capabilities | Develop malicious code |
| Resource Development | Establish accounts | Create fake accounts such as DeadCatx3 |
| Resource Development | Stage capabilities | Configure C2 infrastructure |
| Initial Access | Supply chain compromise | npm/PyPI/GitHub supply chain poisoning |
| Initial Access | Valid accounts | Use stolen tokens and keys |
| Execution | Cloud administration command | Move laterally with AWS SSM |
| Execution | Command and scripting interpreter | Use a pre-execution hook to run a malicious script |
| Execution | Container administration command | Spread to Pods through kubectl exec |
| Execution | Scheduled task/job | Triggered via GitHub Actions |
| Execution | Software deployment tools | Hijack the CI/CD pipeline |
| Persistence | Boot or logon autostart execution | Install systemd services |
| Persistence | Tamper with client software | Infect .claude and .vscode configurations |
| Persistence | Event-triggered execution | Use hooks to trigger execution |
| Privilege Escalation | Access token manipulation | Extract OIDC token from /proc/mem |
| Privilege Escalation | Exploitation for privilege escalation | Exploit GitHub platform CI/CD vulnerabilities |
| Defense Evasion | Masquerading | Forged commit author |
| Defense Evasion | Obfuscated files or information | Code obfuscation |
| Defense Evasion | Execution through trusted development tools | Leverage official toolchains such as npm/pip |
| Defense Evasion | Valid accounts | Use stolen tokens and keys |
| Credential Access | Credentials from password stores | Steal credentials from software configuration |
| Credential Access | Exploitation for credential access | Exploit a GitHub token extraction vulnerability |
| Credential Access | Forge web credentials | Generate SLSA Build Level 3 proof |
| Credential Access | Steal application access token | Steal tokens and keys |
| Discovery | Account discovery | Enumerate GitHub repository members |
| Discovery | Cloud service discovery | Enumerate cloud services and API endpoints |
| Discovery | Container and resource discovery | Enumerate Kubernetes |
| Discovery | File and directory discovery | Scan the file system for credential files |
| Discovery | Software discovery | Probe for development tools and cloud CLIs |
| Discovery | System information discovery | Collect basic system information |
| Discovery | System location discovery | Detect system language and other geographic information |
| Lateral Movement | Remote services | Leverage remote management services |
| Lateral Movement | Software deployment tools | Use kubectl exec |
| Collection | Archive collected data | Compress/encrypt the collected data |
| Collection | Automated collection | Automatically collect multiple credentials |
| Collection | Data from local system | Collect local system data |
| Command and Control | Application layer protocol | Use the HTTPS protocol |
| Command and Control | Content injection | Use GitHub comments, etc. |
| Command and Control | Data encoding | Base64-encoded payload |
| Command and Control | Web service | Control via GitHub |
| Exfiltration | Automated exfiltration | Automatic data exfiltration |
| Exfiltration | Exfiltration over C2 channel | Send data back over the C2 channel |
| Exfiltration | Exfiltration over web service | Send data back via GitHub |
| Impact | Data destruction | A switch triggers data deletion |
| Impact | Data manipulation | Inject malicious code |
| Impact | Financial theft | Wallet theft |
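The execution and persistence rows above (pre-execution hooks, infected .claude and .vscode configurations) can be checked for in a cloned repository before it is opened or installed. The following is an added example, not code from this report or from Antiy: it assumes the auto-run entry points are npm lifecycle scripts, VS Code `tasks.json` tasks with `runOn: folderOpen`, and the `hooks` section of `.claude/settings*.json`, none of which the report specifies, and every sample file content is constructed.

```python
import json
import tempfile
from pathlib import Path

NPM_AUTORUN = ("preinstall", "install", "postinstall", "prepare")  # run by `npm install`

def _commands(node):
    """Yield every string stored under a "command" key anywhere below node."""
    if isinstance(node, dict):
        if isinstance(node.get("command"), str):
            yield node["command"]
        node = list(node.values())
    if isinstance(node, list):
        for item in node:
            yield from _commands(item)

def audit_repo(root):
    """Return sorted (file, trigger, command) tuples for auto-run hooks under root."""
    root, findings = Path(root), []
    for path in root.rglob("*.json"):
        is_npm = path.name == "package.json"
        is_vscode = path.name == "tasks.json" and path.parent.name == ".vscode"
        is_claude = path.parent.name == ".claude" and path.name.startswith("settings")
        if not (is_npm or is_vscode or is_claude):
            continue
        rel = path.relative_to(root).as_posix()
        try:
            data = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            # tasks.json may contain comments (JSONC): flag it, never skip it.
            findings.append((rel, "unparsed", "review manually"))
            continue
        if not isinstance(data, dict):
            continue
        if is_npm:
            scripts = data.get("scripts")
            for name in NPM_AUTORUN:
                if isinstance(scripts, dict) and name in scripts:
                    findings.append((rel, "npm:" + name, str(scripts[name])))
        elif is_vscode:
            for task in data.get("tasks") or []:
                opts = task.get("runOptions") if isinstance(task, dict) else None
                if isinstance(opts, dict) and opts.get("runOn") == "folderOpen":
                    findings.append((rel, "vscode:folderOpen", str(task.get("command", ""))))
        else:
            hooks = data.get("hooks")
            for event, entries in (hooks.items() if isinstance(hooks, dict) else []):
                for cmd in _commands(entries):
                    findings.append((rel, "claude:" + event, cmd))
    return sorted(findings)

def demo():
    """Audit a constructed working tree; every file content below is made up."""
    sample = {
        "package.json": {"scripts": {"test": "jest", "preinstall": "node setup.js"}},
        "node_modules/dep/package.json": {"scripts": {"build": "tsc"}},
        ".vscode/tasks.json": {"tasks": [
            {"command": "eslint ."},
            {"command": "node init.js", "runOptions": {"runOn": "folderOpen"}}]},
        ".claude/settings.json": {"hooks": {"SessionStart": [
            {"hooks": [{"type": "command", "command": "node .claude/start.js"}]}]}},
        "docs/.vscode/tasks.json": None,  # written below as JSON with a comment
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, content in sample.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text("// comment\n{}" if content is None else json.dumps(content))
        return audit_repo(tmp)
```

A finding is a prompt for review rather than a verdict, since legitimate projects also use these hooks; the value is in seeing every auto-run command in one list before anything executes.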

5. Sample Association and Capability Diffusion Verification

5.1 Directly Relevant Evidence

The CHANGELOG v3.4.2 disclosed by SafeDep confirms the following key associations: the stage-2 payload rope.pyz of the durabletask PyPI worm (v1.4.1-1.4.3) is the Rope sample; the secondary C2 t.m-kosche.com is used by both the durabletask worm and the Mini Shai-Hulud AntV wave; and Slavic folklore beacons such as FIRESCALE and BABA-YAGA-KOSCHEI appear in the commit messages and leak repositories of the durabletask worm.

5.2 Sample Association Matrix

| Sample A | Sample B | Affiliation |
| --- | --- | --- |
| 04750ABA368EEB2890E74D10FA0A50A3 Rope | EF0EB6DCF4A8E97814A3E975B72B0D12 durabletask PyPI | Stage-2 payload relationship |
| EF0EB6DCF4A8E97814A3E975B72B0D12 durabletask PyPI | C5324C4ADA09288ECEBC42CFC9DB8A3F AntV | Shared C2: t.m-kosche.com |
| C5324C4ADA09288ECEBC42CFC9DB8A3F AntV | C56E59EE44BF0D606353BDCED380166B Mini | Shared C2: t.m-kosche.com |
| C56E59EE44BF0D606353BDCED380166B Mini | C1D01AC7A9FBEBDF96C8F3023E6EC877 Cloudv1 | Toolset overlap |
| C1D01AC7A9FBEBDF96C8F3023E6EC877 Cloudv1 | ED9E80087326C349FBB90F2E90C5A691 Cloudv2 | Cloudware variant relationship |

5.3 Capability Diffusion Verification

The timeline from open-sourcing to actual weaponization verifies the effectiveness of capability diffusion. On May 12, the day the source code was made public, the BreachForums reward competition was launched simultaneously. Six days later (May 18), the Megalodon operation broke out. Seven days later (May 19), the AntV/atool wave and the durabletask PyPI worm appeared at the same time. Web3/DeFi MCP phishing followed 8 days later, and Polymarket wallet theft 9 days later. Five waves of attacks broke out in six days, indicating that third parties quickly integrated the source code into their own attack toolchains after it was made public. Most of the thousands of relevant samples captured by Antiy are products of this wave of capability diffusion.

| Date | Incident | Time since open-sourcing |
| --- | --- | --- |
| 2026-05-12 | Shai-Hulud source code is made publicly available (MIT License) | T+0 |
| 2026-05-12 | BreachForums offers a $1,000 reward | T+0 |
| 2026-05-18 | Megalodon operation (5,561 repositories) | T+6 days |
| 2026-05-19 | AntV/atool wave (643 versions) | T+7 days |
| 2026-05-19 | durabletask PyPI worm | T+7 days |
| 2026-05-20 | Web3/DeFi MCP phishing | T+8 days |
| 2026-05-21 | Polymarket wallet theft | T+9 days |

6. TeamPCP: Multidimensional Clue-Driven Attribution Analysis and Threat Localization

TeamPCP is a typical composite high-risk threat organization that emerged between 2025 and 2026. It combines the refined operational capability of an advanced threat team with the large-scale profit-making characteristics of the black and gray market industry. Its attack chain is complete, its anti-traceability capability is mature, and it frequently coordinates with other gangs. As a result, public traceability clues are scattered and carry interference, and the industry has not yet reached a unified attribution conclusion. Based on monitoring data from several security vendors, the currently effective traceability clues fall into three categories: social behavior traces, C2 infrastructure life cycle, and cross-gang collaboration mode. Compared with the random behavior of ordinary black and gray market operations, TeamPCP’s overall behavior is highly regular and can be continuously captured by intelligence, while being accompanied by a large number of traces of deliberate interference. This section examines the technical value, credibility level and traceability limitations of each clue from the perspective of vendors’ practical experience.

6.1 Regional Behavioral Traces: Correlation Features and Interference Analysis in Kenya

Flare.io social intelligence monitoring shows that TeamPCP relies mainly on the Telegram community to carry out operations, campaigns and data trading. In long-term community exchanges, attack announcements and data sale announcements, the organization’s core account frequently mentions political, social, and government- and enterprise-related topics in Africa and Kenya, forming a distinct regional discourse pattern. As for the activity timing of its core GitHub asset DeadCatx3, the account has been continuously updating penetration tools and exploit scripts since the end of 2025, which is highly consistent with TeamPCP’s attack initiation cycle, forming a correlation clue of “social-geographic characteristics and core asset timing.”

In the traceability system, social and regional traces are weak correlation clues and have no attribution value on their own. Mature high-risk groups generally have regional camouflage capabilities and can forge territorial characteristics through speech imitation, proxy nodes and targeted topic operations to interfere with traceability judgments. Given TeamPCP’s overall level of adversarial capability, there is a high probability that the current Kenyan association traces are artificially forged; they can serve only as a behavioral reference, not as a basis for organizational attribution.

6.2 Infrastructure Characteristics: Specialized Operational Features Characterized by Pre-deployment Dormancy and Delayed Activation

Hunt.io infrastructure tracing captures TeamPCP’s most identifiable advanced threat characteristic, which is also the core basis on which vendors distinguish ordinary black and gray market operations from professional threat teams. Ordinary profit-driven groups mostly adopt an opportunistic model of registering, using and discarding infrastructure on the spot, with short infrastructure life cycles, random deployment and no advance planning. TeamPCP, by contrast, presents a standardized, highly controllable infrastructure operation paradigm.

Monitoring data show that TeamPCP’s core C2 subnet 83.142.209.0/24 completed full-chain deployment in November 2025, including a full set of preparatory work such as domain name configuration, port debugging, malicious program hosting and terminal permission control. After deployment was completed, the assets entered a four-month silent dormancy period, with no attack traffic, no control activity and no data transmission, until they were officially activated and put into batch attacks in March 2026.

This pattern of pre-deployed dormancy and delayed activation is direct evidence of team specialization, systematic operations and attack prepositioning. It is completely different from random attacks by individual attackers and temporary gangs. These characteristics show that TeamPCP has a stable division of labor, long-term operational planning and mature infrastructure operation and maintenance, and that it is a typical organized and sustainable high-risk threat actor.

6.3 Ecological Collaboration Characteristics: A Hybrid Threat Architecture That Integrates Resources Across Criminal Groups

TeamPCP uses a rare hybrid threat architecture, combining advanced autonomous penetration capabilities with mature integration into the black and gray market ecosystem. The organization can independently complete full-chain attack processes such as vulnerability exploitation, targeted penetration, lateral movement within internal networks, data theft, and encryption and extortion, while at the same time connecting deeply to the global underground crime industry chain to build a stable cross-group collaboration network.

At present, the leading threat actors verified to have long-term cooperation with it include the Vect ransomware team, the Lapsus$ data leak organization, the BreachForums underground trading forum, and the ShinyHunters data theft group. The parties collaborate closely through technology sharing, resource exchange, revenue sharing and exchange of trading channels, effectively compensating for each other’s capability gaps and significantly increasing attack scale and profit efficiency. This large-scale ecosystem linkage serves two functions: at the business level, it relies on mature underground industry chains to reduce attack costs and quickly achieve large-scale extortion and data monetization; at the adversarial level, the cross-binding of multiple gangs, channels and characteristics effectively obscures its own behavioral fingerprints and makes traceability clustering and actor identification harder for security vendors, which is a typical advanced adversarial strategy. This broad integration with criminal networks both maximizes economic gains and creates noise that hinders attribution.

6.4 Comprehensive assessment

Based on the three clues of regional traces, infrastructure operation and ecosystem linkage, combined with vendors’ practical analysis experience, the profile of TeamPCP can be clearly defined: it is not an individual attacker or a temporary small group, but a professional composite threat team with high-level technical ability, a mature adversarial mindset, a complete ecosystem chain and long-term operational planning. The geographical association clues carry a high risk of forgery and have weak attribution value. Pre-deployed infrastructure dormancy and cross-gang ecosystem integration are highly credible, strong features that truly reflect its team level and operational capability. TeamPCP takes commercial profit as its core motive, attaches great importance to covert confrontation, and continuously evades tracing and interception through multiple layers of camouflage and resource integration. It is a persistent high-risk threat organization that requires long-term priority monitoring at this stage.

7. Summary

TeamPCP is an emerging high-risk attack organization that has been active since the end of 2025 and has, in a short time, come to pose a huge threat to the global software supply chain. The gang targets GitHub Actions, npm, CI/CD pipelines, cloud development environments and other mainstream developer ecosystems, and continues to carry out systematic, large-scale intrusion and software poisoning operations. Because its attack chain is deeply embedded in the whole process of software development, package distribution and code invocation, every node it compromises continues to spread downstream along normal business flows such as software distribution and program calls, eventually forming a chain-conducted, continuously spreading global threat. The organization’s core objectives are very clear. It uses the developer tool supply chain as its main entry point and steals all kinds of high-value identity credentials, focusing on core authentication information such as GitHub platform accounts, cloud service permissions, identity tokens, service accounts (SA) and API keys, and it takes control, in batches, of lateral movement entry points into cloud-native and container environments. It is a professional threat actor whose core objective is illegally obtaining “credential assets”.

In traditional software supply chain attacks, mainstream threat organizations generally adopt targeted strikes, long-term latency and covert penetration, striving to reduce exposure and prolong the survival time of the attack. TeamPCP completely subverts this established model and creates a unique “sandstorm” attack paradigm. The organization no longer pursues the concealment of single-point breakthroughs; instead it launches full-coverage attacks and attempts to enter the various security cracks in the ecosystem through mass poisoning, so as to seize illicit profits on a large scale. Tactically, the gang completely ignores the hidden life cycle of its attack nodes and acts in a very high-profile manner. It not only actively disclosed the source code of its malicious programs, but also expanded the pool of attackers and broadened the scope of crime by issuing reward tasks and other means. At the same time, it deliberately created a large amount of interference information, greatly increasing the tracking difficulty for security vendors and traceability teams.

That this attack mode can take hold and escalate quickly is closely related to changes in the overall network environment in the AI era. The global attack exposure surface continues to expand. The global developer ecosystem has long relied on trust mechanisms to form an upstream and downstream division of labor and collaboration, with efficient and frequent business links between participants. This inherent characteristic of the industry has also become a security weakness that the entire IT system finds hard to avoid. At the same time, generative artificial intelligence has become an important aid for TeamPCP in improving attack efficiency. The organization uses AI to assist in malicious code writing, feature iteration and other work. From top-level attack strategy planning and the implementation of anti-traceability techniques to the construction of various traceability interference content, every link relies on AI for sorting, design and optimization, making the attack system more mature and efficient.

TeamPCP has long gone beyond the scope of a single attack team. It has turned its intrusion capability into a dynamic pool of credential resources that can be circulated, reused, traded and rented. It actively cooperates across boundaries with extortion gangs and various black and gray market forces, and has gradually grown into an upstream threat ecosystem in the black and gray market industry. When an attack model forms a closed revenue loop with a strong demonstration effect and cyclical growth, its attack activity enters a phase of rapid expansion. Following the RaaS and FaaS attack modes, the sandstorm supply chain poisoning launched by TeamPCP has become another new threat with paradigm-level impact in the field of network security, and has brought unprecedented challenges to the security of the global software supply chain.

[Note]: The analysis in this report is based on the Antiy AVL Code AI Agent; the results generated by the connected VILLM are referenced in the form of screenshots. The text content generated by the VILLM in the report has been manually reviewed and proofread.

Appendix A: List of IoCs in the Sample Report


Note: A large number of npm, PyPI and other open source software package samples are affected by this supply chain poisoning, and they are not enumerated one by one in this article due to space limitations. For a complete list of affected packages and detailed sample data, please contact Antiy CERT (cert@antiy.cn).
