GitHub confirmed the TeamPCP breach on May 20 in the early hours of Pacific Time, when it published a security notice that documented something that had never happened to the platform before: a criminal group had exfiltrated approximately 3,800 of the company’s internal repositories. The attack did not require broken cryptography or misconfigured servers. It required one GitHub employee installing a compromised Visual Studio Code extension downloaded directly from the official marketplace. The group responsible is TeamPCP — tracked as UNC6780 by Google Threat Intelligence Group — the same collective that has conducted a continuous cascade of supply chain attacks since March 2026 against Trivy, Checkmarx, Bitwarden, LiteLLM, TanStack, MistralAI, and Telnyx. GitHub is not a victim. It is the latest target in a methodical campaign.
What TeamPCP Is and How It Operates
TeamPCP (also tracked as UNC6780, DeadCatx3, PCPcat, ShellForce, and CanisterWorm) is a cybercriminal group that specializes in supply chain attacks targeting open-source security utilities and AI middleware. The group has been active since at least late 2025 and has turned the tools and practices built for high-velocity software deployment into delivery mechanisms for malware.
The group’s most effective method exploits GitHub Actions workflows — specifically the pull_request_target trigger, which grants elevated permissions to pull requests from forks and creates an attack surface that many maintainers have misconfigured. TeamPCP leverages access to tools used in CI/CD pipelines to distribute credential-stealing malware, hoovering up package registry tokens, cloud credentials, SSH keys, Git credentials, personal access tokens, and any secret available in a CI/CD environment. The Mini Shai-Hulud worm — TeamPCP’s adapted version of a self-replicating worm first documented in 2025 — largely automates supply chain attacks by stealing CI/CD credentials and using them to publish infected versions of further packages.
The Full Attack Timeline: March Through May 2026
The GitHub breach is the culmination of at least seven confirmed attack waves documented by Trend Micro, Okta, and multiple other threat intelligence organizations since March 2026.
- March 19: Trivy, Aqua Security’s vulnerability scanner, was compromised via GitHub Actions — the first confirmed TeamPCP wave.
- March 23: Checkmarx KICS GitHub Action was compromised via stolen personal access tokens.
- March 23-24: Checkmarx VS Code extensions were poisoned on OpenVSX and the LiteLLM PyPI packages v1.82.7 and v1.82.8 were infected.
- March 27: Telnyx PyPI was compromised.
- April 15: The Vect ransomware group began publishing victims with data attributed to TeamPCP-stolen credentials — showing how the initial CI/CD credential theft converted into ransomware operation fuel for downstream criminal actors.
- April 22: Checkmarx KICS Docker Hub was poisoned alongside VS Code and GitHub Actions simultaneously.
- April 23: The downstream hijack of @bitwarden/cli v2026.4.0 using stolen KICS npm tokens was confirmed.
- April 24: elementary-data PyPI and GitHub Container Registry were compromised via GitHub Actions script injection.
- May 20: GitHub itself was breached.
How the GitHub Breach Happened: The VS Code Extension Vector
The GitHub breach mechanism is both technically simple and organizationally alarming. GitHub’s investigation revealed that the attackers accessed internal repositories after a GitHub employee installed a poisoned Visual Studio Code extension downloaded from the official VS Code marketplace — Microsoft’s own extension distribution platform with more than 30 million active users.
GitHub’s official statement confirmed the attack path: “We removed the malicious extension version, isolated the endpoint, and began incident response immediately.” The poisoned extension gave TeamPCP access to the employee’s developer workstation, from which it was able to pivot to approximately 3,800 internal GitHub repositories. TeamPCP then advertised the stolen source code on a cybercrime forum and offered to sell it for $50,000, threatening to leak it for free if no buyer came forward.
GitHub’s current assessment is that the activity involved exfiltration of GitHub-internal repositories only. Customer data is described as unaffected. The attacker’s claimed figure of approximately 3,800 repositories is described by GitHub as directionally consistent with their internal investigation.
The Downstream Victims: European Commission and Beyond
The campaign’s impact extends well beyond the organizations directly compromised. The European Commission is confirmed among the downstream victims of TeamPCP’s earlier supply chain compromises — an indication that the group’s reach has penetrated government and institutional infrastructure through the open-source tool supply chain that both public and private organizations share.
The cascading nature of the attack is what makes TeamPCP particularly dangerous. Each compromise generates credentials that enable the next compromise. Stolen npm tokens from Checkmarx KICS enabled the Bitwarden CLI hijack. Stolen CI/CD credentials from earlier waves were resold to ransomware operators who used them to identify and attack additional victims. The group is not simply stealing data — it is building a self-funding credential pipeline that converts each compromise into the fuel for subsequent attacks.
The CVE and Technical Details
The March 19 Trivy compromise was formally catalogued as CVE-2026-33634 with a CVSS score of 9.4 — one of the highest severity ratings assigned to a supply chain compromise event this year. The root cause was incomplete credential rotation after a February 28 breach. The aqua-bot service account personal access token was either not revoked or the attacker observed the new token during rotation. TeamPCP used the retained access to force-push version tags to malicious imposter commits, with each forged commit cloning the original’s metadata to evade detection.
The CanisterWorm variant of the malware adds a particularly sophisticated persistence mechanism: a systemd user service masquerading as pgmon (PostgreSQL monitoring) that checks in with a command-and-control server and can receive new payloads without requiring republication of any npm package. A kill switch exists — if the canister returns a URL containing youtube.com, the backdoor sleeps. A destructive Iran-targeting variant deploys privileged Kubernetes DaemonSets across every node and wipes systems via a container named kamikaze.
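A hunting sketch for the persistence mechanism described above, added here as an example and not taken from any vendor's tooling. It scans a systemd user-unit directory (normally ~/.config/systemd/user) and reports services that mention pgmon or start from a user-writable path. The exact unit file name and binary path are not given in this article, so the substring match, the path heuristic and the demo unit contents are assumptions.

```python
import configparser
import tempfile
from pathlib import Path

# Heuristic prefixes for ExecStart targets a packaged service would not normally use.
USER_WRITABLE = ("%h/", "/home/", "/tmp/", "/var/tmp/", "/dev/shm/")

def scan_user_units(unit_dir):
    """Return (unit name, reasons) for user services worth a closer look."""
    hits = []
    for unit in sorted(Path(unit_dir).glob("*.service")):
        cp = configparser.ConfigParser(strict=False, interpolation=None)
        cp.optionxform = str  # systemd keys are case-sensitive
        try:
            cp.read_string(unit.read_text(encoding="utf-8", errors="replace"))
        except configparser.Error:
            hits.append((unit.name, ["unparseable unit file"]))
            continue
        desc = cp.get("Unit", "Description", fallback="")
        # Strip systemd's optional ExecStart prefixes before looking at the path.
        exec_start = cp.get("Service", "ExecStart", fallback="").lstrip("-@+!:")
        reasons = []
        if "pgmon" in (unit.name + " " + desc).lower():
            reasons.append("name or description mentions pgmon")
        if exec_start.startswith(USER_WRITABLE):
            reasons.append("ExecStart runs from a user-writable path")
        if reasons:
            hits.append((unit.name, reasons))
    return hits

def demo():
    """Run the scan over two constructed unit files (names and paths are made up)."""
    units = {
        "pgmon.service": "[Unit]\nDescription=PostgreSQL monitor\n"
                         "[Service]\nExecStart=%h/.local/share/pgmon/run\nRestart=always\n",
        "syncthing.service": "[Unit]\nDescription=Syncthing\n"
                             "[Service]\nExecStart=/usr/bin/syncthing\n",
    }
    with tempfile.TemporaryDirectory() as d:
        for name, text in units.items():
            (Path(d) / name).write_text(text, encoding="utf-8")
        return scan_user_units(d)

if __name__ == "__main__":
    for name, reasons in demo():
        print(name, "->", "; ".join(reasons))
```

A hit is a lead for triage, not a verdict: legitimate user services also run from the home directory, so confirm whether PostgreSQL monitoring was ever deployed on the host before escalating.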
What Security Experts Are Saying
The GitHub breach has produced some of the most direct expert commentary of the year from the security community. Mackenzie Jackson, Developer Relations at Aikido Security, framed the structural problem precisely: “Developer workstations are the number one target in supply chain attacks right now, and this is exactly why. TeamPCP has compromised Trivy, Checkmarx, Bitwarden CLI, TanStack, and now GitHub, all in 2026, all through developer tooling. A single VS Code extension on one employee’s machine was enough to get access to 3,800 internal GitHub repositories. Most security teams still have zero visibility into what extensions or packages are on their developers’ machines, or how recently they were published.”
That observation is the most operationally important in the entire breach story. The attack did not exploit a vulnerability in GitHub’s servers, its authentication systems, or its infrastructure. It exploited the absence of visibility into what software employees install on their own workstations. That is a gap that exists in the vast majority of technology organizations regardless of their security budget or team size.
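One way to start closing that visibility gap, added here as an example and not drawn from GitHub's or Aikido's tooling: an inventory of a workstation's VS Code extensions directory (by default ~/.vscode/extensions) that flags extensions missing from an approved list or installed within the last few days. The allowlist, the 14-day window and the extension names in the demo are assumptions, and folder modification time stands in for install time because the marketplace publish date is not stored locally.

```python
import json
import os
import tempfile
import time
from pathlib import Path

def inventory(ext_dir, allowlist, recent_days=14, now=None):
    """List installed VS Code extensions; flag unapproved or recently installed ones."""
    now = time.time() if now is None else now
    rows = []
    for manifest in sorted(Path(ext_dir).glob("*/package.json")):
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or corrupt manifest: skip it, keep sweeping
        if not isinstance(meta, dict):
            continue
        ext_id = f"{meta.get('publisher', '?')}.{meta.get('name', '?')}".lower()
        # Folder mtime approximates install time; publish date needs a marketplace lookup.
        age_days = (now - manifest.parent.stat().st_mtime) / 86400
        flags = []
        if ext_id not in allowlist:
            flags.append("not-allowlisted")
        if age_days < recent_days:
            flags.append("recently-installed")
        rows.append({"id": ext_id, "version": meta.get("version", "?"),
                     "age_days": round(age_days, 1), "flags": flags})
    return rows

def demo():
    """Build a constructed extensions directory (hypothetical names) and inventory it."""
    now = 1_800_000_000.0
    samples = [("example-corp", "approved-linter", "1.4.0", 200),
               ("unknown-pub", "theme-helper", "0.0.3", 2)]
    with tempfile.TemporaryDirectory() as d:
        for pub, name, ver, days_old in samples:
            folder = Path(d) / f"{pub}.{name}-{ver}"
            folder.mkdir()
            (folder / "package.json").write_text(
                json.dumps({"publisher": pub, "name": name, "version": ver}))
            stamp = now - days_old * 86400
            os.utime(folder, (stamp, stamp))
        return inventory(d, {"example-corp.approved-linter"}, now=now)

if __name__ == "__main__":
    for row in demo():
        print(row)
```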
What Organizations Need to Do Now
The campaign points to several specific defensive actions that security teams should prioritize immediately. Okta’s threat intelligence team identified the exploitation of the pull_request_target trigger in GitHub Actions as TeamPCP’s most impactful attack method. Organizations using GitHub Actions should audit all workflows that use this trigger and ensure they do not grant elevated permissions to code from uncontrolled forks.
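A starting point for that audit, added here as an example and not part of Okta's or GitHub's guidance: a text-level check of one workflow file for the pull_request_target trigger combined with PR head references, broad token permissions and exposed secrets. It goes one step beyond this paragraph by also listing actions referenced by tag or branch instead of commit SHA, which is the reference style the Trivy tag force-push described earlier relied on. The sample workflow is constructed, and the regex matching is a heuristic, not a YAML parser.

```python
import re

# Constructed sample workflow for the demo (not taken from any real repository).
SAMPLE = """\
on:
  pull_request_target:
permissions: write-all
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

HEAD_REF = re.compile(r"github\.event\.pull_request\.head\.(?:sha|ref)|github\.head_ref|refs/pull/")
SECRET = re.compile(r"\$\{\{\s*secrets\.(?!GITHUB_TOKEN\b)(\w+)")
USES = re.compile(r"uses:\s*([\w./-]+)@(\S+)")

def audit_workflow(text):
    """Return a list of findings for one workflow file's text."""
    # Drop comments so a commented-out trigger is ignored (naive: '#' inside strings is cut too).
    body = "\n".join(re.sub(r"(^|\s+)#.*$", "", ln) for ln in text.splitlines())
    findings = []
    if re.search(r"\bpull_request_target\b", body):
        findings.append("pull_request_target: runs with the base repository's token and secrets")
        if HEAD_REF.search(body):
            findings.append("references PR head code, so fork-controlled code may run in that context")
        if re.search(r"^\s*permissions:\s*write-all", body, re.M):
            findings.append("token permissions are write-all")
        elif not re.search(r"^\s*permissions:", body, re.M):
            findings.append("no permissions block; token scope falls back to the repository default")
        names = sorted(set(SECRET.findall(body)))
        if names:
            findings.append("secrets in scope: " + ", ".join(names))
    # A tag or branch ref can be moved to another commit; a full 40-hex commit SHA cannot.
    unpinned = sorted({f"{a}@{r}" for a, r in USES.findall(body) if not re.fullmatch(r"[0-9a-f]{40}", r)})
    if unpinned:
        findings.append("actions not pinned to a commit SHA: " + ", ".join(unpinned))
    return findings

if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE):
        print("-", finding)
```

Run it over every file under .github/workflows and review any workflow that reports both the trigger and a PR head reference first.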
Identity and access management controls for developer and maintainer accounts are the second critical priority. TeamPCP’s credential-stealing malware specifically targets package registry tokens, cloud credentials, and personal access tokens stored in CI/CD environments. Any secret that exists in a CI/CD pipeline environment variable, configuration file, or developer workstation is a potential target. Rotating credentials after any supply chain compromise in the ecosystem — even one that appears not to have directly affected your organization — is now best practice rather than optional.
Broader Implications: The Developer Toolchain as Attack Surface
The GitHub breach is the clearest articulation yet of why the software supply chain is now the primary attack surface for sophisticated threat actors. GitHub hosts code for more than 100 million developers worldwide. VS Code has more than 30 million active users. The open-source tools TeamPCP has compromised — Trivy, Checkmarx KICS, LiteLLM, Bitwarden CLI — are used by millions of organizations in their security and development workflows.
The lesson is not that these tools are insecure. The lesson is that any tool used in a developer’s workflow is a potential entry point into that developer’s organization. The extension marketplace, the npm registry, the PyPI index, the Docker Hub — all of these are trusted by default in most development environments, and that trust is precisely what TeamPCP has spent 2026 systematically exploiting.
Latest Updates
The GitHub breach was confirmed May 20. Here is where to follow the full investigative coverage:
- WIRED has the complete TeamPCP software supply chain attack spree investigation — covering the full campaign timeline across GitHub, npm, PyPI, Docker Hub, and OpenVSX, including the technical mechanisms and the Mini Shai-Hulud worm’s role in automating each subsequent compromise.
- The Record from Recorded Future News has the breaking GitHub breach confirmation including GitHub’s official statement, the VS Code extension attack vector, the 3,800 repository exfiltration claim, the $50,000 ransom demand, and confirmation that customer data is unaffected.
- Help Net Security has the full technical breakdown of the GitHub breach including TeamPCP’s UNC6780 tracking designation, the Mini Shai-Hulud worm mechanics, the full list of previously compromised targets, and GitHub’s incident response actions.
FAQ: TeamPCP Supply Chain Attack GitHub 2026
1. What did TeamPCP steal from GitHub? TeamPCP exfiltrated approximately 3,800 internal GitHub repositories after compromising a GitHub employee’s device through a poisoned VS Code extension downloaded from the official Microsoft marketplace. GitHub confirmed the breach on May 20, 2026, and stated that customer data was unaffected. The attackers offered the stolen source code for sale on a cybercrime forum for $50,000.
2. How did the TeamPCP GitHub breach happen? A GitHub employee installed a malicious Visual Studio Code extension from the official VS Code marketplace. The compromised extension gave TeamPCP access to the employee’s developer workstation, from which the group pivoted to approximately 3,800 internal GitHub repositories. GitHub removed the malicious extension, isolated the endpoint, and began incident response immediately.
3. What other organizations has TeamPCP attacked in 2026? TeamPCP has conducted at least seven confirmed supply chain attack waves since March 2026, compromising Aqua Security’s Trivy vulnerability scanner, Checkmarx KICS via Docker Hub and VS Code, LiteLLM, the Telnyx SDK, Bitwarden CLI, TanStack, MistralAI, and elementary-data. The European Commission is confirmed among the downstream victims. Credentials stolen in these attacks were also used by the Vect ransomware group to identify additional targets.
4. What is the Mini Shai-Hulud worm used by TeamPCP? Mini Shai-Hulud is TeamPCP’s adapted version of a self-replicating worm first documented in 2025. It automates supply chain attacks by stealing CI/CD credentials from compromised developer environments and using them to publish infected versions of additional packages — creating a cascading credential pipeline that converts each compromise into fuel for subsequent attacks without requiring the attackers to manually operate each stage.
5. How can organizations protect against TeamPCP-style supply chain attacks? Security teams should audit all GitHub Actions workflows using the pull_request_target trigger, which grants elevated permissions to fork-based pull requests and is TeamPCP’s most impactful attack vector. They should implement visibility into developer workstation software including VS Code extensions, rotate all credentials after any related ecosystem compromise, treat package registry tokens and CI/CD secrets as high-value targets requiring the same protection as production credentials, and audit recently published open-source packages used in their build pipelines.
Sources and References
- WIRED: TeamPCP’s Software Supply Chain Attack Spree on GitHub
- The Record from Recorded Future News: GitHub Confirms Being Hacked by TeamPCP, Says Customer Data Unaffected
- Help Net Security: TeamPCP Breached GitHub’s Internal Codebase via Poisoned VS Code Extension





