TeamPCP
TeamPCP is a financially motivated cybercrime group focused on software supply chain attacks against open source ecosystems and developer tooling. Known aliases in the provided content include DeadCatx3, PCPcat, PersyPCP, ShellForce, team_pcp, and UNC6780; Mandiant tracks the cluster as UNC6780, and one source also notes Trend Micro tracking as SHADOW-WATER-058.
The group is repeatedly linked to the Shai-Hulud / Mini Shai-Hulud malware family and later variants including Miasma and activity described as Hades, although multiple sources note attribution became less certain after TeamPCP publicly released the worm source code under an MIT license on May 12, 2026, turning it into public attack infrastructure.
Based on the provided content, TeamPCP conducted or was linked with high confidence to multiple 2026 supply chain intrusions affecting developer ecosystems, including compromises involving GitHub internal repositories, Microsoft durabletask on PyPI, Aqua Security Trivy, Checkmarx KICS, LiteLLM, Telnyx, TanStack packages, Red Hat-related npm namespaces, and broader npm and PyPI package poisoning campaigns. The group also claimed responsibility for the GitHub breach in which a poisoned VS Code extension installed by a single employee led to exfiltration of roughly 3,800 internal repositories; GitHub said the attackers' claims were directionally consistent. Reporting in the content describes TeamPCP as targeting developer workstations, CI/CD systems, package registries, GitHub repositories, GitHub Actions, and trusted publishing workflows.
Tactics and techniques directly described in the content include:
- poisoning npm and PyPI packages
- compromising developer accounts and contributor accounts
- abusing GitHub Actions, OIDC trusted publishing, and SLSA/Sigstore provenance paths
- exploiting pull_request_target misconfigurations
- cache poisoning
- stealing npm, PyPI, GitHub, SSH, cloud, Kubernetes, Vault, and CI/CD secrets
- using malicious VS Code extensions
- inserting malicious IDE and AI-tool configuration files such as .vscode/tasks.json, .claude/settings.json, .cursor/rules/setup.mdc, and .gemini/settings.json
- using Python .pth persistence
- downloading Bun to execute JavaScript stealers
- scraping OIDC tokens from GitHub Actions runner memory
- exfiltrating data via GitHub-based channels
- rapidly validating and operationalizing stolen credentials for cloud reconnaissance, repository cloning, workflow abuse, and further propagation
The content also states that TeamPCP open-sourced Mini Shai-Hulud / Shai-Hulud and announced a supply-chain attack contest on BreachForums, which researchers said lowered the barrier for copycat attacks and complicated later attribution.
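A defender-side check for two of the items listed above, the IDE/AI-tool configuration files and Python .pth persistence, as an added example that is not taken from the reporting or from Mallory. The `folderOpen` heuristic, the function names and the sample tree are assumptions made here; a hit means the file deserves review, not that it is malicious.

```python
import tempfile
from pathlib import Path

# Relative paths taken from the page's list of abused IDE / AI-tool config files.
WATCHED = (".vscode/tasks.json", ".claude/settings.json",
           ".cursor/rules/setup.mdc", ".gemini/settings.json")

def pth_exec_lines(path):
    """Return the lines of a .pth file that Python's site module would exec()."""
    text = path.read_text(encoding="utf-8", errors="replace")
    return [ln for ln in text.splitlines() if ln.startswith(("import ", "import\t"))]

def scan_tree(root):
    """Walk root and return sorted (relative_path, reason) findings for review."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if any(rel == w or rel.endswith("/" + w) for w in WATCHED):
            text = path.read_text(encoding="utf-8", errors="replace")
            # Assumption (not from the page): a "folderOpen" run option marks a
            # VS Code task that starts as soon as the folder is opened.
            auto = path.name == "tasks.json" and '"folderOpen"' in text
            findings.append((rel, "auto-run task" if auto else "config present"))
        elif path.suffix == ".pth":
            findings += [(rel, "pth executes: " + ln[:60]) for ln in pth_exec_lines(path)]
    return sorted(findings)

def build_sample(root):
    """Write a small constructed tree (harmless content) to exercise scan_tree."""
    samples = {
        ".vscode/tasks.json": '{"tasks":[{"runOptions":{"runOn":"folderOpen"}}]}',
        "pkg/.claude/settings.json": "{}",
        "venv/site-packages/paths.pth": "/opt/lib\n",
        "venv/site-packages/hook.pth": "import os; os.environ.get('X')\n",
    }
    for rel, body in samples.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, reason in scan_tree(tmp):
            print(f"{rel}: {reason}")
```

Legitimate tooling also ships `.pth` files with `import` lines, so compare findings against a known-good baseline of the environment before escalating.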
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Software & Services
Tradecraft
43 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
15 malware families attributed to this actor across reporting.
10 additional families tracked in Mallory.
Associated vulnerabilities
7 CVEs this actor has used in observed campaigns. 7 of them exploited in the wild.
ownCloud published a security notice confirming their build infrastructure -- the systems producing container images and client binaries -- was affected by CVE-2026-33634 (the Trivy compromise).
On 2026-05-27, CISA added three vulnerabilities to the KEV catalog, including CVE-2026-45321 (the TanStack / Mini Shai-Hulud tracking identifier) ... Treat the 2026-06-10 CISA remediation deadline for CVE-2026-45321 and CVE-2026-48027 as binding.
On December 19th 2025, Rubrik Zero Labs published PCPcat Campaign: Large-Scale Exploitation of React2Shell CVE and Cloud Infrastructure, detailing a campaign where TeamPCP weaponised CVE-2025-55182 (React2Shell) alongside exposed Docker APIs, Redis servers, Kubernetes clusters, and Ray AI dashboards.
Analysis of react.py: This script is clearly set to exploit CVE-2025-29927, also known as React2Shell. ... This script implements a fully automated React/Next.js exploitation pipeline centered on abusing CVE-2025-29927 to achieve remote command execution at scale.
On 2026-05-27, CISA added three vulnerabilities to the KEV catalog ... CVE-2026-48027 (the malicious code embedded in the Nx Console v18.95.0 build) ... The next day, CISA published its first standalone advisory ... documenting the poisoned Nx Console VS Code extension auto-distributed through the editor update mechanism.
2 more CVEs tied to this actor tracked in Mallory.
Observables
532 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Linked to the early waves of the Shai-Hulud V2 campaign, which expanded from npm into PyPI and shifted toward CI/CD abuse, undermining trust in SLSA provenance and OIDC-based publishing workflows. The campaign also extended malicious execution into IDE configuration files and used prompt injection to evade AI security scanners.
Operator assessed as responsible for earlier Shai-Hulud supply-chain attack waves, including expansion from npm to PyPI, CI/CD abuse, OIDC token scraping, malicious package publishing with valid provenance, IDE configuration abuse, and prompt-injection-based evasion of AI security scanners.
Associated with publicly releasing the source code of the Shai-Hulud worm, which is described as a precursor/variant basis for Miasma and enables supply-chain style compromise of open-source ecosystems.
Associated with compromising Microsoft's DurableTask PyPI package to deploy a sophisticated multi-stage supply chain attack focused on credential theft and access to cloud infrastructure, developer environments, GitHub, Kubernetes, and Vault.