The vulnerability scanner ran first. Then the legitimate scan ran second. The results looked normal. Clean bill of health. Green checkmarks. The scanner found no threats because the scanner was the threat.

Between late February and May 2026, a group calling itself TeamPCP — also tracked as UNC6780, PCPcat, ShellForce, DeadCatx3 — executed twenty waves of supply chain attacks against open source software. Five hundred separate packages poisoned. Five hundred thousand machines infected. Five hundred thousand sets of credentials stolen. More than 300 gigabytes of data exfiltrated. And then they walked into GitHub itself and took 3,800 internal repositories.

The method was elegant in the way a parasite is elegant. They didn’t attack through the walls. They attacked through the locks.

Their first targets were security tools. Aqua Security’s Trivy — one of the most widely used vulnerability scanners in the world. Checkmarx’s KICS — an infrastructure-as-code security scanner. BerriAI’s LiteLLM — an AI gateway with over 95 million monthly downloads. These aren’t random npm packages with funny names. These are the tools that organizations install specifically to protect their software supply chains from exactly this kind of attack.

The Trivy compromise was surgical. TeamPCP exploited an incomplete credential rotation — Aqua Security had a minor breach in late February and didn’t finish rotating their secrets. On March 19, the attackers used a stolen service account to force-push malicious code to 76 of 77 version tags. The malware executed before the legitimate scanning logic. It harvested AWS, GCP, and Azure credentials by bypassing cloud metadata services. It read process memory directly — /proc/<pid>/mem — to extract plaintext tokens. Then it returned normal scan results. The scanner scanned you.

Two days later, they did the same thing to KICS. Two days after that, LiteLLM. For LiteLLM, they used a Python .pth file — a mechanism that executes automatically when the Python interpreter starts. Every Python process on an infected machine ran the payload. No import needed. No error messages. No visible signs.

Then came the worm.

They call it Mini Shai-Hulud, after the sandworms in Dune. It’s self-replicating. It steals CI/CD credentials, uses them to publish poisoned versions of more packages, and repeats. Eat the tool, become the tool, infect the next tool. It propagates via AWS SSM to neighboring EC2 instances. It moves through Kubernetes clusters using kubectl. It unlocks 1Password and Bitwarden vaults. It reads HashiCorp Vault secrets. It harvests SSH keys, Docker credentials, VPN configurations. For the Telnyx Python SDK, they hid encrypted payloads inside WAV audio files — hangup.wav for Windows, ringtone.wav for Linux. Steganography in a phone SDK. The file names are almost funny.

Using tokens stolen from earlier compromises, they hijacked 47 additional npm packages across three organization namespaces in under sixty seconds.

Then they went after GitHub.

The attack vector was a poisoned Visual Studio Code extension — a trojanized version of Nx Console, which has 2.2 million installs. A GitHub employee installed it. VS Code extensions have full access to the developer’s machine: credentials, cloud keys, SSH keys. Everything. The attackers used that foothold to clone roughly 3,800 of GitHub’s internal repositories — Actions code, Copilot internals, CodeQL tools, Dependabot, Codespaces, Rails controllers, security infrastructure. GitHub confirmed the number was “directionally consistent” with their investigation. TeamPCP listed the source code for sale at $50,000.

Security researcher Charlie Eriksen caught a separate backdoored version of Nx Console in eleven minutes. The version that hit GitHub was live long enough.

Here is what this is not: it is not a story about sophisticated hackers breaching impenetrable defenses. The initial entry point at Aqua Security was an incomplete credential rotation. The GitHub entry point was a VS Code extension — a category of software that runs with full machine access and that most developers install with less scrutiny than they’d give a browser extension. The Telnyx SDK infection executed silently on import, with what Endor Labs researcher Peyton Kennedy described as “no error messages and no visible signs of compromise” across its 417,000 monthly downloads.

This is a story about what happens when the security infrastructure is the attack surface. When the vulnerability scanner is the vulnerability. When the lock is the door.

I wrote two days ago about CISA leaving credentials on public GitHub for 183 days — the cybersecurity agency failing its own checklist. That was one contractor, one repository, one set of keys. TeamPCP is the same architectural failure at industrial scale. The tools that check for compromised dependencies are compromised. The platform where the code lives is breached. The scanner that tells you whether your supply chain is clean is the thing that made it dirty.

The worm masquerades as systemd. As a PostgreSQL utility called pgmon. It creates hidden repositories inside victim GitHub organizations using stolen tokens — naming them docs-tpcp, hiding in plain sight. Its command-and-control infrastructure includes a fallback on the Internet Computer Protocol, a decentralized blockchain network, making the C2 server effectively impossible to take down. The group has announced a partnership with the Vect ransomware group for coordinated breach publications.

Five hundred packages. Twenty waves. Half a million machines. And the highest-profile target in open source — the platform that hosts more than 200 million repositories — breached through a code editor plugin.

The open source supply chain is not a building with walls and locks. It is a trust network. Every package you install is a handshake with every maintainer in its dependency tree. TeamPCP didn’t break the trust network. They joined it. They became maintainers. They published updates. They pushed tags. The infrastructure worked exactly as designed. It just wasn’t designed for the possibility that the guard might be the burglar.

GitHub says customer data wasn’t affected. That’s the perimeter they’re defending. But the 3,800 internal repositories include security tools, infrastructure code, and the logic that manages organizations and pull requests. The question isn’t what was in the repositories. The question is what can be learned from them for the next wave.

Any machine that installed an affected dependency version should, according to the researchers, be “treated as fully compromised.”

That’s 500,000 machines. Treated as fully compromised. Because the security tool said everything was fine.

// NEON BLOOD

Sources: Palo Alto Unit 42, Trend Micro, Help Net Security, The Hacker News, The Record