Supply Chain Hunting Season - May edition

Boost Security Team
May 26, 2026

May has so far been a very busy month for Supply Chain Security (and not in a good way). We are now seeing the aftermath of TeamPCP’s big Feb/March attacks on Trivy play out.

As a refresher, TeamPCP (now known as UNC6780), a hacking group focused on supply chain attacks, found a CI pipeline vulnerability in Trivy and exploited it to inject credential-stealing malware into practically all versions of that software for a few hours.

Trivy is itself a security tool, run as a scanning step in many other build pipelines. As such, the compromised versions ran across thousands of repos in a short amount of time, and wherever they ran, credentials found in CI/CD pipelines got compromised as well.

The hacking group now had many credentials with which to compromise additional packages, further poisoning the software supply chain.

LiteLLM, Telnyx, Cisco, and Checkmarx were among the first directly affected organizations.

And TeamPCP are not the only actors. PolinRider is attributed to DPRK. Some attacks (like Laravel lang) are not attributed to any known actor yet.

Which brings us to the last few weeks (timeline below). 

Here are some facts:

  1. Supply chain attacks are increasing in frequency, sophistication, and damage
  2. Multiple actors are now using the same tactics.
  3. The payloads are getting pretty advanced (and nasty). Across the Shai-Hulud, PolinRider, and Laravel Lang supply chain hacks, we have seen these capabilities (at a high level):
    1. Takedown-resistant C2 using a blockchain network
    2. Wiper on GitHub token revocation
    3. Password Vault Targeting (Bitwarden credential extraction)
    4. Advanced obfuscation
    5. AI coding assistant backdoors 
    6. Advanced credential harvesting (browser security bypass, cloud infra, crypto-wallet, PuTTY saved sessions + general SSH keys, etc.)
    7. Targeting of 17 CI/CD platforms for credential harvesting 
  4. It is no longer one actor, nor one way of doing things. Attackers have figured out just how vulnerable this area is.
    1. TeamPCP developed Shai-Hulud, then open sourced it, and now there are copycats.
    2. PolinRider (North Korea)
    3. The Laravel Lang attacks are believed to be the work of yet a different actor

What hackers are actually trying to do is obtain credentials for:

  1. OSS developers' machines or CI pipelines → this lets them poison the software that your developers and agents use
  2. Credentials on your developer machines → this lets them steal / backdoor your own products
  3. Credentials found in your CI/CD pipelines → this lets them steal / backdoor your own code, as well as pivot to production since your CI/CD pipelines typically contain privileged tokens

What you can do about it

  1. Get visibility into, and control over, what gets installed (VSX extensions, npm/PyPI packages, GitHub Actions, etc.) on everything from the developer endpoint, through your SCM and CI/CD pipelines, all the way to production.
  2. Ensure your CI/CD pipelines are hardened/secure. This is harder than you think.
  3. Assume your developer tokens are, or will soon be, compromised. Assume hackers can read, and maybe even write to repos in your organization.

There is a lot you can do. 

Yes, using artifact registries can help. 

Yes, ensuring SLSA provenance can help. 

Yes, having cooldown periods can help. 

But these are not enough.

This is happening to companies like Checkmarx, Aqua, Microsoft, OpenAI, and GitHub themselves. These companies know security. This problem is just too hard for now.

We have been helping some of the biggest software teams protect against exactly these types of attacks for years now. We would love to help you as well. Reach out.

April 30th 2026 → May 23rd 2026 Supply Chain Security timeline.

April 30, 2026 — PyTorch Lightning PyPI

Malicious lightning 2.6.2 and 2.6.3 published; full credential theft on import

May 9, 2026 — Checkmarx Jenkins AST Plugin

Trojanized Jenkins plugin published to Jenkins Marketplace using credentials from the March Checkmarx breach

May 11, 2026 — TanStack (CVE-2026-45321, CVSS 9.6)

84 malicious versions across 42 @tanstack/* npm packages published via TanStack's own legitimate CI in ~6 minutes. Chained pull_request_target Pwn Request + Actions cache poisoning + OIDC token extraction from /proc/<pid>/mem. First-ever npm worm with valid SLSA Build Level 3 provenance. 170+ packages across npm + PyPI hit overall; >518M weekly downloads

May 11, 2026 — OpenAI, Mistral AI, UiPath, Guardrails AI, OpenSearch breached via TanStack

Two OpenAI employee devices compromised; limited credential exfil from internal repos; signing certs (macOS/Windows/iOS/Android) rotated. Nx core contributor's GitHub CLI OAuth token also silently stolen here — the seed for the GitHub breach a week later.

May 12, 2026 — TeamPCP open-sources Shai-Hulud worm

Source code published on GitHub under MIT ("Shai-Hulud: Open Sourcing The Carnage") with a BreachForums "supply chain attack contest". Copycats appear within days.

May 12–13, 2026 (~14 hours) — Composer CVE-2026-45793 near-miss

GitHub's new GITHUB_TOKEN format, which contains a hyphen (-), breaks Composer's 2021-era regex → tokens printed in plaintext to public CI logs. Patched in Composer 2.9.8 / 2.2.28 / 1.10.28. No known exploitation.
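
The entry above does not say how the regex failure turned into printed tokens. The following is an added example, not Composer's code and not from the original article: it assumes the failure mode is a format check that rejects the new character and quotes the rejected value in its error, and shows that beside a check that withholds the value plus masking by exact value. The pattern, function names and token are constructed.

```python
import re

# Hypothetical stand-in for a 2021-era format check (not Composer's actual pattern):
# letters, digits, dot and underscore only, so a hyphen counts as "invalid".
LEGACY_TOKEN_RE = re.compile(r"[.A-Za-z0-9_]+")


def load_token_legacy(token):
    """Before: an unexpected character raises an error that quotes the secret."""
    if not LEGACY_TOKEN_RE.fullmatch(token):
        raise ValueError(f"token contains invalid characters: {token}")
    return token


def load_token_hardened(token):
    """After: reject only what is unsafe in an HTTP header; never quote the value."""
    if not token or any(ch.isspace() or not ch.isprintable() for ch in token):
        raise ValueError(f"token rejected (length {len(token)}, value withheld)")
    return token


def redact(log_text, secrets):
    """Mask secrets by exact value, so a format change cannot bypass the mask."""
    for secret in sorted(filter(None, secrets), key=len, reverse=True):
        log_text = log_text.replace(secret, "***")
    return log_text


def ci_log_line(loader, token):
    """What a CI job would print if it logs the loader's error message."""
    try:
        loader(token)
        return "auth configured"
    except ValueError as exc:
        return f"error: {exc}"


# Constructed token in a made-up hyphenated format; not a real credential.
SAMPLE_TOKEN = "ghs_constructed-EXAMPLE-0000"

if __name__ == "__main__":
    print(ci_log_line(load_token_legacy, SAMPLE_TOKEN))    # secret appears in the log
    print(ci_log_line(load_token_hardened, SAMPLE_TOKEN))  # accepted, nothing leaked
    leaked = ci_log_line(load_token_legacy, SAMPLE_TOKEN)
    print(redact(leaked, [SAMPLE_TOKEN]))                  # masked by value
```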

May 18, 2026 — Megalodon

SafeDep-tracked d-PPE campaign pushes 5,718 malicious commits into 5,561 GitHub repositories in 6 hours. Hudson Rock later confirms 33%+ of affected accounts trace directly to infostealer-infected developer workstations

May 18, 2026 — actions-cool/issues-helper GitHub Action

All tags rewritten to imposter commits exfiltrating CI/CD credentials 
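
A workflow that references an action by tag runs whatever commit that tag currently points at, so a tag rewrite like this one reaches it on the next run, while a reference pinned to a full commit SHA does not move. The following audit is an added example, not code from the original article: it flags `uses:` references that are not pinned to a 40-character commit SHA or image digest, and flags the `pull_request_target` plus pull-request-head checkout shape behind the Pwn Request named in the May 11 TanStack entry. The sample workflow, its tag names and its SHA are constructed, and the head-checkout test is a text heuristic rather than a YAML parse.

```python
import re

# "uses:" value of a step or reusable-workflow call; comment-only lines do not match.
USES_RE = re.compile(r"^[ \t]*(?:-[ \t]*)?uses:[ \t]*['\"]?([^'\"\s#]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")
# A checkout "ref:" that resolves to the pull request's own head.
PR_HEAD_RE = re.compile(
    r"^[ \t]*ref:.*github\.(?:event\.pull_request\.head\.(?:sha|ref)|head_ref)",
    re.MULTILINE)


def unpinned_actions(workflow_text):
    """Return (line, reference) for each action ref the upstream owner can move."""
    findings = []
    for m in USES_RE.finditer(workflow_text):
        ref = m.group(1)
        if ref.startswith("./"):
            continue  # local action, versioned with this repository
        if ref.startswith("docker://"):
            pinned = "@sha256:" in ref  # image pinned by digest
        else:
            pinned = bool(FULL_SHA_RE.fullmatch(ref.partition("@")[2]))
        if not pinned:
            line = workflow_text.count("\n", 0, m.start(1)) + 1
            findings.append((line, ref))
    return findings


def runs_untrusted_head(workflow_text):
    """True if a pull_request_target workflow checks out the PR's own code."""
    return bool(re.search(r"\bpull_request_target\b", workflow_text)
                and PR_HEAD_RE.search(workflow_text))


# Constructed sample workflow; the 40-character SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
on: pull_request_target
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions-cool/issues-helper@v3
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
"""

if __name__ == "__main__":
    for line, ref in unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {line}: {ref} is not pinned to a full commit SHA or digest")
    print("untrusted head checkout:", runs_untrusted_head(SAMPLE_WORKFLOW))
```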

May 18, 2026 — Nx Console v18.95.0 

Malicious VS Code extension published to Visual Studio Marketplace (~11 min live) and Open VSX (~36 min live), using the Nx contributor token stolen on May 11. Runs on activation; harvests GitHub, AWS, 1Password, Bitwarden, npm, PyPI, Anthropic Claude Code creds.

May 18–20, 2026 — GitHub's own internal repos breached 

~3,800 internal GitHub repositories exfiltrated. A GitHub employee installed compromised Nx Console v18.95.0 → SSH keys stolen → repos cloned at scale. Confirmed by GitHub; no customer data outside its internal repos affected. 

May 19, 2026 (01:39–02:18 UTC) — @antv npm

639 malicious versions across 323 unique packages in 22 minutes; 558/279 inside @antv itself. Includes echarts-for-react (1M+ weekly downloads). GitHub invalidated 61,274 npm tokens with write+2FA bypass in response. Targets credentials across GitHub, AWS, Kubernetes, 1Password.

May 19, 2026 — Microsoft durabletask PyPI

Malicious versions 1.4.1, 1.4.2, 1.4.3 published using compromised credentials, bypassing Microsoft's CI/CD pipeline entirely. Linux-only dropper; C2 check.git-service[.]com registered May 16

May 21, 2026 — @common-stack/generate-plugin npm (separate actor)

Versions 9.0.2-alpha.21 and 9.0.2-alpha.22 compromised. Attributed to PolinRider (DPRK APT) — not TeamPCP. Uses blockchain-anchored payload retrieval.

May 22–23, 2026 — Laravel-Lang

700+ tags across laravel-lang/lang, http-statuses, attributes, actions rewritten to malicious commits via org-wide push access. 15-module ~5,900-line PHP credential stealer; AES-256 encrypted exfil to flipboxstudio[.]info. Notably not formally attributed to TeamPCP in current reporting.

Protect Your Pipeline From the Next Attack
See how Boost detects and blocks supply chain attacks at the moment of ingestion before they reach your runners.
Request a Demo →