TeamPCP: 317 npm Packages Poisoned in 20 Minutes

Published May 23, 2026 · by ALGERIATECH Editorial

⚡ Key Takeaways

In May 2026, threat group TeamPCP released 630+ malicious versions across 317 npm packages in 20 minutes — compromising TanStack (12 million weekly downloads), UiPath, and MistralAI integrations via CI/CD pipeline exploitation. The malware (mini Shai-hulud) carried valid cryptographic signatures, bypassed 2FA, stole AWS/GCP/Kubernetes credentials, persisted via VS Code and Claude Code config files, and exfiltrated data via Session, an anonymous messaging app.

Bottom Line: Engineering teams should audit GitHub Actions permissions across all repositories immediately, switch to hash-pinned dependencies for critical packages, and configure build environment egress filtering to block outbound messaging app connections — all three are this-sprint tasks requiring no new tooling.

Read Full Analysis ↓

🧭 Decision Radar

Relevance for Algeria
High
▾

Every Algerian software team using npm, Python packages, or open-source dependencies in their build pipelines faces the same exposure; Banxy, SofizPay, and enterprise IT teams building on JavaScript/Node.js stacks are directly in scope.

Infrastructure Ready?
Yes
▾

The defensive controls (GitHub Actions permission auditing, dependency pinning, egress filtering) run on the same infrastructure teams already use — no new platform investment required.

Skills Available?
Partial
▾

GitHub Actions configuration and CI/CD security are within the capability of most Algerian enterprise DevOps teams; SLSA attestation implementation requires more specialized knowledge currently available mainly in larger engineering teams.

Action Timeline
Immediate
▾

GitHub Actions permission audit and dependency pinning are this-sprint tasks; build environment egress filtering can be configured within a week on most CI/CD platforms.

Key Stakeholders
DevSecOps engineers, engineering leads, open-source maintainers, security architects

Decision Type
Tactical
▾

The required controls are configuration and workflow changes executable by engineering teams without organizational change.

Quick Take: Algerian engineering teams should complete three actions this sprint: run a GitHub Actions permissions audit across all repositories (enforcing minimum-permission permissions: blocks and manual approval for fork PRs), switch to hash-pinned dependencies for all critical packages, and configure build environment egress filtering to block outbound connections to messaging applications. These three changes close the specific attack vectors TeamPCP exploited and require no new tooling or budget.

630 Malicious Versions in 20 Minutes: The Timeline of the Mini Shai-Hulud Attack

On May 19, 2026, cybersecurity firms StepSecurity and SafeDep identified and issued warnings about an active supply chain attack against open-source npm packages. The scale was unprecedented in its speed: TeamPCP released over 630 malicious versions across 317 packages in approximately 20 minutes — a rate that suggests automated tooling was managing the package publication pipeline on the attacker’s behalf.

TeamPCP is a cloud-focused cybercriminal group that emerged in late 2025, specializing in automating supply-chain attacks and exploiting cloud-native infrastructure including Docker and Kubernetes environments. The group’s methodology in the mini Shai-hulud campaign is distinguished by several factors that set it apart from typical supply chain attacks:

The malicious updates carried valid cryptographic signatures — proving the attackers had compromised the CI/CD pipelines themselves, not merely the developer accounts
The malware bypassed two-factor authentication through the CI/CD pipeline compromise
The attack exploited overly broad GitHub Actions workflow permissions, using orphaned commits (code pushed to repository forks without corresponding branches) to inject the malicious dependency
The payload — a heavily obfuscated 2.3-megabyte module disguised as an initialization package — was fetched as a concealed dependency, not as a direct package modification

The TanStack React Router package alone receives over 12 million weekly downloads. OpenAI employee computers were compromised through the TanStack library in an earlier wave of the same campaign, demonstrating that the downstream blast radius of a high-download-rate package compromise extends far beyond the package’s direct users.

How Mini Shai-Hulud Works: The Full Kill Chain

Understanding the attack mechanics is prerequisite to building defences. The mini Shai-hulud campaign operates across five phases:

Phase 1 — CI/CD pipeline compromise. TeamPCP gained access to the CI/CD pipelines of target packages — not just the developer accounts. The attack exploited overly broad GitHub Actions workflow permissions. By pushing orphaned commits (commits that exist on a fork without a corresponding branch reference), TeamPCP could trigger CI/CD actions without the commit appearing in the standard pull request review flow. This is a structural weakness in how many open-source projects configure their GitHub Actions workflows.

Phase 2 — Signed malicious release. Because the attack occurred inside the CI/CD pipeline, the malicious release was signed with the package’s legitimate cryptographic signing key. This is the critical distinction from typical supply chain attacks: signature verification — the standard recommended defence — provides no protection when the signing infrastructure itself is compromised.

Phase 3 — Concealed dependency delivery. The malware arrived not as a visible change to the package’s public code, but as a concealed dependency that fetched a heavily obfuscated 2.3-megabyte payload disguised as an initialization module. Standard code review of the package diff would not reveal the malicious content — it would require analysis of the full dependency tree and the fetched payload.

Phase 4 — Credential exfiltration. Upon execution, the malware uses Bun (a JavaScript runtime) to systematically extract: AWS credentials from standard credential file locations, Google Cloud Platform access tokens, Kubernetes configuration files, HashiCorp Vault tokens, and local SSH keys and secret files. The CyberScoop analysis notes that stolen data was exfiltrated via Session, an anonymous messaging application — disguising the data theft as encrypted chat traffic and evading network monitoring tools that flag unusual outbound connections.

Phase 5 — Persistence via IDE integration. The malware embedded itself into configuration files for Visual Studio Code and Claude Code, ensuring automatic execution when developers opened projects containing the compromised package. This persistence mechanism survives package removal and turns compromised developer workstations into persistent exfiltration nodes.

What Security Engineers Should Do About Open-Source Supply Chain Risk

1. Audit GitHub Actions workflow permissions across all repositories immediately

The mini Shai-hulud attack exploited overly broad GitHub Actions permissions — a misconfiguration that is endemic in open-source and enterprise repositories. Run esecurityplanet.com’s supply chain security checklist against every repository in your organization: each workflow should run with the minimum permissions required (use permissions: blocks explicitly, not the default broad grant), pull request triggers from forks should require manual approval before workflows execute, and the GITHUB_TOKEN scope should be restricted to the specific resources each workflow needs. This audit is a one-time effort that closes the primary attack vector mini Shai-hulud exploited — and that dozens of other supply chain attack campaigns have used.

2. Pin dependencies to verified commit hashes, not version ranges

Most package.json and requirements files specify version ranges (^1.2.3, ~2.0.0) that resolve to the latest compatible version at install time. This means a malicious update to a dependency will automatically reach your build the next time you run npm install — which in a CI/CD pipeline is every build. Pinning dependencies to specific verified commit hashes (using tools like Renovate or Dependabot with hash pinning) means that a compromised package update does not automatically reach your build environment. The operational overhead is a weekly dependency update review cycle; the security benefit is that you control exactly which code version is executed. Sonatype’s 2026 State of the Software Supply Chain identifies version-range resolution as the most common mechanism through which malicious package updates reach enterprise builds.

3. Monitor for anomalous outbound connections from build environments, specifically to messaging apps

Mini Shai-hulud exfiltrated stolen credentials via Session, an anonymous messaging application — a technique specifically designed to evade network monitoring tools that focus on unusual external IP connections. Build environments should have egress filtering: CI/CD pipeline runners should only be permitted to make outbound connections to package registries (npm, PyPI, Maven), cloud provider APIs, and explicitly whitelisted endpoints. Any connection to a messaging application (Session, Telegram, WhatsApp, or similar) from a build runner should trigger an immediate alert. This control also catches other malware families that use messaging infrastructure for exfiltration — the technique is now documented enough to treat as a detection category.

4. Implement SLSA Level 2 or higher for packages you maintain

If your organization publishes open-source packages — or internal packages through a private registry — implementing Supply-chain Levels for Software Artifacts (SLSA) Level 2 provides provenance attestation: each build generates a signed attestation that describes exactly what inputs (source, toolchain, build environment) produced what outputs (the published package). This makes it possible for downstream consumers to verify that a package version they install corresponds to a specific reviewed source commit, and was built by an authenticated build process. SLSA Level 2 closes the orphaned commit attack vector that TeamPCP exploited: the attestation would fail if the build process was triggered by an orphaned commit rather than a reviewed and merged source commit.

The Correction Scenario: What Happens if the Industry Does Not Act

The mini Shai-hulud campaign represents an escalation in supply chain attack sophistication that has a predictable trajectory if left unaddressed. The four characteristics that made it effective — CI/CD pipeline compromise rather than developer account compromise, cryptographically signed malicious releases, concealed dependency delivery, and messaging-app-based exfiltration — are all now documented and replicable by threat actors with access to the original campaign’s tools and methodology.

Sonatype’s research tracks open-source malware as a growing category: the 2026 State of the Software Supply Chain report documents systematic growth in malicious package uploads across npm, PyPI, and Maven since 2021. TeamPCP’s 20-minute, 317-package operation demonstrates that the logistics of supply chain attacks have been automated — the constraint on attacker scale is no longer manual effort but target identification and CI/CD access.

The defensive response — GitHub Actions permission audits, dependency hash pinning, build environment egress filtering, SLSA attestation — is not exotic or expensive. It is mostly configuration hygiene that is already recommended by GitHub, npm, and the SLSA project. The gap between the recommended practice and the actual practice in enterprise and open-source repositories is the attack surface. Closing that gap, systematically and soon, is the correct response to a campaign that has demonstrated both the methodology and the automation to operate at scale.

Follow AlgeriaTech on LinkedIn for professional tech analysis Follow on LinkedIn

Follow @AlgeriaTechNews on X for daily tech insights Follow on X

Frequently Asked Questions

How did TeamPCP bypass two-factor authentication on developer accounts?

TeamPCP did not attack developer accounts directly — they compromised the CI/CD pipeline itself, specifically by exploiting overly broad GitHub Actions workflow permissions. By pushing orphaned commits (code changes to forks without corresponding branch references), they could trigger CI/CD workflows without the commit appearing in the standard pull request review process. Because the CI/CD pipeline had the signing credentials and package publishing credentials, the malicious release was signed with the legitimate key and published through the legitimate pipeline — bypassing 2FA at the account level entirely.

What makes mini Shai-hulud harder to detect than typical supply chain attacks?

Three technical factors make it unusually difficult to detect with standard tools. First, the malicious releases carried valid cryptographic signatures — meaning signature verification tools report them as legitimate. Second, the malicious payload arrived as a concealed dependency (fetched at runtime) rather than as visible code in the package diff — meaning a code review of the package change would not reveal the malware. Third, stolen credentials were exfiltrated via Session (an anonymous messaging application), disguising the data theft as encrypted chat traffic and evading network monitoring tools focused on unusual outbound IP connections.

Does SLSA attestation fully prevent supply chain attacks like mini Shai-hulud?

SLSA attestation at Level 2 would have significantly complicated the mini Shai-hulud attack by requiring each build to produce a signed provenance attestation linking the published package to a specific reviewed source commit and authenticated build process. An orphaned-commit-triggered build would fail to produce a valid attestation matching an approved source commit, alerting downstream consumers. However, SLSA is not a complete defence: if an attacker compromises the build environment itself (rather than the GitHub Actions workflow), they may be able to produce false attestations. SLSA Level 2 is a significant improvement over no attestation; SLSA Level 3 (isolated, hermetic builds) provides stronger guarantees.