TeamPCP 2026 Package Compromise Campaign
TeamPCP's 2026 package compromises formed a cross-ecosystem campaign against official open-source distribution paths, including PyPI, npm, Packagist, and CI/CD trusted publishing workflows. The member attacks share credential theft, developer secret harvesting, GitHub or package-registry token abuse, and repeated propagation attempts through compromised build and release infrastructure. Some records are small package-specific intrusions, while later Mini Shai-Hulud waves became broad worm activity. This campaign groups those records without forcing package-level evidence into one oversized attack file.
- Date: 2026-03-21 to 2026-05-12
- Category: Open Source
- Package Records: 12
- Impact: Credential theft
- Cause: CI/CD Exploit
- Attribution: TeamPCP
Campaign Context
- Motive: Credential Theft
- Target Surface: Build/CI
- Observed Duration: 52 days
Package Records
opengov-form-builder, litellm, telnyx, bitwarden-cli, xinference, sap-cap-js, intercom-client, intercom-php, pytorch-lightning, tanstack-router, mistralai-python, opensearch-js
Source Data
Source record: oss/campaigns/teampcp-2026/meta.yaml