TeamPCP and BreachForums Launch $1,000 Contest for Supply Chain Attacks
TeamPCP has partnered with BreachForums to launch a supply chain attack contest, incentivizing threat actors to compromise open-source packages using the open-sourced Shai-Hulud worm. The campaign targets CI/CD pipelines and developer environments to harvest credentials, posing a significant risk of downstream enterprise compromises.
Authors: Sarah Gooding
Source: Socket
What Happened
Cybercriminals from TeamPCP and BreachForums have started a contest paying hackers $1,000 to infect open-source software packages. The attackers are targeting tools used by software developers to steal passwords and access codes. This matters because compromised developer tools can lead to massive data breaches at the companies that use them. Organizations should strictly monitor their software supply chains and secure their development environments with strong access controls.
Key Takeaways
- TeamPCP and BreachForums have launched a contest offering $1,000 in Monero for the largest open-source supply chain compromise.
- Participants are required to use the newly open-sourced 'Shai-Hulud' worm to conduct their attacks.
- The scoring system incentivizes widespread, indiscriminate compromises across ecosystems like npm, PyPI, and Packagist based on download counts.
- The primary goal of the campaign is to harvest CI/CD secrets, cloud credentials, and maintainer tokens for downstream monetization by access brokers.
Affected Systems
- Open source package repositories (npm, PyPI, Packagist)
- CI/CD workflows
- GitHub Actions
- Docker images
- OpenVSX extensions
- Developer workstations
Attack Chain
Threat actors are incentivized to compromise open-source packages across repositories like npm, PyPI, and Packagist using the Shai-Hulud worm. Once a package is compromised and downloaded by a victim, the worm executes within the developer environment or CI/CD pipeline. The malware then harvests sensitive information, such as cloud credentials, maintainer tokens, and source code access. These stolen credentials are subsequently exfiltrated and monetized by access brokers like TeamPCP for follow-on attacks against enterprise environments.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
No specific detection rules or queries are provided in the article.
Detection Engineering Assessment
- EDR Visibility: Medium. EDR can detect anomalous processes spawned by development tools (e.g., node, python) and unauthorized file access, but may struggle to differentiate legitimate package installations from malicious ones without specific behavioral rules.
- Network Visibility: Medium. Network monitoring can catch unexpected outbound connections from CI/CD environments to known malicious infrastructure or unauthorized CDNs.
- Detection Difficulty: Hard. Supply chain attacks blend in with legitimate development activities, making it difficult to detect malicious code execution during routine package installations.
Required Log Sources
- Process Creation Logs (Event ID 4688 / Sysmon Event ID 1)
- DNS Query Logs
- CI/CD Pipeline Audit Logs
- Network Flow Logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for unexpected outbound network connections originating from CI/CD build runners or developer workstations during package installation phases. | Network Flow Logs, DNS Query Logs | Command and Control / Exfiltration | Medium |
| If you have visibility into process ancestry, look for package managers (npm, pip) spawning unusual child processes like curl, wget, or unauthorized scripting shells. | Process Creation Logs | Execution | High |
Control Gaps
- Lack of egress filtering on CI/CD build nodes
- Insufficient integrity checking for third-party dependencies
Key Behavioral Indicators
- Anomalous child processes spawned by package managers
- Unexpected access to environment variables or credential files (.aws/credentials, .env) during package installation
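The process-ancestry hypothesis and the two behavioral indicators above, sketched as hunting logic over process-creation events. This is an added example, not code from the Socket article; the event field names, the process-name sets and the sample events are constructed assumptions.

```python
# Event field names (pid, ppid, image, cmdline) and the name sets are assumptions.
PACKAGE_MANAGERS = {"npm", "npm-cli", "yarn", "pnpm", "pip", "pip3", "composer"}
INTERPRETERS = {"node", "python", "python3", "php"}
SUSPICIOUS_CHILDREN = {"curl", "wget", "sh", "bash", "powershell", "pwsh", "cmd"}
CREDENTIAL_MARKERS = (".aws/credentials", ".env")  # naive substring match

def stem(path):
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    for ext in (".exe", ".cmd", ".js"):
        name = name.removesuffix(ext)
    return name

def is_package_manager(ev):
    # npm and pip usually appear as "node .../npm-cli.js" or "python -m pip".
    args = ev["cmdline"].split()[1:3]
    return stem(ev["image"]) in PACKAGE_MANAGERS or (
        stem(ev["image"]) in INTERPRETERS and any(stem(a) in PACKAGE_MANAGERS for a in args))

def hunt(events):
    """Return (pid, package_manager_pid, reasons) for each flagged descendant."""
    by_pid = {ev["pid"]: ev for ev in events}
    findings = []
    for ev in events:
        reasons = []
        if stem(ev["image"]) in SUSPICIOUS_CHILDREN:
            reasons.append("suspicious child")
        if any(m in ev["cmdline"] for m in CREDENTIAL_MARKERS):
            reasons.append("credential file")
        parent, seen = by_pid.get(ev["ppid"]), set()
        while reasons and parent and parent["pid"] not in seen:
            if is_package_manager(parent):
                findings.append((ev["pid"], parent["pid"], reasons))
                break
            seen.add(parent["pid"])  # guard against pid-reuse loops
            parent = by_pid.get(parent["ppid"])
    return findings

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": "/usr/bin/node", "cmdline": "node /usr/lib/node_modules/npm/bin/npm-cli.js install"},
    {"pid": 101, "ppid": 100, "image": "/bin/sh", "cmdline": "sh -c node setup.js"},
    {"pid": 102, "ppid": 101, "image": "/usr/bin/node", "cmdline": "node setup.js"},
    {"pid": 103, "ppid": 102, "image": "/bin/cat", "cmdline": "cat /home/ci/.aws/credentials"},
    {"pid": 104, "ppid": 102, "image": "/usr/bin/curl", "cmdline": "curl -s https://example.invalid/x"},
    {"pid": 200, "ppid": 1, "image": "/usr/bin/python3", "cmdline": "python3 -m pip install requests"},
    {"pid": 300, "ppid": 1, "image": "/bin/bash", "cmdline": "bash"},
    {"pid": 301, "ppid": 300, "image": "/usr/bin/curl", "cmdline": "curl -s https://example.invalid/y"},
]
print(hunt(SAMPLE_EVENTS))
```

The `sh -c` lifecycle-script shell (pid 101) is flagged even though npm starts one for every install script, which illustrates why the table rates this hypothesis High for false positives; the interactive `bash` and its `curl` (pids 300, 301) are not flagged because no package manager is in their ancestry.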
False Positive Assessment
- Medium
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Consider auditing recently updated or newly added open-source dependencies in critical projects for anomalous code.
- Evaluate whether CI/CD secrets and maintainer tokens can be rotated if suspicious activity is detected.
Infrastructure Hardening
- Consider implementing strict egress filtering on CI/CD build runners to prevent unauthorized data exfiltration.
- Evaluate the use of private package repositories or dependency proxies to control and scan approved open-source packages.
User Protection
- If supported by your tooling, enforce least privilege access for developer accounts and CI/CD service principals.
- Consider implementing local endpoint monitoring on developer workstations to detect unauthorized access to credential stores.
Security Awareness
- Consider training developers on the risks of supply chain attacks and the importance of verifying package integrity.
- Evaluate incorporating secure coding practices and dependency review processes into standard developer onboarding.
MITRE ATT&CK Mapping
- T1195.001 - Supply Chain Compromise: Compromise Software Dependencies and Development Tools
- T1552 - Unsecured Credentials
- T1078 - Valid Accounts