TeamPCP — The Supply Chain Attack That Poisoned GitHub, OpenAI, and the Tools You Trust


May 25, 2026 — 8 min read — Pedro Jose

Your vulnerability scanner just became the vulnerability. Your AI gateway just became a backdoor. Your CI/CD pipeline just exfiltrated your secrets.

Between February and May 2026, a threat group tracked as TeamPCP (aka UNC6780) conducted the most devastating supply chain attack campaign in open-source history. They didn’t hack one company. They poisoned the tools developers and security teams trust — then used each compromise to fuel the next.

⚡ THE SCALE

• 20+ attack waves
• 500+ software versions compromised
• Hundreds of organizations impacted
• ~3,800 GitHub internal repositories exfiltrated
• Victims include GitHub, OpenAI, Grafana Labs, Mistral AI, UiPath, and Telnyx

The Attack Chain — Weaponizing Trust

1️⃣ Trivy & KICS — March 19, 2026
TeamPCP force-pushed malicious commits over 75 of 76 version tags of Aqua Security’s Trivy vulnerability scanner. Any CI/CD pipeline that ran Trivy that day had its secrets harvested. They also hijacked all 35 tags of the Checkmarx KICS GitHub Action.

2️⃣ LiteLLM — March 23-24, 2026
Using credentials stolen from Trivy, they published versions 1.82.7 and 1.82.8 directly to PyPI. The malware harvested SSH keys, AWS credentials, Kubernetes service account tokens, Docker configs, npm tokens, environment files, and cryptocurrency wallets. It could also escape Kubernetes pods.

3️⃣ Telnyx SDK — March 27, 2026
Using stolen credentials from LiteLLM, they compromised the Telnyx Python SDK (670k+ monthly downloads), injecting malware hidden via WAV audio file steganography.

4️⃣ TanStack & 160+ npm Packages — May 11-12, 2026
They compromised TanStack/router via GitHub Actions vulnerabilities. Result: 169 npm packages compromised, including @tanstack, @uipath, @mistralai, UiPath, and 160+ others. The PyPI packages guardrails-ai and mistralai were also compromised.

5️⃣ GitHub — May 18-20, 2026
They compromised the Nx Console VS Code extension (2.2M+ installations). A GitHub employee installed it. Within 18 minutes, the attacker had access to the employee’s device and exfiltrated ~3,800 internal GitHub repositories.

6️⃣ OpenAI, Grafana, Mistral AI — May 2026
The same attack chain compromised OpenAI (two employees), Grafana Labs, and Mistral AI via the TanStack vector.

📌 THE SELF-SUSTAINING WHEEL

Compromise a tool → steal credentials → use them to compromise the next tool → repeat.

They turned the open-source ecosystem against itself. Security scanners, AI gateways, SDKs, frontend frameworks, IDE extensions — nothing was off limits.
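The Trivy and KICS step worked because version tags are mutable: a pipeline that references an action by tag runs whatever commit the tag points to that day. The following check is an added example, not code from the article or from any affected project. It flags every `uses:` reference in a workflow that is not pinned to a full commit SHA (or, for `docker://` references, to an image digest). The action names and the SHA in the sample workflow are constructed placeholders.

```python
import re

# `uses:` as a step key, optionally as the first key of a YAML list item.
# Commented-out lines do not match because they start with '#'.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^\s'"#]+)""")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")

def find_mutable_refs(workflow_text):
    """Return (line_no, target) for each `uses:` whose ref can be moved by its owner."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        if target.startswith("./"):
            continue  # local action: versioned with the repository itself
        if target.startswith("docker://"):
            pinned = "@sha256:" in target  # image digest instead of a tag
        else:
            _, sep, ref = target.rpartition("@")
            pinned = bool(sep) and FULL_SHA_RE.fullmatch(ref) is not None
        if not pinned:
            findings.append((line_no, target))
    return findings

# Constructed sample workflow (hypothetical action names, placeholder SHA).
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # pinned
      - uses: example-org/scanner-action@v0.30.0
      - name: iac scan
        uses: example-org/iac-scan-action@main
      - uses: ./.github/actions/local
      - uses: docker://example/tool:latest
"""

if __name__ == "__main__":
    for line_no, target in find_mutable_refs(SAMPLE_WORKFLOW):
        print(f"line {line_no}: mutable reference {target}")
```
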

What They Stole — The Technical Arsenal

☁️ Cloud access tokens (AWS, GCP, Azure)
🔑 SSH private keys
🔐 Kubernetes service account tokens
🐳 Docker configurations
📦 npm tokens
🌿 GitHub OAuth tokens
💰 Cryptocurrency wallets
📁 .env files with database credentials
🖧 Persistent cluster backdoors
🔁 OIDC tokens from GitHub Actions

🧠 THE SCARY PART

The LiteLLM malware installed a .pth file that executes on EVERY Python startup — even after uninstalling the package. To fully remove it, you had to wipe the entire Python environment.

Even scarier: The TanStack compromise included a persistent wiper daemon called gh-token-monitor. If a compromised GitHub token was revoked, it executed rm -rf ~/ — wiping the user’s entire home directory.
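Because the `.pth` persistence described above survives uninstalling the package, a version check alone is not enough. The following audit is an added example, not code from the article or from LiteLLM. It flags the two LiteLLM releases the article names and lists every `.pth` line that Python's `site` module would execute at startup. The function names are illustrative, and the article does not give the malicious file's name, so the scan reports all executable `.pth` lines for review.

```python
import site
import sys
from importlib import metadata
from pathlib import Path

# Releases the article names as malicious; extend from your own advisories.
BAD_RELEASES = {"litellm": {"1.82.7", "1.82.8"}}

def executable_pth_lines(pth_text):
    """Lines site.py would exec() at startup: 'import' followed by space or tab."""
    return [ln for ln in pth_text.splitlines()
            if ln.startswith(("import ", "import\t"))]

def scan_site_dirs(dirs):
    """Map each .pth file containing executable lines to those lines."""
    hits = {}
    for d in dirs:
        for pth in sorted(Path(d).glob("*.pth")):
            lines = executable_pth_lines(pth.read_text(errors="replace"))
            if lines:
                hits[str(pth)] = lines
    return hits

def flagged_releases(installed):
    """installed: iterable of (name, version); return the known-bad pairs."""
    return [(n, v) for n, v in installed
            if v in BAD_RELEASES.get(n.lower(), ())]

def audit(dirs=None):
    """Audit the given site-packages dirs (default: this interpreter's own)."""
    if dirs is None:
        dirs = site.getsitepackages() + [site.getusersitepackages()]
    dirs = [d for d in dict.fromkeys(dirs) if Path(d).is_dir()]
    installed = [(dist.metadata.get("Name") or "", dist.version)
                 for dist in metadata.distributions(path=dirs)]
    return scan_site_dirs(dirs), flagged_releases(installed)

if __name__ == "__main__":
    pth_hits, bad = audit(sys.argv[1:] or None)
    for name, version in bad:
        print(f"known-bad release installed: {name}=={version}")
    for path, lines in pth_hits.items():
        # Some legitimate packages ship import lines in .pth files; review each hit.
        print(f"executable .pth: {path}")
        for ln in lines:
            print(f"    {ln[:120]}")
```

Run it from a separate, trusted interpreter and pass the suspect environment's site-packages directories as arguments, since starting the suspect interpreter normally already executes its `.pth` files.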

Why Your Security Team Didn’t Catch It

  • Valid provenance: The attackers stole OIDC tokens from GitHub Actions runner memory to publish packages with valid npm provenance — they looked completely legitimate
  • Steganography: Telnyx payloads hidden inside WAV audio files — no static analysis would flag them
  • Triple-channel C2: Exfiltration via domains, Session messenger network, AND GitHub API dead drops. Blocking one channel did nothing
  • Trust reversal: They poisoned security scanners first — the very tools used to detect compromises

Example: LiteLLM malware’s C2 setup. After installation, the malware checked for:

  • AWS credentials (via IMDS at 169.254.169.254)
  • Kubernetes service account tokens (/var/run/secrets/kubernetes.io/serviceaccount/token)
  • SSH keys (~/.ssh/id_rsa, id_dsa, id_ecdsa, id_ed25519)
  • Docker config (~/.docker/config.json)
  • npm tokens (~/.npmrc)
  • Environment files (.env, .env.local, .env.production)
  • Wallet files (Ethereum, Bitcoin, etc.)

The Current State — April 26 Update

Google’s Threat Intelligence Group (GTIG) released a comprehensive analysis on April 26, 2026. The group was tracked as UNC6780. Key findings:

  • TeamPCP open-sourced their malware code on GitHub before it was taken down — copycat attacks are now active
  • The campaign is still ongoing. Not “was.” Is.
  • They’ve expanded to targeting GitHub Actions caches and OIDC token theft as primary vectors

🔐 WHAT YOU NEED TO DO RIGHT NOW

✅ Check if you used any compromised versions of Trivy, KICS, LiteLLM, Telnyx, TanStack, or related npm/PyPI packages between Feb-May 2026
✅ Rotate ALL credentials — AWS, GitHub, npm, PyPI, Kubernetes tokens, SSH keys
✅ Check for gh-token-monitor persistence BEFORE revoking any GitHub tokens
✅ Review CI/CD pipeline logs for unexpected OIDC token usage
✅ Audit GitHub Actions cache for poisoned entries
✅ Assume breach if you used any compromised tools during the window

The Bottom Line

TeamPCP didn’t hack your firewall. They hacked the tools you trust to secure your infrastructure. Your vulnerability scanner became a backdoor. Your AI gateway exfiltrated your secrets. Your CI/CD pipeline served malware to your customers.

GitHub got hit. OpenAI got hit. Grafana, Mistral, UiPath, Telnyx, and hundreds of others got hit.

Your supply chain is not safe. Assume nothing. Verify everything.

🦞🔐


