TeamPCP Infiltrates GitHub And Microsoft In Supply Chain Attack

A sophisticated supply chain attack orchestrated by the threat group TeamPCP has successfully infiltrated GitHub and Microsoft infrastructure, with malicious activity detected through May 24, 2026. The campaign leverages compromised developer accounts and poisoned packages to distribute malware across the software development ecosystem. Organizations relying on open-source dependencies face immediate risk of compromise through trojanized libraries and compromised CI/CD pipelines.

Introduction

The software supply chain has once again proven to be a lucrative attack vector for sophisticated threat actors. TeamPCP, a previously low-profile threat group, has emerged with a bold campaign targeting the very foundation of modern software development: GitHub repositories and Microsoft’s development infrastructure. This attack represents a significant escalation in supply chain threats, combining social engineering, credential compromise, and malicious code injection to achieve broad distribution across the software ecosystem.

Unlike opportunistic attacks, this campaign demonstrates careful planning, persistence, and intimate knowledge of developer workflows. The attackers maintained access for an extended period, with activity continuing through May 24, 2026, suggesting a well-resourced operation with strategic objectives beyond immediate financial gain.

Background & Context

Supply chain attacks have evolved from theoretical concerns to one of the most dangerous threat vectors in cybersecurity. The SolarWinds compromise, Codecov breach, and numerous npm package poisoning incidents have demonstrated how attackers can leverage trust relationships in the software ecosystem to achieve massive scale.

TeamPCP appears to have studied these previous campaigns extensively. The group’s name suggests either a deliberate attempt at misdirection or connections to underground communities. Their operational security and technical sophistication indicate this is not their first major operation, though their specific attribution remains uncertain.

GitHub hosts over 330 million repositories with more than 100 million developers, making it an ideal target for supply chain compromise. Microsoft’s Azure DevOps and development tools integration creates additional lateral movement opportunities once initial access is established. The combination of these two environments provides attackers with unprecedented reach into enterprise and open-source projects simultaneously.

The campaign’s timeline extending through May 2026 indicates either exceptional operational security that delayed detection or a calculated strategy of low-and-slow compromise to maximize persistence before discovery.

Technical Breakdown

The TeamPCP campaign operates through multiple attack vectors, demonstrating adaptability and technical depth:

Initial Access Vector:
The primary infection method involves credential harvesting through convincing phishing campaigns targeting developers. Attackers created fake security advisory emails purportedly from GitHub Security and Microsoft Security Response Center, directing victims to credential harvesting pages. These pages utilized legitimate-looking domains with typosquatting techniques:

githubsecurity-verify[.]com
ms-security-response[.]net
dev-azure-verification[.]com

Repository Compromise:
Once credentials were obtained, attackers identified repositories with high dependency counts and active maintenance. They then:

  • Forked legitimate repositories to attacker-controlled accounts
  • Injected malicious code into dependency files and build scripts
  • Submitted pull requests with seemingly benign feature additions
  • Socially engineered repository maintainers into merging malicious PRs

Malicious Package Distribution:
The attackers published trojanized versions of popular packages across multiple ecosystems:

# Example compromised packages identified:
npm: auth-validator-pro, secure-crypto-helper, json-parse-enhanced
PyPI: requests-security-ext, django-auth-helper, flask-secure-session
NuGet: Microsoft.Extensions.Security.Enhanced, Azure.Identity.Helper

Payload Mechanisms:
The malicious code employed several obfuscation techniques:

// Obfuscated backdoor in npm package
const _0x4a2b=['aHR0cHM6Ly9jMi50ZWFtcGNwW10=','base64'];
(function(_0x1d8f23,_0x4a2b38){
  const _0x5c3d89=function(_0x2d8f23){
    while(--_0x2d8f23){_0x1d8f23['push'](_0x1d8f23['shift']());}};
  _0x5c3d89(++_0x4a2b38);
}(_0x4a2b,0x1a3));
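
A static triage pass over the snippet above, as an added example that is not part of the original article: it decodes base64 string literals without executing the script and counts the obfuscator-style identifiers. The function names and thresholds are assumptions of this example.

```python
import base64
import binascii
import re

# Constructed input: the obfuscated snippet from the article, held as inert text.
SAMPLE_JS = r"""
const _0x4a2b=['aHR0cHM6Ly9jMi50ZWFtcGNwW10=','base64'];
(function(_0x1d8f23,_0x4a2b38){
  const _0x5c3d89=function(_0x2d8f23){
    while(--_0x2d8f23){_0x1d8f23['push'](_0x1d8f23['shift']());}};
  _0x5c3d89(++_0x4a2b38);
}(_0x4a2b,0x1a3));
"""

STRING_LITERAL = re.compile(r"""(['"])([A-Za-z0-9+/]{16,}={0,2})\1""")
HEX_IDENT = re.compile(r"\b_0x[0-9a-f]{4,}\b")
NETWORK_HINT = re.compile(r"^(https?|wss?)://|^\d{1,3}(\.\d{1,3}){3}")


def decoded_literals(source):
    """Return (literal, text) for quoted strings that are valid base64 of printable ASCII."""
    hits = []
    for match in STRING_LITERAL.finditer(source):
        literal = match.group(2)
        try:
            raw = base64.b64decode(literal, validate=True)
            text = raw.decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not base64, or decodes to binary: out of scope for this pass
        if text.isprintable():
            hits.append((literal, text))
    return hits


def triage(source):
    """Summarise the signals that justify manual review of an install or build script."""
    decoded = decoded_literals(source)
    return {
        "hex_identifiers": len(set(HEX_IDENT.findall(source))),
        "decoded": decoded,
        "network_strings": [text for _, text in decoded if NETWORK_HINT.search(text)],
        "rotates_string_array": "['push']" in source and "['shift']" in source,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_JS).items():
        print(f"{key}: {value}")
```

A decoded URL inside an install-time script is a reason to quarantine the package version and review it by hand; clean output does not clear a package, since strings can be split or encoded in other ways.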

The payload establishes persistence through:

  • Modified build scripts in CI/CD pipelines
  • Compromised GitHub Actions workflows
  • Trojanized developer tooling and extensions
  • Backdoored dependency resolution configurations

Command and Control:
TeamPCP utilized a sophisticated C2 infrastructure with rotating domains and encrypted communications channels. Traffic was disguised as legitimate API calls to development services, blending with normal developer activity.

Impact & Risk Assessment

The impact of this campaign extends far beyond the initially compromised accounts:

Immediate Risks:

  • Credential Exposure: Thousands of developer accounts potentially compromised
  • Code Integrity: Unknown number of repositories containing malicious code
  • Downstream Contamination: Applications built with compromised dependencies inherit the malicious payload
  • Enterprise Exposure: Organizations using affected packages face data exfiltration and lateral movement risks

Severity Assessment:
This attack warrants a CRITICAL severity rating due to:

  • Wide distribution through trusted channels
  • Extended dwell time allowing deep embedding
  • Difficulty in complete remediation
  • Potential for long-term persistence in deployed applications

Affected Industries:
All sectors utilizing modern software development practices face exposure, with particular concern for:

  • Financial services with rapid deployment cycles
  • Healthcare organizations using affected frameworks
  • Government agencies relying on open-source components
  • Technology companies with complex dependency chains

Scale Estimation:
Based on package download statistics and repository fork counts, conservative estimates suggest:

  • 10,000+ directly affected repositories
  • 500,000+ downstream dependent projects
  • Millions of deployed applications potentially compromised

Vendor Response

GitHub Response:
GitHub Security has issued emergency advisories and taken aggressive action:

  • Suspended 2,847 accounts associated with the campaign
  • Implemented enhanced authentication requirements for package publishers
  • Deployed automated scanning for known malicious patterns
  • Provided free access to GitHub Advanced Security for affected projects

Statement from GitHub: “We are working around the clock to identify and remove malicious content. Repository owners should immediately review recent pull requests and dependency changes.”

Microsoft Response:
Microsoft Security Response Center (MSRC) has coordinated across Azure DevOps and GitHub teams:

  • Mandatory password resets for flagged accounts
  • Enhanced monitoring of NuGet package submissions
  • Threat intelligence sharing with ecosystem partners
  • Investigation assistance for enterprise customers

Package Registry Actions:
npm, PyPI, and NuGet have all implemented emergency measures:

  • Removal of confirmed malicious packages
  • Temporary holds on newly published packages from unverified accounts
  • Enhanced verification for high-impact package maintainers

Mitigations & Workarounds

Immediate Actions Required:

  • Credential Rotation:
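# Re-run the GitHub CLI login flow for the stored credential, then confirm the active account and scopes.
# This does not revoke personal access tokens or OAuth app grants; revoke those in the account settings.
gh auth refresh -h github.com
gh auth status

# Generate a new SSH key and register it
ssh-keygen -t ed25519 -C "your_email@example.com"
gh ssh-key add ~/.ssh/id_ed25519.pub

# Revoke the old key: list the registered keys, then delete the old one by its ID
gh ssh-key list
gh ssh-key delete <key-id>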

  • Dependency Audit:
# For npm projects
npm audit --audit-level=critical
npm ls --depth=0

# For Python projects
pip-audit
safety check

# For .NET projects
dotnet list package --vulnerable

  • Repository Integrity Check:
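# Review recent commits
git log --all --since="2025-01-01" --author-date-order

# Check for unauthorized changes.
# HEAD@{30.days.ago} reads the local reflog, which is empty on a fresh clone,
# so resolve the commit from history instead.
git diff "$(git rev-list -1 --before='30 days ago' HEAD)" HEAD -- package.json package-lock.json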

  • CI/CD Pipeline Review:

Examine GitHub Actions, Azure Pipelines, and other automation for:

– Unauthorized workflow modifications
– Suspicious environment variable access
– Unexpected network connections
– Modified build scripts

Detection & Monitoring

Indicators of Compromise:

Network indicators:

c2.teampcp[.]net
dev-telemetry-collector[.]com
package-cdn-cache[.]org
IP ranges: 185.220.101.0/24, 194.180.48.0/24

File System Indicators:

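# Search for suspicious installation scripts
# (-print0 / -0 keeps paths with spaces intact; -r skips grep when nothing is found)
find . -type f \( -name "*.postinstall.js" -o -name "setup.py" \) -print0 | \
  xargs -0 -r grep -lE "eval|exec|base64"

# List hidden files changed in the last 90 days under package manager directories
find ~/.npm ~/.pyenv ~/.nuget -type f -name ".*" -mtime -90 2>/dev/null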

Behavioral Indicators:

  • Unusual outbound connections from build processes
  • Unexpected package installations during build
  • Modified dependency lock files without corresponding package.json changes
  • GitHub Actions accessing secrets outside normal workflow patterns
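
One way to check for the lock-file indicator in the list above, as an added example that is not part of the original article: it parses `git log --name-only` output and flags commits that change a lock file without a manifest in the same directory. The sample log is constructed, and the Poetry and NuGet pairs generalize beyond the npm case the article names.

```python
from fnmatch import fnmatch

# Lock file name -> manifest patterns expected beside it in the same commit.
# The npm pair is the article's; the Poetry and NuGet pairs are added by this example.
LOCK_TO_MANIFESTS = {
    "package-lock.json": ["package.json"],
    "poetry.lock": ["pyproject.toml"],
    "packages.lock.json": ["*.csproj", "Directory.Packages.props"],
}

# Constructed sample in the shape of: git log --name-only --format='commit %H|%an|%s'
SAMPLE_LOG = """\
commit 1111111|alice|Bump lodash to 4.17.21
package.json
package-lock.json

commit 2222222|build-bot|chore: tidy whitespace
package-lock.json
README.md

commit 3333333|carol|Add retry helper
src/retry.js
services/api/poetry.lock
"""

def parse_log(text):
    """Return [(sha, author, subject, [paths])]; blank lines are ignored."""
    commits = []
    for line in text.splitlines():
        if line.startswith("commit "):
            sha, author, subject = line[len("commit "):].split("|", 2)
            commits.append((sha, author, subject, []))
        elif line.strip() and commits:
            commits[-1][3].append(line.strip())
    return commits

def lock_only_commits(commits):
    """Return (sha, author, lock_path) where no manifest changed in the lock file's directory."""
    findings = []
    for sha, author, subject, paths in commits:
        for path in paths:
            directory, _, name = path.rpartition("/")
            manifests = LOCK_TO_MANIFESTS.get(name)
            if manifests is None:
                continue
            siblings = [p.rpartition("/")[2] for p in paths if p.rpartition("/")[0] == directory]
            if not any(fnmatch(s, m) for s in siblings for m in manifests):
                findings.append((sha, author, path))
    return findings
```

A hit is a prompt for review rather than a verdict: regenerating a lock file or updating a transitive dependency also changes only the lock file, so compare the resolved URLs and integrity hashes in the diff.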

SIEM Detection Rules:

# Example Sigma rule for TeamPCP C2 traffic
# c-dns is the field name as published; map it to the destination-host field of your proxy logs
title: TeamPCP C2 Communication
status: experimental
logsource:
    category: proxy
detection:
    selection:
        c-dns:
            - '*.teampcp.net'
            - 'dev-telemetry-collector.com'
            - 'package-cdn-cache.org'
    condition: selection
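
The same matching applied to proxy records, as an added example that is not part of the original article: it refangs the listed indicators, matches hosts on label boundaries so lookalike suffixes do not fire, and checks destination addresses against the listed ranges. The event tuples are constructed and the function names are assumptions of this example.

```python
import ipaddress

# Indicators as listed in the article, kept in defanged form until match time.
IOC_DOMAINS = ["c2.teampcp[.]net", "dev-telemetry-collector[.]com", "package-cdn-cache[.]org"]
IOC_NETWORKS = ["185.220.101.0/24", "194.180.48.0/24"]

# Constructed proxy records: (source host, destination host, destination IP).
SAMPLE_EVENTS = [
    ("ci-runner-07", "registry.npmjs.org", "104.16.0.10"),
    ("ci-runner-07", "API.C2.TeamPCP.net.", "203.0.113.9"),
    ("dev-laptop-3", "notpackage-cdn-cache.org", "198.51.100.4"),
    ("build-agent-2", "cdn.example.org", "185.220.101.77"),
    ("dev-laptop-3", "package-cdn-cache.org", "198.51.100.5"),
]

def refang(indicator):
    """Turn 'evil[.]com' back into 'evil.com' for comparison."""
    return indicator.replace("[.]", ".").lower()

def normalise_host(host):
    """Lower-case and drop the trailing root dot so 'Evil.COM.' equals 'evil.com'."""
    return host.strip().lower().rstrip(".")

def host_matches(host, domain):
    """Match the domain itself or any subdomain, on a label boundary only."""
    return host == domain or host.endswith("." + domain)

def match_events(events):
    """Return (source, host, dest_ip, reasons) for every record that hits an indicator."""
    domains = [refang(d) for d in IOC_DOMAINS]
    networks = [ipaddress.ip_network(n) for n in IOC_NETWORKS]
    hits = []
    for source, host, dest_ip in events:
        host_n = normalise_host(host)
        reasons = [f"domain:{d}" for d in domains if host_matches(host_n, d)]
        try:
            address = ipaddress.ip_address(dest_ip)
            reasons += [f"network:{n}" for n in networks if address in n]
        except ValueError:
            pass  # malformed or missing IP field: rely on the host match alone
        if reasons:
            hits.append((source, host_n, dest_ip, reasons))
    return hits

if __name__ == "__main__":
    for hit in match_events(SAMPLE_EVENTS):
        print(hit)
```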

Best Practices

Secure Development Hygiene:

  • Enable Multi-Factor Authentication (MFA):

– Mandatory hardware security keys for maintainers
– Time-based one-time passwords (TOTP) minimum for all contributors

  • Implement Code Review Processes:

– Require two-person approval for dependency changes
– Automated scanning before merge
– Security-focused review for external contributions

  • Dependency Management:

– Use lock files and verify integrity hashes
– Implement private package mirrors with security scanning
– Regular dependency audits and updates

  • Supply Chain Security Tools:
# Implement Sigstore signing
cosign sign-blob --key cosign.key artifact.tar.gz

# Use SLSA provenance
slsa-verifier verify-artifact artifact.tar.gz \
  --provenance-path artifact.tar.gz.intoto.jsonl \
  --source-uri github.com/org/repo

  • Network Segmentation:

– Isolate build environments from production
– Restrict outbound connections from CI/CD systems
– Monitor and alert on unusual build-time network activity

  • Secrets Management:

– Rotate credentials regularly and after any suspected compromise
– Use dedicated secrets management solutions
– Never commit credentials to repositories

Key Takeaways

The TeamPCP campaign demonstrates several critical lessons for the security community:

  • Trust is not transitive: Even code from trusted sources requires verification when dependencies are involved
  • Developer accounts are high-value targets: Attackers understand that compromising one maintainer can affect millions of users
  • Detection lag is dangerous: Extended dwell time from initial compromise to detection allows deep embedding
  • Ecosystem coordination is essential: Effective response requires collaboration between platforms, package registries, and consumers
  • Security tooling must evolve: Traditional security controls are insufficient for modern supply chain threats

Organizations must treat their software supply chain with the same security rigor as their network perimeter. The days of implicitly trusting open-source dependencies and development tools have ended. Every component in the software supply chain represents a potential attack vector that requires continuous monitoring and validation.

The TeamPCP campaign will not be the last sophisticated supply chain attack. As defenders implement stronger controls, attackers will continue to innovate. Vigilance, defense in depth, and community collaboration remain our best defenses against these evolving threats.

