All articles tagged with #teampcp
A cybercrime group known as TeamPCP has intensified software supply-chain attacks by poisoning hundreds of open-source tools, turning legitimate code into a foothold for extortion, with GitHub among the victims—signaling a shift from rare incidents to an ongoing, widespread threat in software security.
GitHub confirmed that a poisoned Visual Studio Code extension installed on an employee’s device led to the exfiltration of roughly 3,800 internal repositories; the malicious extension was removed from the VS Code Marketplace and the endpoint isolated, with incident response begun. Current assessment indicates only GitHub’s internal repositories were affected and there is no evidence that customer data outside the affected repos was compromised. The TeamPCP group has claimed access to about 4,000 repos on a cybercrime forum, though attribution remains unsettled. This follows a history of trojanized VS Code extensions used to steal code and credentials.
This weekly security roundup highlights rapid, multi-vector threats: on-prem Microsoft Exchange is being exploited via CVE-2026-42897 (spoofing/XSS), Cisco’s SD-WAN Controller faces active exploitation from CVE-2026-20182, and a TeamPCP‑driven wave poisons TanStack npm packages as part of a larger supply-chain campaign. The era of fake AI repos delivering stealer malware continues (Open-OSS/privacy-filter on Hugging Face). AI-assisted vulnerability discovery is accelerating with OpenAI’s Daybreak and Microsoft MDASH, alongside other notable findings (ransomware deals, new CVEs, and cross‑platform E2EE deployments). The takeaway: patch early, rotate keys, and assume software supply chains are compromised.
The Trivy vulnerability scanner was compromised in a supply-chain attack by threat actors TeamPCP, who backdoored the Trivy GitHub build process and trojanized releases and related GitHub Actions (notably v0.69.4). This allowed an infostealer to harvest credentials and other secrets from GitHub Actions runners, CI configs, and local developer environments, exfiltrating data to a typosquatted C2 server or via a public repo. Attackers gained write access to publish malicious releases and force-push most tags, making detection difficult; Aqua Security linked the breach to an earlier credential exfiltration and noted token rotation wasn't atomic. The incident is connected to a follow-up CanisterWorm npm campaign by the same actor. Remediation includes rotating all secrets, auditing for compromise, and investigating for persistence across environments.