1. Introduction
This threat intelligence assessment profiles TeamPCP, a specialized supply chain extortion actor responsible for an ongoing package poisoning campaign. In May 2026, Augur threat tracking conclusively tied this syndicate to an automated propagation wave dubbed Mini Shai-Hulud. The attacks depended heavily on infrastructure that Augur behavioral profiling had already identified, providing users with more than 4 years of advance protection.
This campaign successfully published 639 malicious software versions across 323 npm packages within a single hour, severely impacting foundational software development ecosystems, including TanStack, Mistral AI, Laravel, npm, and AntV. Recently targeted enterprise victims include Trivy (Aqua Security), Red Hat, GitHub, and the European Commission. The subsequent public leak of the Shai-Hulud worm source code, paired with an active, TeamPCP-sponsored infiltration contest, has drastically expanded the threat vector beyond the core engineering cell. Publishing the malware provides independent affiliates and opportunistic copycats with a reusable, highly effective playbook for package poisoning and credential harvesting, while introducing significant noise that complicates defenders' forensic attribution. As of this report’s publishing, Augur is tracking numerous copycat strains of the open-sourced Shai-Hulud worm, with some versions (Miasma variant) displaying increased credential theft capabilities.
This report delivers an assessment of TeamPCP's motives, tradecraft, and broader defensive implications. The assessment also highlights critical pivot points where preemptive infrastructure tracking, early identification of anomalous publishing behaviors, and rigorous repository monitoring can mitigate corporate exposure before compromised open-source packages infiltrate enterprise build environments.
2. Executive Summary
TeamPCP represents an aggressive shift in the cyber threat landscape, away from traditional perimeter penetration and toward direct targeting of open-source projects and the software supply chain. The group’s operational model and extortion threats are heavily reinforced by a messaging pipeline that capitalizes on tech-sector hardships and uses theatrical, anti-AI themes to capture public attention and recruit operators, particularly those affected by the rising layoffs across the software sector.
A new dimension of TeamPCP's 2026 operations is their deliberate focus on artificial intelligence infrastructure and developer toolchains. AI development environments are uniquely exposed to this threat due to their heavy reliance on fast-moving, experimental open-source code and automated cloud pipelines for testing/training. These ecosystems naturally concentrate high-value API keys and cloud credentials in single environments, making them ideal targets for TeamPCP actors looking to maximize access and extortion leverage while also generating media visibility.
Defending against TeamPCP requires a fundamental transition from reactive incident response (IR) to preemptive defense. Because their automated credential theft occurs near instantaneously upon execution, traditional post-compromise endpoint alerts are entirely ineffective.
Augur Identifies Bulletproof Hosters Enabling TeamPCP
During investigation, Augur researchers found numerous TeamPCP IP artifacts sourced from Contabo GmbH and Ghosty Networks LLC, both bulletproof hosting providers Augur flagged prior to initial package poisoning. Augur’s clustering model identified the malicious infrastructure, alongside their monitored clusters, over 4 years before it was publicly reported and operationalized. Over sixty percent of the preemptively identified infrastructure lies within AS51167 (Contabo GmbH), accumulating mostly across 5 preemptively blocked, distinct CIDR ranges. Organizations leveraging Augur's monitoring would have seen this infrastructure automatically blocked prior to malicious staging.
Augur advises organizations to immediately pivot toward strict dependency governance, including version pinning, manual review windows for newly published packages, and restricting secrets in development pipelines. Disruption must occur upstream, through rigorous repository monitoring and aggressive blocking of threat actor infrastructure, to stop malicious packages before they reach internal build pipelines.
3. Threat Actor Motives and Messaging
TeamPCP is a highly sophisticated, financially motivated cybercrime cluster that has systematically pivoted its operational model to target the global software supply chain. Publicly tracked across the security industry under various aliases, including PCPcat, ShellForce, Persy_PCP, and DeadCatx3, the group was initially observed in late 2025 during the widespread exploitation of the React2Shell vulnerability (tracked as CVE-2025-55182) before pivoting in 2026 to high-speed compromises of developer ecosystems and open-source software registries. The group operates primarily as an extortion collective, leveraging specialized malware with worm-like propagation capabilities to place malicious payloads directly into trusted, legitimate update streams. Their overarching monetization strategy relies on a dual-track extortion framework, using downstream access gained through poisoned packages to deploy ransomware and orchestrate enterprise-wide data theft and ransom in environments that are already infiltrated.
Augur’s psychological and operational profile is corroborated by the group’s public communications and media engagements. In a verified interview with Forbes, an authorized TeamPCP spokesperson, operating under the moniker T00001B, detailed the core demographics of the collective, describing the group as a loose-knit, international syndicate composed primarily of highly capable teenagers and young adults. According to T00001B, these operators turned to cybercrime as a result of systemic hardships in the technology sector, including corporate layoffs, widespread stagnation in entry-level hiring, and economic displacement driven by software automation. This specific socioeconomic grievance explains why the group focuses so heavily on recruiting talented but underemployed software engineers, viewing this talent pool as a way to validate their cause and strengthen their technical capability for future operations.
A High-Visibility Threat Actor
To bolster these operations, TeamPCP maintains an aggressive, vocal online footprint across underground forums and social media networks despite ongoing waves of bans from hosting providers and platform administrators. This persistent behavior indicates that the syndicate views public attention as a critical metric that sits on equal footing with monetization. By keeping their operations highly visible, the group maintains intense extortion pressure on their active victims while strengthening the public validity of their cause to the broader underground community.
To capitalize on these tech-sector grievances and maximize its public reach, TeamPCP wraps its operations in a highly structured adversarial narrative based on its Shai-Hulud malware family. Drawing explicit inspiration from the Butlerian Jihad within Denis Villeneuve's Dune universe, the group frames its campaigns as a symbolic, justifiable revolt against thinking machines and a tech-obsessed society. TeamPCP uses this anti-automation messaging throughout their online postings and ransom notes to explicitly target artificial intelligence companies and adjacent developer toolchains. This theatrical branding serves two distinct purposes. First, it generates continuous tech-media coverage that amplifies their extortion leverage against corporate victims. Second, it transforms their standard, profit-driven corporate extortion behavior into a more moral pseudo-hacktivist movement. This positioning appeals directly to the thousands of skilled technical workers across the West who feel alienated by widespread automation and rising tech-sector layoffs, allowing operators to weaponize employment frustration directly into recruits for future supply chain attacks.
Today, TeamPCP’s operations span a complex, three-layered ecosystem that severely complicates attribution and incident response for defenders. The apex layer consists of the core TeamPCP engineering cell, which is responsible for discovering flaws in continuous integration tools and executing initial upstream supply chain compromises against critical software tools. The second layer is defined by strategic criminal partnerships, where TeamPCP intersects with mature corporate extortion syndicates to further monetize large-scale data theft. This operational overlap has been repeatedly validated, most notably during the May 2026 GitHub internal repository exfiltrations, where TeamPCP actively collaborated with the LAPSUS$ group, which has verified historical ties to ShinyHunters and the Vect Ransomware Group. The final layer is a specially composed decentralized network of copycats and independent threat actors. This layer was deliberately created when TeamPCP hosted an official contest on BreachForums, offering a $1,000 reward and formal group admission to external actors who achieved the highest victim volume using the group’s now open-sourced Shai-Hulud worm. While the original repository was quickly removed from GitHub, the code persisted through independent researchers and malware analysts who republished the source files for analysis. The group’s democratization of their malware enables TeamPCP to flood open-source registries with ambient noise, both draining enterprise incident-response resources and fatiguing defenders, while the core group continues to execute high-value corporate intrusions.
4. Methods and Tradecraft
The core operational advantage of TeamPCP lies in its ability to convert localized developer access into automated, wide-scale package poisoning. Unlike traditional threat actors who focus on penetrating enterprise network perimeters, TeamPCP operates entirely within the software production trust layer. By embedding their operations within trusted development tools, source code repositories, and package registries, the group bypasses standard perimeter controls and enters corporate environments through legitimate, pre-authorized channels. Their campaigns rely on a tightly orchestrated, rapid sequence of supply chain manipulations, culminating in automated credential harvesting and infrastructure hijacking, allowing them to push out compromised products.
The initial access phase is driven almost exclusively by trust path exploitation. TeamPCP targets the soft underbelly of the development lifecycle by employing dependency confusion and typo-squatting techniques on public registries to trick automated build tools into pulling malicious code. In their targeted campaigns, operators exploit flaws in continuous integration pipelines, notably weaponizing the pull_request_target trigger in GitHub Actions. This allows untrusted fork code to execute within a repository's privileged context, enabling attackers to poison continuous integration caches. Additionally, TeamPCP compromises legitimate maintainer accounts on platforms like npm and PyPI via stolen session tokens and weak authentication practices, then uses these hijacked identities to approve and publish malicious updates to widely used packages and marketplaces, including Microsoft’s Visual Studio Code Extension Marketplace.
After a successful intrusion, TeamPCP initiates an automated credential scavenging phase to maximize credential theft and access amplification. During execution, the embedded Shai-Hulud payload runs a silent, aggressive discovery sweep. The malware actively scans more than one thousand known credential locations and parses environment variables. To capture active session tokens, the payload reads the continuous integration runner's process memory at /proc/<pid>/mem to extract raw tokens and GitHub authentication keys. The malware specifically exfiltrates high-value secrets from the environment, including GitHub personal access tokens, npm and PyPI publishing credentials, cloud provider access keys, and large language model application programming interface keys. This harvesting also scrapes local filesystems, memory spaces, and developer tool configurations to unearth any credentials that could provide access to additional software distribution paths, ensuring that the compromised environment is completely exploited for upstream/downstream access.
These stolen credentials directly fuel what analysts describe as a “surfable” compromise wave. Instead of establishing long-term persistence, TeamPCP immediately repurposes the harvested keys to authenticate into adjacent registries, access private repositories, and publish new malicious software releases under the victim's name. This creates a cascading, automated chain in which each newly breached environment becomes the staging ground and launchpad for the next supply chain attack. Because the propagation occurs through legitimate update channels and utilizes authentic developer credentials, the lateral movement appears completely benign to standard behavioral monitoring tools.
The execution and evasion tactics used by TeamPCP are specifically engineered to outpace traditional incident response timelines. The poisoned code enters enterprise environments disguised under legitimate package names, operating silently during routine software installations and build workflows. The group uses package lifecycle scripts, such as npm preinstall and postinstall, to automatically trigger payload execution without requiring the developer to run a binary. The initial payload progresses with a minimal footprint, performing its credential harvesting and exfiltration sweeps in a matter of seconds before security teams or automated endpoint detection and response (EDR) agents can flag the anomalous network traffic. By the time a defender identifies the suspicious package, the threat actor has already stolen the necessary tokens, authenticated to the target registry, and pushed the next wave of poisoned code.
5. Augur Analysis
Figure 1: Augur TeamPCP Identifier Tags
TeamPCP demonstrates a deliberate and consistent preference for low-accountability hosting infrastructure. Sixty percent of their observed IPs are concentrated within Contabo GmbH (AS51167), a German VPS provider that Augur has classified as bulletproof, spread across five distinct CIDR ranges within the same AS, indicating systematic range-hopping within a trusted hosting relationship. The remaining active IP, 217.114.42.70, sits behind DDOS-Guard, another abuse-prone host that operates as a Russian DDoS protection and CDN service, historically used to shield C2 infrastructure from takedown. This dual-provider pattern, low-cost European VPS for scanning and staging, Russian DDoS protection for active command-and-control, is consistent with an actor who has built operational continuity into their infrastructure choices and is not improvising hosting under pressure. It is the hallmark of an operationally mature threat actor who has internalized OPSEC lessons regarding infrastructure resilience.
Figure 2: TeamPCP IP Infrastructure and Hosting
Augur's prediction coverage of the TeamPCP infrastructure illustrates why behavioral clustering outperforms reactive threat intelligence in supply chain scenarios. Cluster profile-149075, more tightly attributed to TeamPCP and wiper tooling consistent with Mini Shai-Hulud's more destructive class, was first predicted by Augur in November 2021, a full 1,585 days before its first recorded public detection in April 2026. That is 4.3 years of actionable lead time during which any organization enforcing Augur's block feed would have had this infrastructure flagged and blocked before any package repository was poisoned.
These lead times reflect Augur's behavioral clustering of CIDR blocks exhibiting characteristics consistent with malicious pre-positioning: low-volume malware delivery, proxy and phishing scaffolding, and scanner activity used to map target environments well before operators introduce a destructive payload.
A second cluster, profile-148826, was predicted seven months before public detection and carries co-attributed commodity malware, including LummaC2, Rhadamanthys, HijackLoader, and AsyncRAT, a toolset consistent with credential-harvesting and staging operations that precede supply chain injection. Critically, profile-135086, the largest cluster associated with TeamPCP at 90,624 total IPs, has no public detection date, meaning the infrastructure has been in Augur's dataset since September 2020 without ever appearing in an external threat feed.
For a supply chain-focused actor like TeamPCP, this pre-positioning is operationally significant: the infrastructure used to deliver Mini Shai-Hulud into software build pipelines and package repositories was seeded months to years in advance, making it invisible to signature-based detection until the moment of weaponization. For actors whose entire operational advantage depends on remaining undetected during that phase, this visibility eliminates that window entirely.
Figure 3: Augur Insight Clusters tied to TeamPCP
From a defensive standpoint, the Augur dataset provides two actionable advantages. First, the CIDR-level prediction data gives defenders the ability to block or alert on 217.114.42.0/25 and the full Contabo AS51167 ranges used by TeamPCP before any further malicious payloads are disseminated; the predictions predate public disclosure by years, meaning organizations ingesting Augur's block feed would have had this infrastructure blocked automatically long before it was used in active operations.
Second, the co-occurrence of TeamPCP identifiers with known commodity malware families (Rhadamanthys, LummaC2, HijackLoader, and AMOS in profile-148826; Cobalt Strike, Emotet, and Zeus in profile-84505) indicates that TeamPCP either shares infrastructure with other threat actors or leases capacity on shared bulletproof hosting networks. This makes cross-actor CIDR blocking an effective force multiplier: neutralizing the Contabo ranges disrupts not only TeamPCP but co-tenant actors and their malware. For organizations exposed to software supply chain risk, prioritizing block enforcement on AS51167 and DDOS-Guard-sourced CIDRs remains the highest-leverage single mitigation available from this corpus.
6. Mitigations
Defending enterprise environments against TeamPCP requires an immediate shift from reactive incident response to aggressive, preemptive infrastructure tracking and strict dependency governance. This threat cluster uses fast-paced automation to harvest secrets and propagate malware within seconds of execution, meaning legacy post-compromise alerting is too late. Security organizations must establish hard boundaries around trusted developer tools and continuous integration pipelines, ensuring that no dev utilities run with unrestricted access or have access to environment credentials by default. The real fix is stopping malicious packages before they ever make it into your development pipeline.
Priority Actions for Immediate Triage
- Execute Immediate Dependency Audits: Systematically identify all targeted package versions across developer endpoints, build containers, centralized repositories, and production environments. As active compromises span dozens of open source ecosystems, security teams must implement automated, continuous scanning to detect newly poisoned dependencies before they migrate into enterprise environments.
- Implement Universal Secret Rotation: Immediately revoke and rotate all GitHub personal access tokens, registry publishing keys for npm and PyPI, cloud provider credentials, cryptographic keys, and Kubernetes service tokens exposed to build runners. Any verified execution of a TeamPCP payload must be treated as a full-credential compromise requiring comprehensive revocation and triage across all adjacent environments.
- Perform Rigorous Workflow Inspections: Audit all continuous integration configurations specifically for structural misuse of privileged triggers such as the pull_request_target parameter in GitHub Actions. Eliminate patterns that allow untrusted fork code to execute in a privileged context, sanitize input variables to block script injection, and restrict workflow permissions to prevent build cache poisoning by untrusted external pull requests.
- Assess Impacted Security Tooling: Treat the compromise of integrated security utilities, such as software scanning tools like Trivy, as maximum-severity containment events. Diagnostic scanners naturally require sweeping visibility into source code and underlying product infrastructure, meaning a compromised scanner grants the threat actor immediate, privileged visibility into corporate assets.
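An added example (not part of the original report or of Augur tooling) of the workflow inspection described above: a line-based Node.js check that flags pull_request_target workflows which hand a fork-controlled ref to a checkout step, expand pull request fields inside run steps, or lack an explicit permissions block. The rule names and both sample workflows are constructed for illustration.

```javascript
// Added example: heuristic, line-based audit of a GitHub Actions workflow.
// It does not parse YAML, so treat each hit as a prompt for manual review.
const UNTRUSTED_REF =
  /\$\{\{\s*github\.(event\.pull_request\.head\.(sha|ref)|head_ref)\s*\}\}|refs\/pull\//;
const UNTRUSTED_INPUT =
  /\$\{\{\s*github\.(event\.pull_request\.(title|body|head\.(ref|label))|head_ref)\s*\}\}/;

function auditWorkflow(text) {
  const lines = text.split(/\r?\n/).map((l) => l.replace(/(^|\s)#.*$/, ''));
  const findings = [];
  // Only workflows that use the privileged trigger are in scope.
  if (!lines.some((l) => /\bpull_request_target\b/.test(l))) return findings;
  // Without an explicit permissions block the token falls back to repo defaults.
  if (!lines.some((l) => /^\s*permissions:/.test(l))) {
    findings.push({ rule: 'no-explicit-permissions', line: 0 });
  }
  let runCol = -1; // column of the current `run:` key, -1 when outside a run block
  lines.forEach((line, i) => {
    const indent = line.search(/\S/);
    if (indent === -1) return; // blank or comment-only line
    const run = /^(\s*(?:-\s+)?)run:\s*(.*)$/.exec(line);
    if (run) runCol = run[1].length;
    else if (runCol >= 0 && indent <= runCol) runCol = -1; // dedent ends the block
    // Fork-controlled ref handed to a checkout step.
    if (/^\s*ref:/.test(line) && UNTRUSTED_REF.test(line)) {
      findings.push({ rule: 'checkout-untrusted-ref', line: i + 1 });
    }
    // Pull request fields expanded directly into shell text.
    if (runCol >= 0 && UNTRUSTED_INPUT.test(run ? run[2] : line)) {
      findings.push({ rule: 'untrusted-input-in-run', line: i + 1 });
    }
  });
  return findings;
}

// Constructed sample workflows (hypothetical, not from any real repository).
const RISKY = [
  'on:',
  '  pull_request_target:',
  'jobs:',
  '  build:',
  '    runs-on: ubuntu-latest',
  '    steps:',
  '      - uses: actions/checkout@v4',
  '        with:',
  '          ref: ${{ github.event.pull_request.head.sha }}',
  '      - run: |',
  '          echo "Building ${{ github.event.pull_request.title }}"',
  '          npm ci',
].join('\n');
const HARDENED = [
  'on: pull_request_target',
  'permissions:',
  '  contents: read',
  'jobs:',
  '  greet:',
  '    runs-on: ubuntu-latest',
  '    steps:',
  '      - env:',
  '          PR_TITLE: ${{ github.event.pull_request.title }}',
  '        run: echo "Building $PR_TITLE"',
].join('\n');

console.log(auditWorkflow(RISKY));    // three findings
console.log(auditWorkflow(HARDENED)); // no findings
```

The hardened sample passes because the pull request title reaches the shell only through an environment variable and no fork code is checked out.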
Strategic Mitigations and Hardening
- Enforce Dependency Version Pinning and Ingestion Delays: Mandate strict version pinning for all software dependencies across every build configuration. Establish formal cooldown periods and minimum package age thresholds to delay the automatic adoption of newly published versions, giving defenders a buffer window for public registries to discover and remove poisoned code before it is ingested by internal pipelines.
- Apply Strict Least Privilege to Build Pipelines: Restrict the exposure of secrets in automated pipelines by transitioning to short-lived, scoped tokens dynamically generated for specific tasks. Ensure that sensitive publishing credentials and AI application programming interface keys are isolated from general build steps that do not explicitly require them.
- Establish Extension Governance Frameworks: Implement strict endpoint controls to block unapproved or third-party extensions within integrated development environments, including the simple IDE extensions developers use to personalize their coding environments (e.g., those from the Visual Studio Code Extension Marketplace). Restrict extension installation capabilities on any endpoint that possesses direct access to internal source repositories or production infrastructure.
- Conduct Proactive Behavioral Threat Hunting: Establish continuous monitoring protocols to detect unique Shai-Hulud behavioral indicators within active developer sessions and pipeline runners. Security teams must hunt for unauthorized memory and database reads, abnormal token traffic, unexpected repository write operations, dead drop commits, and unauthorized code updates that mimic legitimate automated processes.
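An added example (not part of the original report) of the pinning and ingestion-delay controls above, which also covers the npm lifecycle-script execution path described in Section 4: a Node.js gate over a package-lock.json that flags unpinned ranges, packages whose lockfile entry carries hasInstallScript, and versions younger than a minimum age. The package names, dates, threshold and allowlist are constructed; in practice the publish times would come from the registry's per-package time metadata.

```javascript
// Added example: gate an npm lockfile (lockfileVersion 3 layout) before install.
const DAY_MS = 24 * 60 * 60 * 1000;

function gateLockfile(lock, publishTimes, { now, minAgeDays, allowScripts }) {
  const findings = [];
  const root = lock.packages[''] || {};
  const declared = { ...root.dependencies, ...root.devDependencies };

  // 1. Pinning: a declared dependency must name one exact version (no ^, ~, * or tag).
  for (const [name, range] of Object.entries(declared)) {
    if (!/^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/.test(range)) {
      findings.push({ name, rule: 'unpinned-range', detail: range });
    }
  }

  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === '' || entry.link) continue; // skip the root project and workspace links
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);

    // 2. Lifecycle scripts: preinstall/install/postinstall run on install, so
    //    only explicitly reviewed packages may carry them.
    if (entry.hasInstallScript && !allowScripts.has(name)) {
      findings.push({ name, rule: 'install-script', detail: entry.version });
    }

    // 3. Cooldown: refuse versions published more recently than the policy allows.
    const published = (publishTimes[name] || {})[entry.version];
    if (!published) {
      findings.push({ name, rule: 'unknown-publish-time', detail: entry.version });
      continue;
    }
    const ageDays = Math.floor((now - new Date(published)) / DAY_MS);
    if (ageDays < minAgeDays) {
      findings.push({ name, rule: 'too-new', detail: `${entry.version} is ${ageDays}d old` });
    }
  }
  return findings;
}

// Constructed inputs: hypothetical package names, versions and dates.
const LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { 'example-ui-kit': '^4.2.0', '@example/logger': '1.3.0' } },
    'node_modules/example-ui-kit': { version: '4.2.1', hasInstallScript: true },
    'node_modules/@example/logger': { version: '1.3.0' },
    'node_modules/example-ui-kit/node_modules/example-native-addon': {
      version: '2.0.0', hasInstallScript: true,
    },
  },
};
const PUBLISH_TIMES = {
  'example-ui-kit': { '4.2.1': '2026-05-19T12:00:00Z' },
  '@example/logger': { '1.3.0': '2025-11-02T09:30:00Z' },
  'example-native-addon': { '2.0.0': '2024-01-15T00:00:00Z' },
};
const POLICY = {
  now: new Date('2026-05-20T00:00:00Z'), // fixed clock so the result is reproducible
  minAgeDays: 7,
  allowScripts: new Set(['example-native-addon']),
};

console.log(gateLockfile(LOCK, PUBLISH_TIMES, POLICY));
```

A CI job would fail the build when the returned list is non-empty, before any install step runs.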
For questions or additional analysis, contact: research@augursecurity.com
7. Appendix - List of Poisoned TeamPCP Packages

