Threat Intelligence

TeamPCP published their own malware on GitHub — with an instruction manual

On May 12, 2026 — one day after the TanStack npm attack — the threat group TeamPCP posted the complete source code for their Shai-Hulud credential-stealing worm to GitHub. Not accidentally. On purpose. With a README that included deployment instructions. The message in the repository read: “Shai-Hulud: Open Sourcing The Carnage. Is it vibe coded? Yes. Does it work? Let results speak. Change keys and C2 as needed. Love – TeamPCP.” ...

May 29, 2026

How a poisoned VS Code extension breached GitHub — and the npm attack that started it all

This week GitHub confirmed that roughly 3,800 of its internal repositories were breached after an employee installed a malicious VS Code extension. The extension was live on the official Visual Studio Marketplace for 18 minutes. That was enough. The breach didn’t come out of nowhere. It’s the latest escalation in a coordinated supply chain campaign by a threat group called TeamPCP — and it connects back to a sophisticated npm attack that happened ten days earlier. Here’s how the whole thing fits together. ...

May 21, 2026