How software development’s speed obsession enabled TeamPCP’s chaos crusade

TeamPCP has compromised more than 1,000 open-source software packages in less than four months, exposing how fragile trust in software dependencies and CI/CD pipelines has become. The campaign has targeted widely used repositories and developer tools to steal credentials and spread malicious code, with impacts tied to packages and projects like Trivy, npm, PyPI, GitHub Actions, and Mini Shai-Hulud.

Key points

  • TeamPCP injected malicious code into more than 1,000 software packages.
  • The group abused trust in open-source dependencies and CI/CD pipelines.
  • It targeted developer tools and repositories to steal cloud and Kubernetes credentials.
  • Victims and exposed packages included Checkmarx, Bitwarden, GitHub, Red Hat, and others.
  • TeamPCP also spread Mini Shai-Hulud and encouraged wider criminal reuse.

Read More: https://cyberscoop.com/teampcp-breaks-open-source-software-trust-model/