Widespread Supply Chain Attack: TeamPCP Hijacks npm and PyPI Packages via GitHub Actions Misconfiguration

Massive Compromise Hits JavaScript and Python Ecosystems

In a significant escalation of software supply chain attacks, the threat group known as TeamPCP successfully compromised 170 packages across the npm and PyPI registries within a matter of hours on May 11. The attack leveraged automated worm capabilities to spread rapidly, affecting widely used libraries and SDKs.

Widespread Supply Chain Attack: TeamPCP Hijacks npm and PyPI Packages via GitHub Actions Misconfiguration
Source: www.infoworld.com

The incident took down the entire @tanstack ecosystem—42 packages used by React developers—as well as Mistral AI’s SDK suite on both platforms, and the Guardrails AI PyPI package. Other impacted namespaces include @squawk (87 packages), @uipath (66 packages), @tallyui (30 packages), and @beproduct (18 packages). Security vendors detected the breach within hours, though the exact number of affected versions varies: Aikido Security reported 373 package versions across 169 namespaces, while SafeDep counted 404 versions across 170 npm packages and two PyPI packages.

How the Attack Worked: Exploiting GitHub Actions Misconfiguration

The attackers did not steal maintainer credentials directly. Instead, they exploited a common misconfiguration in GitHub Actions: the pull_request_target trigger. This trigger lets a repository's workflows run automatically on pull requests opened by third parties, without waiting for a maintainer to approve the run, a feature designed to reduce approval fatigue. However, the run also has access to short-lived OpenID Connect (OIDC) tokens that the runner uses to authenticate as the repository owner.

TeamPCP crafted malicious pull requests to projects using this trigger. Once the workflow ran, the attackers scraped the OIDC tokens, gaining the same permissions as the project maintainer. Armed with these tokens, they injected the Mini Shai-Hulud malware into the legitimate release pipeline, publishing poisoned package versions to npm and PyPI.

Worm Capabilities and Rapid Spread

The Mini Shai-Hulud platform is automated and self-propagating. After compromising one package, it scanned the maintainer’s connected repositories and dependencies, spreading to other projects that shared similar triggers or tokens. This worm-like behavior explains how a single attack vector could compromise 170 packages within hours.

The Malware: Mini Shai-Hulud’s Destructive Intent

Once inside a developer’s environment, Mini Shai-Hulud steals credentials—GitHub and npm tokens, cloud API keys, Kubernetes service accounts, and SSH keys. It also collects environment variables and configuration files. But the most alarming feature is a “dead man’s switch” monitor: if a developer revokes a stolen GitHub token, the malware attempts to delete the user’s entire home directory. This retaliatory mechanism makes token rotation risky and increases the pressure on victims to leave the backdoor untouched.

TeamPCP’s Growing Track Record in Supply Chain Attacks

TeamPCP has been active in recent months with similar high-profile compromises. In April, they targeted the command-line version of the Bitwarden password manager. In March, they hit Aqua Security’s Trivy open-source vulnerability scanner—a breach that later led to a data leak on the EU’s Europa.eu web hub. These attacks follow a pattern: exploiting CI/CD pipeline misconfigurations to publish malicious versions of trusted open-source tools.

Targeting US Developers During Working Hours

According to Abhisek Datta, founder of SafeDep—one of the first vendors to detect the attack—TeamPCP deliberately designed the campaign to affect US developers during their peak working hours. “They know that high-profile attacks will be detected quickly by the industry,” Datta noted. “By targeting specific US working hours, they likely want to maximize their return during a short window.” This timing suggests the group is focused on stealing credentials from active developers, hoping to gain access to enterprise networks through developer environments.

Mitigation and Takeaways

The incident underscores the risks of relying on automated CI/CD triggers without proper safeguards. Developers should audit their use of pull_request_target and consider replacing it with safer alternatives like pull_request combined with manual approval. Additionally, token permissions should be scoped to the minimum required, and OIDC token lifespans should be shortened where possible.
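As an added example (not code from the article or from any of the affected projects), the following Python audit flags workflow files that combine the pull_request_target trigger described above with a checkout of the PR head and an OIDC-capable token grant, and shows the pull_request-plus-approval alternative recommended here passing the same check. The two workflow texts and the pr-review environment name are constructed for illustration.

```python
import re

# Constructed sample workflows for illustration; neither comes from a real project.
RISKY_WORKFLOW = """\
name: ci
on:
  pull_request_target:
permissions:
  id-token: write   # lets the run mint an OIDC token
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # fork code, base privileges
      - run: npm ci && npm test
"""

SAFER_WORKFLOW = """\
name: ci
on:
  pull_request:   # fork PRs get a read-only token and no secrets
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    environment: pr-review   # hypothetical environment with required reviewers
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""

PR_HEAD = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")

def audit_workflow(text: str) -> list[str]:
    """Return findings for one workflow file; an empty list means no risky pattern."""
    # Heuristic text match rather than full YAML parsing: any mention is worth a look.
    if not re.search(r"\bpull_request_target\b", text):
        return []
    findings = ["uses pull_request_target"]
    if PR_HEAD.search(text):
        findings.append("checks out the untrusted PR head while running with base-repo privileges")
    if re.search(r"^\s*id-token\s*:\s*write", text, re.M):
        findings.append("grants id-token: write, so an OIDC token can be minted from a PR-triggered run")
    if re.search(r"\$\{\{\s*secrets\.", text):
        findings.append("references repository secrets")
    return findings
```

Run audit_workflow over each file in .github/workflows to get a per-repository list of workflows worth reviewing; the safer sample produces no findings because fork-triggered pull_request runs receive a read-only token and require an environment reviewer before executing.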

Security teams should monitor for unusual package releases from trusted namespaces, especially those involving sudden version bumps or suspicious commit histories. Tools like dependency scanners and runtime detection can help identify compromised packages before they cause widespread harm.
