TeamPCP has become one of the most closely watched cybercrime groups today, as it continuously carries out software supply chain attacks targeting open source ecosystems and AI tools.
The group has drawn wide attention since GitHub confirmed that internal data was leaked in a recent cyber attack.
According to GitHub, the incident stems from a developer installing a malicious extension for VSCode, Microsoft's popular source code editor.
The incident resulted in about 3,800 internal repositories being compromised, although GitHub stated that customer data was not affected.
After the incident, TeamPCP is said to have posted on the BreachForums cybercrime forum offering GitHub's source code and internal data for sale. The group announced that it would provide data samples to buyers to prove authenticity.
According to cybersecurity experts, TeamPCP emerged at the end of 2025. Initially, the group exploited cloud misconfigurations and vulnerabilities in the Next.js web application framework to spread botnets, steal credentials and mine cryptocurrency illegally.
The worrying point is that TeamPCP focuses on attacking the software supply chain. In this form of attack, hackers insert malware into legitimate software so that it reaches a large number of users and businesses through normal distribution channels.
The group's method usually starts by infiltrating the development environment of a popular open source tool. The attackers then secretly insert malware into the software. When developers or businesses download and use that tool, the malware spreads further to other systems.
Through this process, TeamPCP can steal credentials, authentication tokens and access to multiple software development platforms.
Experts say the group has also used a self-spreading computer worm called "Mini Shai-Hulud" to automate large-scale attacks.
According to the cybersecurity company Socket, in just a few months TeamPCP has carried out about 20 supply chain attack campaigns, planting malware in more than 500 different software packages. Hundreds of businesses are believed to have been affected.
GitHub is not the only target: many major technology organizations have also been hit by this group. TeamPCP is suspected of being behind attacks related to OpenAI, the Mercor data platform and the LiteLLM AI tool on PyPI, the Python package registry.
Other businesses and organizations such as Checkmarx, TanStack and the AI platform Mistral are also said to have been affected by the group's campaigns.
Experts believe that TeamPCP's main motive is financial. The group often deploys ransomware, steals data or sells information to third parties.
TeamPCP is also said to have moved to a "ransomware-as-a-service" model, in which it supplies ransomware to other cybercriminal groups.
To reduce the risk of attack, experts recommend that businesses strengthen their security posture by controlling access rights, managing secrets strictly and rotating login tokens frequently.
In addition, organizations should carefully review open source software updates before installing them, rather than applying automatic updates immediately.
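The recommendation above, to review updates before installing them, is what pinned versions and hash-locked installs enforce mechanically (pip's `--require-hashes` mode and npm's `package-lock.json` integrity fields work this way). The script below is an added example, not code from the article or from any of the projects it mentions, and it models that gate with constructed package archives: a release is installable only if its name is pinned, its version matches the reviewed pin, and its archive hash matches the recorded one. Everything here (the `LOCK` structure, the package names, the archive bytes) is an assumption made for the example.

```python
"""Pre-install gate for third-party package updates (added example).

A hijacked release typically arrives as either a new version that an
auto-updater would pull in, or the same version re-uploaded with extra
code. Both are caught here: the version must equal the reviewed pin and
the archive hash must equal the hash recorded at review time.
"""
from __future__ import annotations

import hashlib
import hmac
from typing import NamedTuple


class Pin(NamedTuple):
    """What a human reviewer approved: exact version plus archive sha256."""
    version: str
    sha256: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def pin_package(lock: dict[str, Pin], name: str, version: str, archive: bytes) -> Pin:
    """Record a reviewed release in the lockfile (the manual review step)."""
    pin = Pin(version, sha256_hex(archive))
    lock[name] = pin
    return pin


def check_release(lock: dict[str, Pin], name: str, version: str, archive: bytes) -> str:
    """Classify a candidate release against the lockfile.

    Returns one of: 'ok', 'unpinned', 'version-changed', 'hash-mismatch'.
    Only 'ok' may be installed without a fresh review.
    """
    pin = lock.get(name)
    if pin is None:
        return "unpinned"            # never reviewed: refuse, do not guess
    if version != pin.version:
        return "version-changed"     # an auto-update would silently take this
    # Constant-time compare is a habit for any digest comparison.
    if not hmac.compare_digest(sha256_hex(archive), pin.sha256):
        return "hash-mismatch"       # same version string, different bytes
    return "ok"


def gate_install(lock: dict[str, Pin], candidates: dict[str, tuple[str, bytes]]) -> dict[str, str]:
    """Run the check over a batch of candidate releases and report each verdict."""
    return {name: check_release(lock, name, ver, data) for name, (ver, data) in candidates.items()}


def demo() -> dict[str, str]:
    """Constructed scenario: one good package, one tampered re-upload,
    one unexpected version bump, one package nobody reviewed."""
    lock: dict[str, Pin] = {}
    good_widget = b"widget-1.4.2 source tree (constructed)"
    good_parser = b"parser-2.0.0 source tree (constructed)"
    pin_package(lock, "widget", "1.4.2", good_widget)
    pin_package(lock, "parser", "2.0.0", good_parser)

    candidates = {
        "widget": ("1.4.2", good_widget),                                  # unchanged
        "parser": ("2.0.0", good_parser + b"\n# injected postinstall hook"),  # same version, new bytes
        "helper": ("0.9.1", b"helper-0.9.1 (constructed)"),                # never pinned
    }
    verdicts = gate_install(lock, candidates)
    # A version bump of a pinned package must also stop the install.
    verdicts["widget@1.5.0"] = check_release(lock, "widget", "1.5.0", good_widget)
    return verdicts


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14s} -> {verdict}")
```

In practice the `pin_package` step is the point at which someone actually reads the diff of the new release; the script only guarantees that nothing reaches production that has not passed through that step. Hash pinning does not detect a maintainer account that was compromised before the reviewed release was published, which is why the review itself still matters.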