Full Report
On May 11, 2026, TeamPCP launched coordinated software supply chain attacks targeting the npm and PyPI ecosystems. Over roughly six hours, the attacker published dozens of trojanized packages across multiple namespaces, including several high-profile and trusted publishers. The...
Analysis Summary
# Incident Report: TeamPCP Coordinated Supply Chain Attack
## Executive Summary
On May 11, 2026, the threat actor TeamPCP executed a high-impact supply chain attack targeting the npm and PyPI ecosystems. By exploiting trusted publishing workflows (OIDC), the attacker injected trojanized code into dozens of high-profile packages, including `@tanstack/react-router`, resulting in widespread data exfiltration. The incident demonstrated a critical vulnerability in modern CI/CD trust models, as the malicious packages maintained valid provenance metadata and signatures.
## Incident Details
- **Discovery Date:** May 11, 2026
- **Incident Date:** May 11, 2026
- **Affected Organization:** Multiple (TanStack, Mistral AI, UiPath, OpenSearch Project, etc.)
- **Sector:** Technology / Software Development
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** May 11, 2026, approx. 20:00 UTC
- **Vector:** Supply Chain Compromise / OIDC Identity Abuse
- **Details:** Attackers gained the ability to publish via legitimate GitHub Actions OIDC identities, bypassing the need for traditional stolen npm/PyPI user credentials.
### Lateral Movement
- **Details:** The attacker moved horizontally across different namespaces and ecosystems (npm and PyPI) simultaneously, targeting various high-value publishers to maximize reach.
### Data Exfiltration/Impact
- **Details:** Trojanized packages were downloaded by developers and CI/CD pipelines globally. The primary impact was data exfiltration from environments where the malicious packages were executed.
### Detection & Response
- **How it was discovered:** Rapid identification of anomalous updates across multiple high-traffic namespaces.
- **Response actions taken:** Affected packages were identified and subsequently removed or replaced by respective maintainers and registry operators; notifications were issued to the developer community.
## Attack Methodology
- **Initial Access:** Abuse of trusted publishing (GitHub Actions OIDC identities).
- **Persistence:** Injection of malicious code into legitimate, high-download package updates.
- **Privilege Escalation:** Exploiting the "Trusted Publisher" status to bypass standard security checks.
- **Defense Evasion:** Malicious releases contained valid provenance and package signing metadata, appearing legitimate to security scanners.
- **Credential Access:** Abuse of valid OIDC tokens/identities.
- **Discovery:** Selection of high-profile namespaces (e.g., `@tanstack` with ~12M weekly downloads) for maximum impact.
- **Lateral Movement:** Coordinated multi-ecosystem (npm and PyPI) campaign.
- **Collection:** Automated collection of sensitive environment data upon package execution.
- **Exfiltration:** Transmission of stolen data to attacker-controlled infrastructure.
- **Impact:** Compromise of developer machines and production CI/CD environments.
## Impact Assessment
- **Financial:** Significant potential costs related to incident response, remediation, and potential litigation across hundreds of downstream organizations.
- **Data Breach:** Exfiltration of sensitive environment variables, secrets, and source code from affected environments.
- **Operational:** Disruption of development workflows; emergency rotation of secrets for all affected users.
- **Reputational:** High public impact due to the breach of "Trusted Publishers" and established namespaces like TanStack and Mistral AI.
## Indicators of Compromise
- **Network indicators:** (Defanged) Connections to unauthorized exfiltration endpoints associated with `TeamPCP`.
- **File indicators:** Trojanized versions of packages such as `@tanstack/react-router`, `@uipath`, and `@mistralai` published on May 11, 2026.
- **Behavioral indicators:** Unexpected outbound network traffic during `npm install` or build steps; presence of unauthorized GitHub Actions workflows.
## Response Actions
- **Containment measures:** Rapid revocation of compromised OIDC permissions and removal of trojanized versions from registries.
- **Eradication steps:** Deletion of malicious releases and publication of clean "fix" versions to force updates.
- **Recovery actions:** Audit of all CI/CD pipelines that interacted with the affected packages during the six-hour window.
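
One way to run the audit described under recovery actions is sketched below. It is an added example, not tooling from the report or the affected projects. It walks an npm `package-lock.json` and flags locked versions under the scopes the report names whose registry publish time falls inside the incident window. The exact window bounds, the `example-*` package names, the versions and the timestamps are assumptions constructed for the demonstration.

```python
import json
from datetime import datetime, timedelta, timezone

# Assumption: the report's "approx. 20:00 UTC" start and "roughly six hours" duration.
WINDOW_START = datetime(2026, 5, 11, 20, 0, tzinfo=timezone.utc)
WINDOW_END = WINDOW_START + timedelta(hours=6)
# Scopes named in the report; extend from the registries' advisories.
SCOPES = ("@tanstack/", "@uipath/", "@mistralai/")

def locked_versions(lock):
    """Yield (name, version) for each entry of a package-lock v2/v3 "packages" map."""
    for path, meta in lock.get("packages", {}).items():
        if path and "version" in meta:  # "" is the root project itself
            # Nested installs repeat "node_modules/"; the last segment is the name.
            yield path.rsplit("node_modules/", 1)[-1], meta["version"]

def in_window(timestamp):
    published = datetime.fromisoformat(timestamp.replace("Z", "+00:00"))
    return WINDOW_START <= published < WINDOW_END

def audit(lock, publish_times):
    """publish_times maps name -> {version: ISO time}, the shape of the registry
    metadata "time" field, fetched separately and passed in so this runs offline."""
    findings = []
    for name, version in locked_versions(lock):
        if not name.startswith(SCOPES):
            continue
        stamp = publish_times.get(name, {}).get(version)
        if stamp is None:
            findings.append((name, version, "publish-time-unknown"))
        elif in_window(stamp):
            findings.append((name, version, "published-in-window"))
    return sorted(findings)

# Constructed sample data: versions, timestamps and the example-* names are made up.
SAMPLE_LOCK = json.loads("""{"lockfileVersion": 3, "packages": {
  "": {"name": "demo-app"},
  "node_modules/@tanstack/react-router": {"version": "0.0.2-constructed"},
  "node_modules/demo/node_modules/@mistralai/example-pkg": {"version": "0.0.1-constructed"},
  "node_modules/@uipath/example-cli": {"version": "0.0.3-constructed"},
  "node_modules/unscoped-example": {"version": "0.0.9-constructed"}}}""")
SAMPLE_TIMES = {
    "@tanstack/react-router": {"0.0.2-constructed": "2026-05-11T21:14:03.120Z"},
    "@mistralai/example-pkg": {"0.0.1-constructed": "2026-04-02T09:00:00.000Z"},
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOCK, SAMPLE_TIMES):
        print(*finding)
```

A `publish-time-unknown` finding means the registry metadata no longer lists that version, which is worth following up because removed releases disappear from it.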
## Lessons Learned
- **Key takeaways:** Provenance and signing are not absolute guarantees of safety if the CI/CD pipeline itself or the OIDC identity is compromised.
- **Shortcomings:** The reliance on "Trusted Publishing" created a single point of failure that the attacker successfully exploited across multiple organizations simultaneously.
## Recommendations
- **Zero Trust CI/CD:** Implement stricter monitoring for GitHub Actions and limit the scope of OIDC tokens to specific repositories and branches.
- **Dependency Pinning:** Use lockfiles and consider pinning dependencies to specific hashes (SHAs) rather than versions.
- **Secrets Rotation:** Immediately rotate all environment variables and API keys that may have been exposed in environments where the trojanized packages were run.
- **Runtime Monitoring:** Implement network egress filtering on build servers to prevent data exfiltration to unknown domains.
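
The Zero Trust CI/CD recommendation, limiting OIDC tokens to specific repositories and branches, can be expressed as a claim policy evaluated before a publish is accepted. The sketch below is an added example, not code from the report or from any registry. It assumes the token signature has already been verified against the issuer's keys, and the repository, workflow path and policy values are hypothetical placeholders.

```python
GITHUB_ISSUER = "https://token.actions.githubusercontent.com"

# Hypothetical policy for one package: a single repository, branch and release workflow.
POLICY = {
    "repository": "example-org/example-lib",
    "refs": {"refs/heads/main"},
    "workflow": ".github/workflows/release.yml",
    "events": {"push", "release"},
}

def check_publish_claims(claims, policy=POLICY):
    """Return the policy violations for an already signature-verified OIDC claim set."""
    problems = []
    if claims.get("iss") != GITHUB_ISSUER:
        problems.append("unexpected issuer")
    if claims.get("repository") != policy["repository"]:
        problems.append("repository not allowed")
    if claims.get("ref") not in policy["refs"]:
        problems.append("ref not allowed")
    if claims.get("event_name") not in policy["events"]:
        problems.append("event not allowed")
    # job_workflow_ref has the form "<owner>/<repo>/<workflow path>@<ref>".
    expected = {f'{policy["repository"]}/{policy["workflow"]}@{ref}'
                for ref in policy["refs"]}
    if claims.get("job_workflow_ref") not in expected:
        problems.append("workflow not allowed")
    return problems

# Constructed claim sets for the demonstration.
RELEASE_FROM_MAIN = {
    "iss": GITHUB_ISSUER,
    "repository": "example-org/example-lib",
    "ref": "refs/heads/main",
    "event_name": "release",
    "job_workflow_ref":
        "example-org/example-lib/.github/workflows/release.yml@refs/heads/main",
}
# Same repository, but an unapproved workflow file running on another branch.
UNAPPROVED_WORKFLOW = dict(
    RELEASE_FROM_MAIN,
    ref="refs/heads/feature-x",
    event_name="push",
    job_workflow_ref=
        "example-org/example-lib/.github/workflows/ci.yml@refs/heads/feature-x",
)

if __name__ == "__main__":
    print(check_publish_claims(RELEASE_FROM_MAIN))    # no violations
    print(check_publish_claims(UNAPPROVED_WORKFLOW))  # ref and workflow rejected
```

Matching on `job_workflow_ref` as well as `repository` ties the publish to one reviewed workflow file, so a token minted by an unauthorized workflow in the same repository fails the check.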