Full Report
The TeamPCP hacker group is threatening to leak source code from the Mistral AI project unless a buyer is found for the data. [...]
Analysis Summary
# Threat Actor: TeamPCP
## Attribution & Identity
**TeamPCP** is a threat actor group operating on underground hacker forums. While specific geographic attribution is not provided in the report, their activity follows the patterns of financially motivated cybercriminal syndicates. They are currently associated with the exploitation of downstream data resulting from the "Mini Shai-Hulud" supply-chain attack.
## Activity Summary
In May 2026, TeamPCP claimed to have exfiltrated nearly 5GB of internal source code and repositories from **Mistral AI**. The group is currently attempting to extort the company or sell the data to a third party for $25,000.
- **The Initial Compromise:** The incident originated from the "Mini Shai-Hulud" software supply-chain attack, which compromised official packages (TanStack and Mistral AI) via stolen CI/CD credentials.
- **Data Theft:** TeamPCP claims to possess 450 repositories used for training, fine-tuning, benchmarking, and model inference.
- **Public Extortion:** The group has set a "Buy It Now" (BIN) price and threatened to leak the data for free within a week if no buyer is found.
## Tactics, Techniques & Procedures
- **Supply Chain Compromise:** Leveraging compromised packages on the npm and PyPI registries to gain initial access to developer environments.
- **Credential Theft:** Stealing CI/CD and source-code management credentials from infected developer devices.
- **Data Exfiltration:** Accessing and downloading internal private repositories.
- **Extortion/Ransom:** Using dedicated hacker forums to advertise stolen data and set deadlines for payment to prevent public disclosure.
- **Flexibility:** Showing a willingness to negotiate "fair offers," indicating a primary goal of quick monetization.
**MITRE ATT&CK IDs:**
- **T1195.002:** Supply Chain Compromise: Compromise Software Dependencies
- **T1552:** Unsecured Credentials
- **T1567:** Exfiltration Over Web Service
- **T1659:** Content Impersonation (via malicious SDK packages)
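The exfiltration stage above, one credential pulling hundreds of private repositories, has a simple and high-signal detection on the source-control side: count the distinct repositories each actor clones inside a sliding time window. The following is an added example written for this summary, not code from KELA or any of the named victims; the audit-log line format, the actor names and the function names are all constructed assumptions.

```python
"""Detect bulk repository cloning by one credential.

Added example for this report, not code from KELA or any victim: the audit-log
format below is constructed, and the function names are my own. It flags any
actor that clones an unusually high number of *distinct* repositories inside a
sliding time window, the access pattern behind a mass source-code theft."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def _build_sample_log():
    """Constructed audit lines: '<ISO timestamp> actor=<id> action=<op> repo=<name>'."""
    lines = [
        "2026-05-04T09:58:10Z actor=dev-alice action=git.clone repo=org/app-web",
        "2026-05-04T09:59:40Z actor=dev-alice action=git.clone repo=org/app-api",
        "2026-05-04T10:00:01Z actor=ci-build-token action=git.push repo=org/app-api",
    ]
    base = datetime(2026, 5, 4, 10, 3, 0, tzinfo=timezone.utc)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    # A CI token pulling 14 different training repos in about three minutes.
    for i in range(1, 15):
        ts = base + timedelta(seconds=12 * i)
        lines.append(f"{ts.strftime(fmt)} actor=ci-build-token action=git.clone repo=org/train-{i:02d}")
    lines.append("2026-05-04T10:06:30Z actor=ci-build-token action=git.clone repo=org/train-01")
    # A developer re-cloning the same repo twelve times: noisy, but only one distinct repo.
    for i in range(12):
        ts = base + timedelta(seconds=30 * i)
        lines.append(f"{ts.strftime(fmt)} actor=dev-bob action=git.clone repo=org/app-web")
    return lines


SAMPLE_LINES = _build_sample_log()


def parse_line(line):
    """Parse one audit line into a dict; return None for malformed input."""
    parts = line.split()
    if not parts:
        return None
    try:
        ts = datetime.fromisoformat(parts[0].replace("Z", "+00:00"))
    except ValueError:
        return None
    rec = {"ts": ts}
    for kv in parts[1:]:
        key, sep, value = kv.partition("=")
        if sep:
            rec[key] = value
    if not {"actor", "action", "repo"} <= set(rec):
        return None
    return rec


def detect_bulk_clone(lines, window=timedelta(minutes=10), threshold=10):
    """Return one alert per actor whose distinct-repo clone count within any
    `window` reaches `threshold`. Repeated clones of one repo do not count."""
    clones = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == "git.clone":
            clones[rec["actor"]].append((rec["ts"], rec["repo"]))
    alerts = []
    for actor, events in clones.items():
        events.sort()
        best, best_start, start = 0, None, 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({repo for _, repo in events[start:end + 1]})
            if distinct > best:
                best, best_start = distinct, events[start][0]
        if best >= threshold:
            alerts.append({"actor": actor, "distinct_repos": best,
                           "window_start": best_start.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_clone(SAMPLE_LINES):
        print(f"ALERT bulk clone: {alert}")
```

Counting distinct repositories rather than raw clone events is the design point: a developer hammering one repository is noise, while a CI token quietly walking across every training repository is the signal. In a real deployment the threshold would be set from each actor's own baseline, and a CI token that only ever builds one project should have a much lower one.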
## Targeting
- **Sectors:** Artificial Intelligence (AI), Software Development, SaaS providers, and companies utilizing popular open-source registries (npm/PyPI).
- **Geography:** Global, with a specific impact noted on French (Mistral AI) and American (OpenAI, UiPath) entities.
- **Victims:**
  - Mistral AI (French AI company)
  - OpenAI (Employee devices/limited source code)
  - Companies using TanStack, UiPath, Guardrails AI, and OpenSearch.
## Tools & Infrastructure
- **Malicious Packages:** Signed malicious npm/PyPI packages associated with the "Mini Shai-Hulud" attack.
- **Malware:** Not explicitly named, but involved in infecting developer devices to harvest credentials.
- **Infected Registries:** `https[:]//www[.]npmjs[.]com/` and `https[:]//pypi[.]org/`
- **Distribution Forums:** Underground hacker forums (monitored by KELA).
## Implications
The targeting of "Open-Weight" and proprietary AI companies suggests a strategic shift by threat actors to steal intellectual property related to Large Language Models (LLMs). The theft of training and inference code poses a risk of IP theft, model inversion, or the discovery of adversarial vulnerabilities in the AI models themselves. Furthermore, the "Mini Shai-Hulud" attack demonstrates the cascading risk of supply-chain compromises in the modern DevOps lifecycle.
## Mitigations
- **CI/CD Security:** Implement Hardware Security Keys (FIDO2) for all developer and CI/CD access to prevent credential theft from being effective.
- **Software Bill of Materials (SBOM):** Regularly audit dependencies in npm and PyPI to identify unauthorized or "typosquatted" updates.
- **Secrets Management:** Use automated tools to scan repositories for hardcoded credentials and rotate any keys exposed in high-risk incidents immediately (as done by OpenAI).
- **Network Segmentation:** Isolate development and testing environments from core research and production data to limit the blast radius of a compromised developer device.
- **Code Signing:** Ensure all internal and external packages are verified against trusted, non-compromised certificates.
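Two of the mitigation items above, the SBOM dependency audit and the secrets scan, reduce to checks a team can run in CI. The block below is an added example written for this summary, not code from any vendor, KELA, or a victim organisation. Everything in it is constructed: the reviewed baseline, the `package-lock.json` fragment (real npm v2/v3 layout, invented package names), the sample source files, the token patterns and the function names.

```python
"""Two of the mitigation items above, as runnable checks.

Added example for this report, not code from any vendor or victim. All inputs
are constructed: the baseline, the package-lock.json fragment (real npm v2/v3
layout, invented package names) and the sample source files. Function names
and the token patterns are my own assumptions."""
import json
import re

# Reviewed SBOM baseline: package name -> (version, integrity hash).
BASELINE = {
    "example-lib-a": ("1.3.0", "sha512-AAAA"),
    "example-lib-b": ("5.2.0", "sha512-BBBB"),
    "example-lib-c": ("2.0.0", "sha512-CCCC"),
    "example-sdk": ("0.9.1", "sha512-DDDD"),
}

# Constructed package-lock.json content as it would look after a fresh install.
CURRENT_LOCK = json.loads("""{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app"},
    "node_modules/example-lib-a": {"version": "1.3.0", "integrity": "sha512-AAAA"},
    "node_modules/example-lib-b": {"version": "5.2.1", "integrity": "sha512-EEEE"},
    "node_modules/example-lib-b/node_modules/example-new-helper":
        {"version": "0.0.1", "integrity": "sha512-FFFF"},
    "node_modules/example-sdk": {"version": "0.9.1", "integrity": "sha512-GGGG"}
  }
}""")


def audit_lockfile(baseline, lock):
    """Compare a lockfile against the reviewed baseline. An integrity change
    with an unchanged version number is the strongest signal: the same version
    was republished with different contents."""
    findings, seen = [], set()
    for path, meta in lock.get("packages", {}).items():
        if "node_modules/" not in path:
            continue  # the "" root entry is the project itself
        name = path.rsplit("node_modules/", 1)[1]  # handles nested node_modules
        seen.add(name)
        version, integrity = meta.get("version"), meta.get("integrity")
        if name not in baseline:
            findings.append(("new_dependency", name, version))
        elif version != baseline[name][0]:
            findings.append(("version_changed", name, f"{baseline[name][0]} -> {version}"))
        elif integrity != baseline[name][1]:
            findings.append(("integrity_mismatch", name, version))
    for name in baseline.keys() - seen:
        findings.append(("removed_dependency", name, baseline[name][0]))
    return sorted(findings)


# Assumed token shapes: AWS access key IDs ("AKIA" + 16 chars), GitHub classic
# tokens ("ghp_" + 36 chars) and a generic quoted assignment to a secret-like name.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "secret_assignment": re.compile(
        r"(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"][^'\"]{8,}['\"]"),
}

# Constructed repository contents: one real-looking hit per file type plus
# a non-hit (reading the secret from the environment is what we want).
SAMPLE_FILES = {
    "config.py": 'API_KEY = "sk-CONSTRUCTED-EXAMPLE-0123456789"\n'
                 'DB_PASSWORD = os.environ["DB_PASSWORD"]\n',
    "ci.yml": "env:\n  AWS_KEY: AKIAEXAMPLEEXAMPLE01\n",
    "README.md": "Set PASSWORD through the environment, never in source.\n",
}


def scan_for_secrets(files):
    """Return (filename, line_number, pattern_name) for every hit."""
    hits = []
    for filename, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for kind, pattern in SECRET_PATTERNS.items():
                if pattern.search(line):
                    hits.append((filename, lineno, kind))
    return sorted(hits)


if __name__ == "__main__":
    for finding in audit_lockfile(BASELINE, CURRENT_LOCK):
        print("DEPENDENCY", *finding)
    for hit in scan_for_secrets(SAMPLE_FILES):
        print("SECRET", *hit)
```

The lockfile check separates four cases on purpose: a new transitive dependency or a version bump may be a legitimate update that simply needs review, whereas an integrity hash that changes while the version stays the same means the registry now serves different bytes for a version the team already vetted, which is exactly the kind of unauthorized republish the SBOM item is meant to catch. The secrets scan is pattern-based and will miss custom token formats; its value is as a fast gate before commit, with rotation of anything it finds treated as mandatory rather than optional.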