TeamPCP Supply Chain Campaign: Activity Through 2026-05-24, (Mon, May 25th)
The TeamPCP supply chain campaign is an ongoing multi-ecosystem malware operation active through May 24, 2026. It compromised multiple package ecosystems including npm, PyPI, and Visual Studio Marketplace, trojanizing an officially Microsoft-published Python SDK and a popular VS Code extension. The campaign exfiltrated thousands of internal GitHub repositories and targeted developer and CI/CD credentials, cloud environment secrets, and local password vaults. The malicious packages carried payloads including credential stealers, worms propagating in cloud environments, and a Linux disk wiper. The operator also publicly released the attack framework source code on GitHub, increasing risk of copycat attacks. Despite the severity, no official patch or advisory from CISA has been issued for the main tracked CVE. Microsoft has publicly acknowledged and responded to parts of the campaign. Defenders are urged to inventory affected package versions, rotate exposed credentials, and not rely on publisher verification badges as safety indicators.
AI Analysis
Technical Summary
TeamPCP is a sophisticated supply chain malware campaign active across three package ecosystems: npm (@antv), PyPI (Microsoft's durabletask SDK), and Visual Studio Marketplace (Nx Console VS Code extension). The campaign used harvested credentials to publish trojanized packages that executed malicious payloads upon import or install, including credential theft, lateral movement inside GitHub, and destructive Linux disk wiping. The campaign exfiltrated approximately 3,800 GitHub internal repositories and impacted downstream victims such as OpenAI, Grafana Labs, and Mistral AI. The malicious durabletask SDK versions 1.4.1 to 1.4.3 were live briefly on PyPI and contained a payload that steals cloud credentials and propagates via AWS SSM and Kubernetes exec. The npm wave involved 639 malicious package versions across 323 packages, some displaying forged Sigstore verification badges. The operator released the Shai-Hulud framework source code publicly, enabling copycat attacks and complicating detection. Microsoft has publicly responded, but CISA has not added the main CVE to its Known Exploited Vulnerabilities catalog. Defenders should audit installs, rotate credentials, and avoid trusting publisher badges alone.
Potential Impact
The campaign resulted in significant exfiltration of internal GitHub repositories and compromise of developer and CI/CD credentials. It affected major organizations downstream, including OpenAI, Grafana Labs, and Mistral AI. The trojanized Microsoft durabletask SDK introduced a Linux disk wiper payload, extending the campaign's destructive capabilities. The npm ecosystem compromise harvested a wide range of credentials including cloud provider tokens, SSH keys, and password vaults. The public release of the attack framework source code increases the risk of further attacks by copycat operators. The campaign undermines trust in verified-publisher badges and package provenance mechanisms.
Mitigation Recommendations
No official patch or advisory from CISA is currently available for the main CVE-2026-45321; patch status is not yet confirmed—check vendor advisories for updates. Microsoft has publicly acknowledged the campaign and removed trojanized package versions from PyPI and Visual Studio Marketplace. Defenders should inventory and remove Nx Console VS Code extension v18.95.0 installed during the May 18, 2026 window, durabletask SDK versions 1.4.1 through 1.4.3 installed on May 19, 2026, and @antv npm packages from the May 19 wave. Rotate all exposed developer, CI/CD, and cloud credentials including GitHub PATs, npm tokens, AWS, GCP, Azure keys, and password vault credentials. Do not rely on Visual Studio Marketplace verified-publisher badges or npm Sigstore verification badges as safety signals. Pin exact package versions and verify lockfile hashes against known-good baselines. Inspect developer endpoints for persistence artifacts in ~/.claude/settings.json and .vscode/tasks.json. Audit Kubernetes and AWS SSM session histories for anomalous activity related to affected packages. Monitor for official advisories or updates from Microsoft, GitHub, and security agencies.
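The inventory and lockfile-baseline steps above, as an added Python example (not code from the source article or from any vendor): it flags durabletask pins in the 1.4.1 to 1.4.3 range in pip-freeze or requirements text, and lists @antv entries in a v2/v3 package-lock.json that are new or carry an integrity hash absent from a known-good baseline lockfile. The function names and the sample package names and hashes are assumptions constructed for illustration.

```python
import json
import re

# From the advisory text: trojanized durabletask releases and the npm scope involved.
DURABLETASK_BAD = {"1.4.1", "1.4.2", "1.4.3"}
NPM_SCOPE = "@antv/"  # the page gives no per-package version list for this scope
PIN = re.compile(r"\s*([A-Za-z0-9._-]+)(?:\[[^\]]*\])?\s*==\s*([A-Za-z0-9.!+]+)")

def affected_durabletask(requirements_text):
    """Return affected durabletask versions pinned in pip-freeze/requirements text."""
    hits = []
    for line in requirements_text.splitlines():
        m = PIN.match(line)
        if not m:
            continue  # comments, --hash continuation lines, unpinned specs
        # PEP 503 normalisation: catches "DurableTask", ignores "durable-task"
        name = re.sub(r"[-_.]+", "-", m.group(1)).lower()
        if name == "durabletask" and m.group(2) in DURABLETASK_BAD:
            hits.append(m.group(2))
    return hits

def scoped_entries(lock_text):
    """Map name@version -> set of integrity hashes for @antv entries (lockfile v2/v3)."""
    out = {}
    for path, meta in json.loads(lock_text).get("packages", {}).items():
        name = path.rpartition("node_modules/")[2]  # also resolves nested installs
        if name.startswith(NPM_SCOPE):
            out.setdefault(f"{name}@{meta.get('version')}", set()).add(meta.get("integrity"))
    return out

def drift_from_baseline(current_lock, baseline_lock):
    """Return @antv entries that are new or carry a hash the baseline does not."""
    base = scoped_entries(baseline_lock)
    cur = scoped_entries(current_lock)
    return sorted(k for k, hashes in cur.items() if hashes - base.get(k, set()))

# Constructed sample inputs: package names and hashes below are placeholders.
SAMPLE_REQS = "example-lib==2.0.0\nDurableTask==1.4.2 \\\n    --hash=sha256:00\ndurable-task==1.4.2\n"
BASELINE = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "app"},
    "node_modules/@antv/example-a": {"version": "1.0.0", "integrity": "sha512-AAAA"},
    "node_modules/x/node_modules/@antv/example-b": {"version": "2.0.0", "integrity": "sha512-BBBB"}}})
CURRENT = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "app"},
    "node_modules/@antv/example-a": {"version": "1.0.0", "integrity": "sha512-XXXX"},
    "node_modules/x/node_modules/@antv/example-b": {"version": "2.0.1", "integrity": "sha512-CCCC"}}})

if __name__ == "__main__":
    print(affected_durabletask(SAMPLE_REQS))
    print(drift_from_baseline(CURRENT, BASELINE))
```

An entry reported by `drift_from_baseline` is a candidate for manual review, not a verdict: a legitimate upgrade also changes the version and hash.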
Technical Details
- Article Source
- {"url":"https://isc.sans.edu/diary/rss/33014","fetched":true,"fetchedAt":"2026-05-25T13:40:02.595Z","wordCount":1963}
Threat ID: 6a145132a5ae1af1aaa329d1
Added to database: 5/25/2026, 1:40:02 PM
Last enriched: 5/25/2026, 1:40:22 PM
Last updated: 5/25/2026, 2:41:49 PM