Researchers identified a broad TeamPCP-linked supply chain campaign involving malicious NPM packages, compromised GitHub Actions, a trojanized VSCode extension, and malicious PyPI packages targeting cloud and CI/CD environments. The campaign includes large-scale credential theft, persistence mechanisms, malware propagation, and destructive functionality.
The initial wave involved dozens of malicious NPM packages and compromised development tooling. When activated, the malicious packages downloaded secondary payloads from orphaned GitHub commits and installed the malware using the bun runtime. The malware harvested credentials from victim systems and attempted to exfiltrate them by creating public GitHub repositories with the description "niagA oG eW ereH :duluH-iahS" containing RSA-encrypted data. The campaign also installed a Python backdoor (cat.py) at ~/.local/share/kitty/cat.py, which periodically polled GitHub for commands containing the marker firedalazer and executed remote payloads.
A second wave targeted the official Microsoft durabletask PyPI package. Malicious versions published on May 19, 2026, downloaded rope.pyz from check.git-service.com, stored it locally, and executed it. The malware harvested credentials, abused the AWS SSM SendCommand API to propagate to EC2 instances, and attempted lateral movement inside Kubernetes clusters using kubectl exec. It also implemented a conditional wiping and persistence routine that, under specific geolocation conditions associated with Israel or Iran, had a chance of triggering rm -rf /*. Otherwise, it installed persistence payloads at /usr/bin/pgmonitor.py or ~/.local/bin/pgmonitor.py.
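The following host-side indicator sweep is an added example written for this summary, not code from the researchers or from the campaign itself. It checks for the persistence paths named above and flags GitHub repository records whose description carries the exfiltration marker; the `exists` callback and the repository record shape are assumptions so the check can also run over a recorded file list or an exported API listing.

```python
"""Indicator sweep for the TeamPCP-linked campaign described above.
Indicator strings and paths come from the write-up; everything else is constructed."""
import os
from typing import Callable, Iterable, List, Optional

# Persistence artifacts named in the write-up (relative to home or root).
HOME_ARTIFACTS = (".local/share/kitty/cat.py", ".local/bin/pgmonitor.py")
ROOT_ARTIFACTS = ("usr/bin/pgmonitor.py",)

# Description the malware sets on the public exfiltration repositories.
EXFIL_DESCRIPTION = "niagA oG eW ereH :duluH-iahS"


def candidate_paths(home: str, root: str = "/") -> List[str]:
    """Absolute paths to check for the campaign's persistence payloads."""
    paths = [os.path.join(home, rel) for rel in HOME_ARTIFACTS]
    paths += [os.path.join(root, rel) for rel in ROOT_ARTIFACTS]
    return paths


def sweep_host(home: str, root: str = "/",
               exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Return the persistence artifacts present on this host.
    `exists` is injectable (assumption) so the sweep can run against a recorded file list."""
    return [p for p in candidate_paths(home, root) if exists(p)]


def is_exfil_repo(description: Optional[str]) -> bool:
    """True if a repository description matches the exfiltration marker exactly."""
    return description is not None and description.strip() == EXFIL_DESCRIPTION


def find_exfil_repos(repos: Iterable[dict]) -> List[str]:
    """Filter GitHub-API-style records ({'full_name', 'description', 'private'})
    down to the names of public repositories carrying the marker."""
    return [r["full_name"] for r in repos
            if not r.get("private", False) and is_exfil_repo(r.get("description"))]


if __name__ == "__main__":
    # The sweep runs against the real filesystem; the repo check uses a
    # constructed listing standing in for an org's repository export.
    print("persistence artifacts:", sweep_host(os.path.expanduser("~")))
    sample = [{"full_name": "acme/app", "description": "Internal tooling"},
              {"full_name": "acme/x9k2", "description": EXFIL_DESCRIPTION}]
    print("exfil repos:", find_exfil_repos(sample))
```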