Security News

Cybersecurity news aggregator

CRITICAL Attacks SC Media

Why supply chain attacks work and what detection can actually do about it

The article details supply chain attacks by the threat group TeamPCP, which poisons trusted software dependencies such as open-source packages (e.g., on npm and PyPI) and marketplace extensions (such as the Nx Console VS Code extension) to bypass hardened perimeters. The attacks exploit trust in these sources and use automated tools such as the Mini Shai-Hulud worm to propagate. While the article references CVE-2026-48027 (CVSS 9.8) affecting nx_console version 18.95.0, it does not provide a specific fixed version or workaround guidance for the broader campaign.

June 2, 2026
By Aaron Beardslee

COMMENTARY: Attackers are rational actors who almost always take the path of least resistance. So while organizations pour resources into hardening their perimeters, patching their own code, and locking down their endpoints, a threat group called TeamPCP has quietly walked through a door that most security teams did not even know existed. Since late 2025, TeamPCP has run at least 20 waves of supply chain attacks across GitHub, PyPI, npm, and Docker Hub, poisoning more than 500 separate open-source packages and compromising hundreds of organizations.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]

The group’s most recent and highest-profile victim was GitHub itself, breached after an employee installed a poisoned VS Code extension called Nx Console from the official marketplace. That single installation compromised the developer's device and gave TeamPCP access to roughly 3,800 internal GitHub repositories. The group then partnered with LAPSUS$ to sell the stolen source code on BreachForums.

It’s important to understand the GitHub breach correctly because the delivery mechanism was not their automated worm. It was trust. A developer installed a tool they had every reason to believe was safe.

TeamPCP runs parallel tracks. One of those tracks is Mini Shai-Hulud, a self-replicating worm that steals CI/CD credentials and uses them to poison more packages without a human operator in the loop. The worm and the poisoned extension are different instruments in the same toolkit, and that distinction matters when building defenses against either.

The soft target problem

There’s a strategic logic here worth examining.
Hardened enterprise environments, mature SOC programs, EDR tooling, and layered defenses have made direct intrusion increasingly expensive for attackers. So they moved upstream. The developers who build the software the organization depends on are often smaller shops, open source maintainers working alone, or teams without dedicated security resources. Softer targets in every sense of the word.

It’s not a new concept in physical security. We do not break into a vault if we can steal the key from the locksmith. However, it’s never been done at the scale, automation, and range of delivery options TeamPCP has developed. Poisoned packages carry valid provenance attestations and appear to originate from legitimate CI/CD pipelines. Poisoned extensions hide behind verified publisher badges and install counts that signal safety. Traditional integrity checks offer little protection against either.

Today, most security programs are built around what attackers are known to do. Detection engineers write rules for techniques that show up repeatedly: endpoint command execution, process injection, lateral movement, credential access, data exfiltration. These are persistent and reliable detection targets precisely because attackers keep using them. But it carries a blind spot.

When a developer installs a poisoned package or extension as part of their normal workflow, nothing looks like an attack from the endpoint's perspective. The build runs. The pipeline executes. Keys and tokens flow out through an exfiltration channel that looks like routine CI/CD traffic. The credentials are gone before most detections trigger. It’s the "I didn't even think that was possible" category of attack, and it’s where novel threats consistently outpace detection coverage.

Our broader security posture, as organizations and arguably as a country, optimizes for threats we understand. Budget flows toward known attack surfaces.
Leadership asks about ransomware and phishing, not whether a Kubernetes secret was vacuumed out of a compromised npm package three weeks ago. It’s this short-sighted framing that ignores how far upstream an attacker can position themselves before we see their fingerprints.

The honest argument for endpoint detection

Now, to argue against the doom framing: solid endpoint monitoring still matters here, just not in the way most people expect. TeamPCP's toolkit has been extraordinarily effective at getting credentials into attacker hands and initial access brokers. Once those credentials are sold and used, endpoint and identity telemetry become our last line of insight.

We may not detect the novel supply chain technique that staged the compromise. But if our endpoint and SIEM coverages are mature, we will see the anomalous authentication, the unusual API call patterns, the service account behaving like a human. We will see what those stolen credentials are being used for, even if we missed how they were taken.

It’s the core value proposition of persistent, technique-focused detection. It does not stop every novel initial access vector. It does not know what it does not know. But it narrows the window of undetected activity after the breach, and in a world where credential theft has been automated and commoditized, that post-compromise visibility becomes the most actionable detection we have.

Aaron Beardslee, manager of threat research, Securonix
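
The post-compromise signal the commentary describes (a service account "behaving like a human") can be expressed as a baseline-and-deviation check over identity audit events. This is an added example, not code from the article or from Securonix; the event layout, account name, user agents and action names are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample audit events (not real logs). The tuple layout
# (identity, source IP, user agent, API action) is an assumption.
BASELINE = [
    ("svc-ci-build", "10.20.0.14", "ci-runner/2.1", "package.publish"),
    ("svc-ci-build", "10.20.0.15", "ci-runner/2.1", "repo.fetch"),
]
OBSERVED = [
    ("svc-ci-build", "10.20.0.15", "ci-runner/2.1", "repo.fetch"),
    ("svc-ci-build", "203.0.113.77", "Mozilla/5.0", "repo.list"),
    ("svc-ci-build", "203.0.113.77", "curl/8.5.0", "secret.read"),
]
INTERACTIVE_AGENTS = ("mozilla/", "curl/")  # assumed markers of a human-driven client

def network_of(ip):
    """Collapse an address to its /24 so a pool of runners shares one key."""
    return ipaddress.ip_network(f"{ip}/24", strict=False)

def build_profile(events):
    """Learn per identity the networks and actions seen in the baseline."""
    profile = defaultdict(lambda: {"nets": set(), "actions": set()})
    for ident, ip, _agent, action in events:
        profile[ident]["nets"].add(network_of(ip))
        profile[ident]["actions"].add(action)
    return profile

def deviations(profile, event):
    """Return the reasons an event departs from its identity's learned profile."""
    ident, ip, agent, action = event
    if ident not in profile:
        return ["identity has no baseline"]
    seen, reasons = profile[ident], []
    if network_of(ip) not in seen["nets"]:
        reasons.append("new source network")
    if agent.lower().startswith(INTERACTIVE_AGENTS):
        reasons.append("interactive client on service account")
    if action not in seen["actions"]:
        reasons.append("action never seen for this identity")
    return reasons

def detect(baseline, observed, threshold=2):
    """Flag observed events showing at least `threshold` deviations."""
    profile = build_profile(baseline)
    scored = [(event, deviations(profile, event)) for event in observed]
    return [(event, why) for event, why in scored if len(why) >= threshold]
```

Requiring two or more independent deviations keeps a single new runner IP from alerting on its own while still catching a stolen token replayed from an unfamiliar network with an interactive client.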
