
Inside TeamPCP’s Supply Chain Offensive

Written by The Hivemind | May 18, 2026 5:56:30 PM

Verticals Targeted: Technology, Artificial Intelligence, Cloud, Software Development
Regions Targeted: US, Europe, Global
Related Threat Actors: TeamPCP
Related Families: Mini Shai-Hulud

Executive Summary

A coordinated software supply chain campaign linked to TeamPCP has demonstrated how modern CI/CD ecosystems can be weaponized to distribute malicious code, harvest developer credentials, and potentially enable broader downstream compromise. Recent operations tied to the actor targeted trusted software distribution infrastructure across GitHub Actions, PyPI, Docker Hub, VS Code/OpenVSX, and npm ecosystems through poisoned packages, malicious workflows, and compromised release mechanisms.

Days after the Mini Shai-Hulud supply chain attacks impacted npm and PyPI packages associated with multiple projects, including those connected to Mistral AI, a TeamPCP-linked forum account claimed to possess and sell alleged internal Mistral AI repositories. At the time of writing, no public evidence independently verifies the authenticity of the claimed repositories or confirms compromise of Mistral AI internal systems.

The activity highlights growing concerns surrounding attacks against AI-focused development environments and the increasing overlap between software supply chain compromise, credential theft, and potential monetization of developer infrastructure access.

Key Takeaways

  • TeamPCP-linked operations abused trusted CI/CD and software distribution infrastructure across multiple developer ecosystems, including GitHub Actions, Docker Hub, PyPI, npm, and VS Code/OpenVSX.
  • The campaign focused heavily on credential theft, targeting GitHub personal access tokens, cloud provider credentials, SSH keys, Kubernetes secrets, developer tooling configurations, infrastructure-as-code files, and CI/CD secrets.
  • The Checkmarx KICS compromise demonstrated simultaneous multichannel poisoning operations affecting Docker images, GitHub Actions workflows, and VS Code/OpenVSX extensions.
  • The elementary-data incident showed how a single unsanitized GitHub Actions comment could trigger malicious signed releases generated by a project’s own CI infrastructure.
  • A TeamPCP-linked forum account later claimed to be selling roughly 5GB of alleged internal Mistral AI repositories tied to AI development and inference projects.

Recent Activity Overview

TeamPCP activity observed throughout March and April 2026 reflects a sustained software supply chain campaign designed to exploit trust relationships within modern developer ecosystems. Rather than relying on traditional malware delivery methods or direct endpoint compromise, the actor repeatedly targets CI/CD pipelines, package publication systems, and trusted software distribution channels.

The campaign consistently abused infrastructure already trusted by developers and automated build environments. Poisoned Docker images, malicious GitHub Actions workflows, compromised VS Code extensions, and trojanized PyPI packages were all delivered through legitimate release mechanisms and official distribution infrastructure.

The Checkmarx KICS incident represented one of the campaign’s most operationally sophisticated phases. The actor simultaneously compromised multiple distribution channels associated with the project, allowing the malware to reach developers and CI pipelines through Docker Hub, GitHub Actions, and VS Code/OpenVSX extensions at the same time. The payloads harvested GitHub PATs, npm tokens, AWS, Azure, and GCP credentials, SSH material, AI tooling configuration files, Kubernetes secrets, shell histories, and infrastructure-as-code data. Within approximately 24 hours of the KICS compromise, stolen npm credentials were reportedly used to publish a malicious version of the Bitwarden CLI package, illustrating how harvested credentials were operationalized rapidly after collection.

The elementary-data compromise further demonstrated TeamPCP’s focus on exploiting structural weaknesses within CI/CD workflows. In that incident, an unsanitized GitHub Actions workflow interpolated attacker-controlled pull request comments directly into a shell execution block, allowing arbitrary command execution on the runner. The attacker then abused the repository’s own release pipeline to generate and publish malicious packages signed by the project’s legitimate CI infrastructure. Unlike many traditional software supply chain attacks that rely primarily on publisher-account theft, the elementary-data incident showed how insecure workflow logic alone can enable trusted package distribution without first compromising maintainer credentials.
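The workflow weakness described above can be checked for mechanically. The scanner below is an added illustration, not code from the bulletin or from the elementary-data project: it walks a workflow file, extracts every `run:` script (inline and `run: |` block forms), and flags expressions drawn from contributor-controlled event contexts that are expanded directly into the shell, while accepting the hardened pattern of passing the value through an environment variable. The list of untrusted contexts and both sample workflows are constructed for this example.

```python
import re

# Event contexts an outside contributor can populate (constructed list; extend for your org).
UNTRUSTED = re.compile(r"github\.event\.(comment\.body|issue\.(title|body)|pull_request\.(title|body)"
                       r"|pull_request\.head\.(ref|label)|review(_comment)?\.body)|github\.head_ref")
EXPR = re.compile(r"\$\{\{(.*?)\}\}")               # a ${{ ... }} expression the runner expands
RUN_KEY = re.compile(r"^(\s*)(?:-\s+)?run:\s*(.*)$")  # a `run:` step key, with or without list dash
BLOCK_MARKERS = {"|", ">", "|-", ">-", "|+", ">+"}   # YAML literal/folded block indicators

def run_blocks(workflow):
    """Yield (line_number, script) for every `run:` step, including `run: |` blocks."""
    lines, i = workflow.splitlines(), 0
    while i < len(lines):
        m = RUN_KEY.match(lines[i])
        i += 1
        if not m:
            continue
        key_line, indent, value = i, len(m.group(1)), m.group(2).strip()
        if value not in BLOCK_MARKERS:       # inline form: `run: echo ...`
            yield key_line, value
            continue
        body = []                            # block form: lines indented deeper than the key
        while i < len(lines) and (not lines[i].strip() or len(lines[i]) - len(lines[i].lstrip()) > indent):
            body.append(lines[i])
            i += 1
        yield key_line, "\n".join(body)

def find_injections(workflow):
    """Return (line_number, expression) for untrusted contexts expanded inside run scripts."""
    return [(n, e.strip()) for n, body in run_blocks(workflow)
            for e in EXPR.findall(body) if UNTRUSTED.search(e)]

# Constructed sample: the comment body is expanded straight into the shell script.
VULNERABLE = """\
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - run: |
          echo "Comment: ${{ github.event.comment.body }}"
"""
# Hardened form: the value reaches the shell only as a quoted environment variable.
HARDENED = """\
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - env:
          COMMENT: ${{ github.event.comment.body }}
        run: echo "Comment: $COMMENT"
"""
```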

Alleged Mistral AI Repository Sale

Shortly after the Mini Shai-Hulud supply chain activity targeting npm and PyPI ecosystems, a TeamPCP-linked forum account claimed to possess and sell alleged internal repositories associated with Mistral AI. The actor claimed the archive contained roughly 5GB of repositories connected to training systems, fine-tuning projects, benchmarking tools, dashboards, inference infrastructure, and enterprise AI development efforts.

At the time of writing, however, no public evidence independently verifies the authenticity of the alleged repositories or confirms compromise of Mistral AI internal systems. Mistral AI confirmed impact from the broader Mini Shai-Hulud supply chain campaign affecting its SDK packages, though the company stated it had no indication that internal infrastructure was compromised at the time of reporting. The TeamPCP forum listing did not include downloadable samples, commit history validation, cryptographic proof, or other technical evidence sufficient to authenticate the claims.

The claims are nonetheless operationally notable because they surfaced shortly after TeamPCP-linked supply chain operations targeting developer ecosystems associated with AI infrastructure and cloud-connected CI/CD environments. Earlier campaign waves already demonstrated a strong focus on harvesting developer credentials, AI tooling configurations, cloud secrets, and infrastructure access from trusted software pipelines. If the claims are eventually substantiated, the incident would represent a potential expansion from credential-focused supply chain compromise into attempted monetization of proprietary development assets and enterprise AI infrastructure.

Supply Chain Implications

The TeamPCP campaign illustrates how modern software supply chain attacks increasingly focus on abusing trust relationships inside development infrastructure rather than solely distributing malware to end-user systems. Across multiple incidents, the actor relied on legitimate CI/CD pipelines, trusted package registries, signed release mechanisms, and official distribution channels to deliver payloads and harvest credentials. This operational model allows attackers to leverage the software ecosystem’s own trust assumptions against developers and enterprise environments.

The elementary-data compromise particularly highlighted the limitations of relying solely on package signing and trusted publication pipelines as indicators of safety. The malicious packages passed standard verification checks because they were generated and signed through the project’s legitimate release infrastructure.

The campaign also demonstrated how credential theft within CI/CD environments can create cascading downstream risk. Harvested GitHub tokens, npm credentials, cloud secrets, SSH material, and Kubernetes access can enable additional package hijacking, infrastructure compromise, lateral movement, and potential monetization opportunities beyond the original software supply chain attack itself.

For organizations operating AI infrastructure and cloud-native development environments, these incidents reinforce the importance of treating CI/CD security as a core enterprise risk rather than solely a DevOps concern.

Who is TeamPCP?

TeamPCP is a financially motivated threat actor cluster associated with multiple software supply chain compromise campaigns observed throughout 2026. PolySwarm analysts reported on TeamPCP-related activity earlier this year in our threat bulletin entitled Infect Once, Spread Everywhere: CanisterWorm and the Automation of Supply Chain Compromise.

The actor has repeatedly targeted GitHub Actions, PyPI, Docker Hub, npm ecosystems, VS Code/OpenVSX infrastructure, and cloud-connected CI/CD pipelines in operations focused primarily on credential theft and downstream operational reuse. Harvested data reportedly includes GitHub PATs, cloud provider credentials, SSH keys, Kubernetes secrets, AI tooling configurations, infrastructure-as-code files, and developer environment data.

Observed TeamPCP campaign activity between March and April 2026 included compromises involving Trivy GitHub Actions, Checkmarx KICS infrastructure, LiteLLM, Telnyx PyPI packages, Xinference, Bitwarden CLI, and elementary-data release pipelines.

The actor also demonstrated several recurring operational markers across campaign waves, including Dune-themed staging repositories, reused Session messenger identifiers, consistent exfiltration header conventions, Python .pth execution techniques, GitHub dead-drop infrastructure, and JavaScript payload delivery through the Bun runtime. While some public reporting has speculated about broader criminal ecosystem affiliations, attribution regarding partnerships or external group relationships remains limited and unconfirmed.

Analyst Commentary

TeamPCP’s campaign demonstrates how modern software supply chain attacks increasingly target the trust relationships embedded within developer ecosystems rather than end-user systems directly. By abusing trusted CI/CD workflows, signed release pipelines, official package registries, and automated publishing infrastructure, the actor was able to distribute malicious artifacts through channels many organizations inherently trust. The activity also highlights the growing operational overlap between software supply chain compromise, credential theft, cloud access abuse, and potential downstream monetization of developer infrastructure access. Even when package compromises are identified quickly, exposed credentials and tokens may continue enabling follow-on operations long after malicious packages are removed from registries.

The alleged Mistral AI repository claims, while currently unverified, further illustrate how attacks targeting AI development ecosystems may evolve beyond package poisoning alone. Modern AI infrastructure depends heavily on cloud-native CI/CD pipelines, automated deployment systems, distributed developer environments, and extensive third-party package dependencies, all of which expand the attack surface available to supply chain-focused threat actors.

The campaign further reinforces that cryptographic signing and trusted publication alone are no longer sufficient indicators of software integrity when the release infrastructure itself may be compromised or abused. Organizations should treat GitHub Actions security, workflow input sanitization, token scoping, package publication controls, and CI/CD network segmentation as critical defensive priorities.

For defenders, these incidents reinforce the importance of monitoring software supply chains beyond traditional signature-based approaches. Threat actors increasingly rotate infrastructure rapidly, abuse legitimate release mechanisms, and weaponize trusted automation workflows in ways that can evade conventional trust assumptions around signed packages and official registries.

IOCs

PolySwarm has multiple samples associated with recent TeamPCP activity.

