The PolySwarm Blog

Analyze suspicious files and URLs, at scale, millions of times per day. Get real-time threat intel from a crowdsourced network of security experts and antivirus companies competing to protect you.

Inside TeamPCP’s Supply Chain Offensive

May 18, 2026 1:56:30 PM / by The Hivemind posted in Threat Bulletin, Supply Chain Attack, CI/CD compromise, TeamPCP, Software Supply Chain Security, npm poisoning, GitHub Actions compromise, PyPI malware, AI infrastructure security

0 Comments

Verticals Targeted: Technology, Artificial Intelligence, Cloud, Software Development
Regions Targeted: US, Europe, Global
Related Threat Actors: TeamPCP
Related Families: Mini Shai-Hulud

Executive Summary

A coordinated software supply chain campaign linked to TeamPCP has demonstrated how modern CI/CD ecosystems can be weaponized to distribute malicious code, harvest developer credentials, and potentially enable broader downstream compromise. Recent operations tied to the actor targeted trusted software distribution infrastructure across GitHub Actions, PyPI, Docker Hub, VS Code/OpenVSX, and npm ecosystems through poisoned packages, malicious workflows, and compromised release mechanisms.

Read More

DAEMON Tools Backdoor Enables Targeted Follow-On Malware Operations

May 11, 2026 3:03:25 PM / by The Hivemind posted in Threat Bulletin, Supply Chain Attack, PowerShell malware, Chinese threat actors, DAEMON Tools, QUIC RAT, Trojanized Installer, Software Supply Chain Security, Backdoor Malware

0 Comments

Verticals Targeted: Government, Scientific Research, Manufacturing, Retail, Education
Regions Targeted: Russia, Belarus, Thailand, Brazil, Turkey, Spain, Germany, France, Italy, China
Related Families: QUIC RAT

Executive Summary

A large-scale supply chain compromise involving the widely used DAEMON Tools software platform has exposed organizations and consumers to malicious payload deployment through digitally signed installers distributed from the vendor’s legitimate infrastructure. The attack, active since at least April 8, 2026, involved trojanized versions of DAEMON Tools containing embedded backdoors capable of downloading and executing additional malware. While thousands of infection attempts were observed globally, the operation appears selectively targeted, with advanced payloads deployed against a small subset of victims.

Read More

Airstalk Used in Supply Chain Attacks

Nov 7, 2025 12:58:20 PM / by The Hivemind posted in Threat Bulletin, Supply Chain Attack, PowerShell malware, Airstalk Malware, Browser Exfiltration, AirWatch API, MDM Abuse, Nation-State Actor, .NET Malware, CL-STA-1009

0 Comments

Verticals Targeted: Business Process Outsourcing (BPO)
Regions Targeted: Not Specified
Related Families: None

Executive Summary

Airstalk is a new Windows malware family deployed by a suspected nation-state actor in supply chain attacks, leveraging AirWatch API for covert C2 to exfiltrate browser data. Available in PowerShell and .NET variants, the malware highlights evolving threats to third-party vendors.

Read More

Malicious Lolip0p PyPI Packages Drop Wacatac

Jan 27, 2023 2:58:20 PM / by The Hivemind posted in Threat Bulletin, PyPI, Supply Chain Attack, Lolip0p, Wacatac

0 Comments

Related Families: Wacatac

Executive Summary

Fortinet recently reported on a supply chain attack in which threat actors leveraged a 0-day attack embedded in three PyPI packages to deliver Wacatac.

Read More
All posts

Subscribe to Email Updates

Lists by Topic

see all

Posts by Topic

See all

Recent Posts

Join the Marketplace

For Enterprises and Businesses

Learn More

For Security Experts and AV Companies

Learn More