
CISA Flags TeamPCP Campaign as Leaked Code Fuels Credential Theft in npm Ecosystem

Tech & Science · AI-Generated & Algorithmically Scored

AI-generated from multiple sources. Verify before acting on this reporting.

WASHINGTON (June 8, 2026) — The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added vulnerabilities linked to the TeamPCP threat campaign to its Known Exploited Vulnerabilities catalog on Monday, following a surge in credential-stealing attacks targeting the global npm ecosystem.

The advisory cites compromises of Nx Console and of GitHub repositories, a significant escalation in the group's operations. CISA's action comes as leaked source code from the Mini Shai-Hulud framework has been reused by attackers to infiltrate Red Hat npm packages: the leaked code gave them a ready-made worm that steals credentials from every system on which an infected package is installed.

Security firms Wiz, Microsoft Threat Intelligence, and StepSecurity have tracked the campaign's expansion. The attackers, identified as TeamPCP, use the exposed framework to distribute malicious payloads through compromised packages. The attacks target organizations that depend on open-source packages, with the Red Hat packages serving as the worm's primary propagation vector.

The incident underscores the risk posed by leaked tooling. Once the Mini Shai-Hulud framework's source code was exposed, attackers repurposed it to automate credential theft rather than building a worm from scratch, and that reuse has accelerated the campaign, letting TeamPCP scale across the npm registry.

CISA's advisory urges organizations to patch affected systems immediately and to monitor for signs of compromise, noting that exploitation is actively occurring. Red Hat has issued guidance for users to audit their npm dependencies and remove any unauthorized packages. Because the worm steals credentials, removing a malicious package does not undo the exposure: any npm or GitHub tokens present on an affected host should be treated as compromised and rotated.

The scope of the campaign remains under investigation. While the specific motivations behind TeamPCP's actions are unclear, the group's ability to exploit leaked code suggests a coordinated effort to maximize impact. Security researchers are analyzing the worm's behavior to understand its full capabilities and potential reach.

Questions remain regarding the origin of the leaked framework code and whether other tools have been similarly compromised. The incident has prompted renewed calls for stricter controls over the distribution of security software and source code. As the investigation continues, organizations are advised to maintain heightened vigilance against supply chain attacks.

The situation is developing, with new indicators of compromise expected to emerge as analysts dissect the malware. CISA and industry partners are working to identify additional vulnerabilities that may be exploited in future waves of the campaign.
