TeamPCP Supply Chain Campaign: Activity Through 2026-05-24 (Mon, May 25th)
ID: 4a5b04cb-40a3-5121-b57d-2a284cd23562
STIX ID: report--4a5b04cb-40a3-5121-b57d-2a284cd23562
Feed Name: SANS ISC Diary
TeamPCP (aka Shai-Hulud) executed a large multi-stage supply-chain campaign in May 2026. The campaign trojanized a verified VS Code extension (Nx Console), leading to the exfiltration of ~3,800 GitHub-internal repositories; published malicious versions of Microsoft's durabletask Python SDK (1.4.1–1.4.3), reportedly delivering a Linux disk wiper and credential-stealing worm; and pushed 639 malicious npm package versions across 323 @antv packages. The operation demonstrates credential-to-publish abuse, registry provenance/attestation forgery, and widespread active exploitation across developer and CI/CD environments.
