
TeamPCP 'Mini Shai-Hulud': Inside the Developer Toolchain Attack Campaign Now on CISA KEV

TeamPCP's simultaneous compromise of three developer toolchain components — a code-signed installer, an npm package, and a VS Code extension — follows a refined methodology the group has been developing across multiple 2026 campaigns. The technical approach explains why these attacks reach environments that are otherwise well-defended.


TeamPCP has executed three simultaneous supply-chain compromises targeting developer environments in a campaign confirmed by CISA’s KEV addition on 27 May. Understanding the methodology reveals why conventional endpoint security measures are insufficient against this attack class.

Why Developer Toolchains Are High-Value Targets

A developer workstation at a mid-to-large technology organisation is one of the most credential-rich machines in the environment. Over months or years of active development it accumulates:

  • SSH private keys: Access to production servers, code repositories, deployment targets
  • Cloud provider credentials: AWS, Azure, GCP credentials in .aws/credentials, environment variables, or secrets managers
  • Code signing certificates: Certificates used to sign application releases — extremely high value for downstream supply-chain compromise
  • Container registry credentials: Docker Hub, GCR, ECR credentials in .docker/config.json
  • API tokens: GitHub tokens, npm tokens, CI/CD API keys often stored in dotfiles or shell history
  • .env files: Development environment configurations that frequently contain production database credentials and service API keys copied from production for testing

A single successful developer workstation compromise can yield credentials sufficient to access source code, production infrastructure, and signing infrastructure — the complete supply chain for an organisation’s software.

TeamPCP’s Three-Vector Approach

The “Mini Shai-Hulud” campaign targeted three distinct entry points simultaneously:

Signed installer (DAEMON Tools): A compromised code signing certificate for a trusted utility provides a pathway that bypasses SmartScreen and Gatekeeper warnings. Developers who see a “Publisher: Disc Soft Ltd” validation prompt proceed without suspicion. The installer requests elevated privileges, which is appropriate for virtual drive software, and that gives the payload a privileged execution context.

Package manager (npm/TanStack): Typosquatting and dependency confusion attacks via npm target the automatic trust that npm install places in the registry. A developer running npm install on a new project who gets a slightly-wrong package does not receive any warning — the package manager downloads, verifies the checksum (of the malicious package), and runs the post-install hook. The hook executes with the permissions of the developer’s shell, which on a macOS or Linux developer workstation is the developer’s full user context.

IDE extension (VS Code/Nx Console): VS Code extensions run with the permissions of the VS Code process, which typically has the same access as the user’s session. Extensions that access workspace files can read any file the developer can read — including .env files, credential files, and anything open in the editor. The Nx Console backdoor specifically targeted workspace configuration because Nx monorepo configurations typically enumerate cloud infrastructure, API endpoints, and deployment targets.

Detection Indicators

DAEMON Tools (CVE-2026-8398):

  • Process: dtlite.exe or dtshell.exe making outbound HTTP/HTTPS connections to domains not registered to Disc Soft Ltd
  • File: New executable dropped to %AppData%\Local\Temp\ during DAEMON Tools installation

TanStack Query (CVE-2026-45321):

  • npm postinstall script in node_modules/@tanstack/react-query/scripts/ — legitimate package has no postinstall hook
  • Outbound connection from Node.js processes to C2 infrastructure during npm install
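
The first TanStack indicator (an install hook where the legitimate package has none) can be checked across an installed dependency tree. The following is an added example, not code from the original article or from any project it names; the function names, the `example-lib` package and the hook command in the sample manifests are constructed, and the check is generalized to every package's `preinstall`, `install` and `postinstall` scripts.

```python
import json
import tempfile
from pathlib import Path

# Lifecycle scripts that npm runs automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

def package_name(manifest, root):
    """Directory-derived package name, or None if not a package-root manifest."""
    parts = manifest.parent.relative_to(root).parts
    if "node_modules" in parts:  # nested dependency: keep the innermost tree
        parts = parts[len(parts) - parts[::-1].index("node_modules"):]
    scoped = len(parts) == 2 and parts[0].startswith("@")
    plain = len(parts) == 1 and not parts[0].startswith("@")
    return "/".join(parts) if scoped or plain else None

def find_install_hooks(node_modules, expect_no_hooks=()):
    """List install-time hooks; packages in expect_no_hooks are flagged 'unexpected'."""
    root, findings = Path(node_modules), []
    for manifest in sorted(root.rglob("package.json")):
        name = package_name(manifest, root)
        if name is None:
            continue
        try:
            scripts = json.loads(manifest.read_text(encoding="utf-8")).get("scripts")
        except (OSError, ValueError, AttributeError):
            findings.append((name, "manifest", "unreadable", "review"))
            continue
        if not isinstance(scripts, dict):
            continue
        level = "unexpected" if name in expect_no_hooks else "review"
        findings += [(name, h, scripts[h], level) for h in INSTALL_HOOKS if h in scripts]
    return findings

def demo():
    """Constructed tree: a hooked copy of the package named on this page, plus a clean one."""
    samples = {  # constructed manifests, not real package contents
        "@tanstack/react-query": {"scripts": {"postinstall": "node scripts/setup.js"}},
        "example-lib": {"scripts": {"test": "node test.js"}},
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, "node_modules")
        for name, manifest in samples.items():
            (root / name).mkdir(parents=True)
            (root / name / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
        return find_install_hooks(root, expect_no_hooks={"@tanstack/react-query"})

if __name__ == "__main__":
    for finding in demo():
        print(*finding, sep="\t")
```

Because the audit reads manifests that are already on disk, it reports hooks that have typically already run; installing with `npm install --ignore-scripts` keeps lifecycle scripts from executing while the tree is reviewed.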

Nx Console (CVE-2026-48027):

  • VS Code extension data exfiltration: outbound HTTPS from code process to non-Microsoft domains during workspace open
  • Suspicious file reads: extensionHostProcess.js reading .env files in workspace root shortly after workspace open

Remediation Priority

Developer workstations are not in scope for standard endpoint patching programmes in many organisations — they are managed by development teams with different tooling and cadences. This gap is exactly what supply-chain attackers exploit. Security operations should work with engineering leadership to confirm that developer workstations are enrolled in EDR, that outbound network monitoring is active on developer machines, and that secrets rotation workflows exist for the credential stores listed above.
