The FBI has released a PSA about TeamPCP, a data extortion group blamed for what's been called the longest running streak of software supply-chain hacks ever. TeamPCP is responsible for a godawful number of popular code packages getting backdoored over the past six months. In the process they've compromised even more repos in a wormlike fashion, including a number of security tools like Trivy/Aqua Security, CheckMarx, and LiteLLM. TeamPCP also recently compromised GitHub, infecting at least 3,800 repositories with credential-stealing malware.

ic3.gov/CSA/2026/260702.pdf (PDF)

#teampcp

Jul 2, 2026, 16:22 UTCen