The article discusses the TeamPCP supply chain campaign, highlighting a series of significant security breaches that occurred from May 18 to May 24, 2026. Key points include:

1) A malicious Nx Console VS Code extension was published on the Visual Studio Marketplace, leading to the exfiltration of 3,800 GitHub repositories and affecting companies like OpenAI and Grafana Labs.
2) durabletask, a Python SDK officially published by Microsoft, was trojanized; the payload collected credentials and included a Linux disk wiper.
3) The npm ecosystem faced a wave of 639 malicious package versions launched across 323 packages.
4) The Shai-Hulud attack framework was leaked on GitHub, prompting concerns over potential copycat attacks.

Security recommendations urge the rotation of credentials and caution against trusting publisher verification badges.
CISA has not yet updated its advisories about the new vulnerabilities. Overall, the campaign reflects an advanced and coordinated threat to software supply chains.