
KeyAudit

phishing · private-key-leak · infrastructure

TeamPCP Supply Chain Attack: TanStack, Nx Console, AntV, and GitHub Breach

Beginning in May 2026, the threat group TeamPCP (aliases include DeadCatx3) carried out a coordinated supply chain campaign across several ecosystems within a single week.

The chain began with the TanStack incident on May 10-11. The attacker abused a pull_request_target workflow (which runs in the base repository's context, with access to its secrets), poisoned the GitHub Actions cache, and extracted the job's OIDC token from runner memory to publish 42 malicious @tanstack/* packages. Because they were built and published through the project's own compromised pipeline, the packages carried valid SLSA Level 3 provenance. They exfiltrated data via Session and GitHub GraphQL dead drops and planted persistence in .claude and .vscode configuration and in a gh-token-monitor component.

On May 18, version 18.95.0 of the Nx Console extension was compromised after an Nx developer's credentials were stolen in the TanStack attack. The malicious extension ran background tasks that fetched code from a standalone commit and deployed a daemon payload that harvested credentials for GitHub, npm, AWS and other services, with persistence via LaunchAgents.

On May 19, the @antv npm ecosystem saw 547+ malicious versions published and PyPI durabletask packages were poisoned; both stages shared tooling such as kitty-monitor and firedalazer with the earlier ones. GitHub also disclosed unauthorized access to internal repositories, most likely through the Nx Console extension on employee machines; TeamPCP claimed 4,000 private repositories were compromised.

The campaign drives home three points. Signed provenance (Sigstore/SLSA) attests where and how an artifact was built, not that the build itself was trustworthy, so a compromised CI pipeline yields validly attested malware. pull_request_target and Actions cache reuse expose privileged workflows to attacker-controlled input. And credential rotation must happen immediately, but only after the persistence mechanisms have been removed, or the freshly issued credentials are harvested as well.
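As an added illustration (not code from the page or from any of the affected projects), a heuristic scanner for the workflow pattern described above: a job triggered by pull_request_target that checks out the pull request's head ref, so attacker-controlled code runs with the base repository's secrets, plus use of actions/cache in such a job, where a poisoned cache entry is a second path for PR-controlled content to reach a privileged step. It is line-based and needs no YAML library; the two workflow snippets are constructed samples, and the finding codes are this example's own names.

```python
import re

# Pull-request-controlled expressions that must never be checked out or executed
# inside a pull_request_target job, which runs with the base repository's secrets.
UNTRUSTED_REF = re.compile(
    r"github\.event\.pull_request\.head\.(sha|ref|repo)|github\.head_ref"
)
CHECKOUT = re.compile(r"^\s*-?\s*uses:\s*actions/checkout@")
CACHE = re.compile(r"^\s*-?\s*uses:\s*actions/cache@")


def trigger_events(lines):
    """Collect event names under the top-level `on:` key (scalar, flow-list or mapping form)."""
    events = set()
    in_on = False
    child_indent = None
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:
            in_on = False
            m = re.match(r"^(?:on|'on'|\"on\"):\s*(.*)$", line.strip())
            if m:
                in_on = True
                child_indent = None
                # `on: push` or `on: [push, pull_request_target]`
                events.update(re.findall(r"[a-z_]+", m.group(1)))
            continue
        if in_on:
            if child_indent is None:
                child_indent = indent          # first child sets the depth of event keys
            if indent == child_indent:         # deeper lines are options such as `types:`
                m = re.match(r"^-?\s*([a-z_]+)", line.strip())
                if m:
                    events.add(m.group(1))
    return events


def scan_workflow(text):
    """Return finding codes for one workflow file; an empty list means nothing was flagged."""
    lines = text.splitlines()
    findings = []

    def add(code):
        if code not in findings:
            findings.append(code)

    if "pull_request_target" not in trigger_events(lines):
        return findings                        # the pattern needs the privileged trigger
    add("PRT_TRIGGER")

    in_checkout = False
    for line in lines:
        stripped = line.strip()
        if re.match(r"^-\s", stripped):        # a new list item starts a new step
            in_checkout = False
        if CHECKOUT.match(line):
            in_checkout = True
        if CACHE.match(line):
            add("PRT_CACHE")                   # cache reuse in a privileged job
        if in_checkout and re.match(r"^(ref|repository):", stripped) \
                and UNTRUSTED_REF.search(stripped):
            add("PRT_UNTRUSTED_CHECKOUT")      # PR head checked out with base-repo credentials
        if "secrets." in stripped:
            add("PRT_SECRETS")                 # secrets reachable from the same job
    return findings


# Constructed sample: the vulnerable shape (hypothetical workflow, not a real project's file).
VULNERABLE_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/cache@v4
        with:
          path: node_modules
          key: deps-${{ hashFiles('package-lock.json') }}
      - run: npm ci && npm test
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

# Constructed sample: same job on the unprivileged pull_request trigger, read-only token,
# no credentials persisted in the checkout.
HARDENED_WORKFLOW = """\
name: ci
on: [push, pull_request]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - run: npm ci && npm test
"""

if __name__ == "__main__":
    print("vulnerable:", scan_workflow(VULNERABLE_WORKFLOW))
    print("hardened:  ", scan_workflow(HARDENED_WORKFLOW))
```

Run it over every file under .github/workflows; a PRT_TRIGGER finding on its own is informational, while PRT_UNTRUSTED_CHECKOUT together with PRT_SECRETS is exactly the combination that lets a pull request from a fork run code with the repository's publishing credentials.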

Key facts

  • TeamPCP attack chain: TanStack CI → Nx Console extension → GitHub internal repos.
  • 42 malicious @tanstack/* packages published via pull_request_target abuse, Actions cache poisoning and OIDC token theft; all carried valid SLSA Level 3 provenance.
  • Nx Console 18.95.0 (2.2M+ installs) deployed a daemon payload harvesting GitHub, npm, AWS and other credentials.
  • AntV npm (547+ versions) and PyPI durabletask poisoned; shared C2 and persistence tooling.
  • GitHub breach: internal repositories accessed via the malicious VS Code extension on employee machines; TeamPCP claims 4,000 private repos.
