TeamPCP defeats SLSA attestations in 400-package npm worm
Key insights
- TeamPCP became the first known threat actor to defeat SLSA Build Level 3 provenance attestations, compromising over 400 npm and PyPI packages in May 2026.
- The campaign included Mistral AI and Guardrails AI packages, indicating deliberate targeting of AI developer toolchains rather than random opportunism.
- Google Threat Intelligence Group consolidated attribution across five group aliases, suggesting a sustained and operationally mature threat actor.
Why this matters
SLSA Build Level 3 was widely treated as a near-sufficient supply-chain defense, and its defeat forces organizations that have recently adopted provenance-based trust models to reassess their entire package verification posture. The presence of Mistral AI and Guardrails AI in the compromised package list means AI practitioners cannot assume their inference or safety tooling pipelines were unaffected without a dedicated forensic review. With 400-plus packages hit across two major registries and a financially motivated group having demonstrated an SLSA-bypass capability, this establishes a new threat baseline for any team shipping software that depends on open-source AI tooling.
Summary
TeamPCP, tracked by Google Threat Intelligence Group as UNC6780, became the first known threat actor to defeat SLSA Build Level 3 provenance attestations, the strongest supply-chain integrity guarantee the open-source ecosystem had converged on.
Their Shai-Hulud worm compromised over 400 npm and PyPI packages in May 2026, including dependencies for TanStack, Mistral AI, OpenSearch, and Guardrails AI. The group is financially motivated, but their selection of AI-adjacent packages looks targeted rather than opportunistic.
Essentially: TeamPCP (UNC6780) broke the attestation model that open-source security has been treating as near-sufficient.
- The SLSA Level 3 defeat means provenance-based checks can no longer be relied on as a standalone control for package integrity; they need to be paired with controls that look at the source and behavior of the package itself.
- Five tracked aliases suggest operational maturity well beyond a one-off campaign.
- Attribution is consolidated across all five identities, but whether the campaign is winding down or evolving into persistent toolchain access remains unresolved.
If the group shifts from hit-and-run to persistence, developer toolchains face a recurring threat from actors who have already cleared the bar most defenders assumed was prohibitive.
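To make the "not sufficient as a standalone control" point concrete, the following is an added example written for this brief; it is not code from the original article, from any of the affected projects, or from npm or PyPI. It checks a SLSA v1 provenance statement the way a consuming policy typically does (artifact digest is a subject, builder is trusted, build consumed the expected repository) and then shows that a statement from a trusted builder for a commit nobody reviewed passes that check unchanged, so a second, source-side control is needed. The package name, builder id, repository URI, commits and tarball bytes are all constructed; signature verification of the DSSE envelope is assumed to have already succeeded and is out of scope.

```python
"""Minimal SLSA v1 provenance policy check (added example; constructed data).

Layout follows the in-toto Statement v1 / SLSA provenance v1 schema. The
builder id, repository, commits and tarball are made up for illustration.
DSSE/Sigstore signature verification is assumed to have run before this.
"""
from __future__ import annotations

import hashlib

INTOTO_STATEMENT_V1 = "https://in-toto.io/Statement/v1"
SLSA_PROVENANCE_V1 = "https://slsa.dev/provenance/v1"

# Constructed sample artifact and the policy an organisation might pin for it.
TARBALL = b"constructed tarball bytes for example-pkg@1.2.3"
POLICY = {
    "builder_id": "https://ci.example.invalid/hosted-builder",       # assumed
    "source_uri": "git+https://github.com/example-org/example-pkg",  # assumed
}
# Commits a human actually reviewed (constructed). Provenance never asserts this.
REVIEWED_COMMITS = {"1" * 40}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_statement(artifact: bytes, commit: str, builder_id: str, source_uri: str) -> dict:
    """Construct an in-toto statement carrying SLSA v1 provenance (sample data)."""
    return {
        "_type": INTOTO_STATEMENT_V1,
        "subject": [{"name": "pkg:npm/example-pkg@1.2.3",
                     "digest": {"sha256": sha256_hex(artifact)}}],
        "predicateType": SLSA_PROVENANCE_V1,
        "predicate": {
            "buildDefinition": {
                "buildType": "https://ci.example.invalid/buildtypes/publish/v1",
                "resolvedDependencies": [
                    {"uri": source_uri, "digest": {"gitCommit": commit}},
                ],
            },
            "runDetails": {"builder": {"id": builder_id}},
        },
    }


def check_provenance(statement: dict, artifact: bytes, policy: dict) -> list[str]:
    """What a provenance policy verifies: digest is a subject, builder is
    trusted, build consumed the expected repo. Empty list means accepted."""
    problems: list[str] = []
    if statement.get("_type") != INTOTO_STATEMENT_V1:
        problems.append("unexpected statement type")
    if statement.get("predicateType") != SLSA_PROVENANCE_V1:
        problems.append("unexpected predicate type")
    digest = sha256_hex(artifact)
    if not any(s.get("digest", {}).get("sha256") == digest
               for s in statement.get("subject", [])):
        problems.append("artifact digest is not a subject of the attestation")
    pred = statement.get("predicate", {})
    builder = pred.get("runDetails", {}).get("builder", {}).get("id")
    if builder != policy["builder_id"]:
        problems.append(f"untrusted builder {builder!r}")
    deps = pred.get("buildDefinition", {}).get("resolvedDependencies", [])
    if not any(d.get("uri") == policy["source_uri"] for d in deps):
        problems.append("source repository does not match policy")
    return problems


def source_commit(statement: dict, source_uri: str) -> str | None:
    """The git commit the build claims to have consumed for the source repo."""
    deps = statement.get("predicate", {}).get("buildDefinition", {}).get("resolvedDependencies", [])
    for d in deps:
        if d.get("uri") == source_uri:
            return d.get("digest", {}).get("gitCommit")
    return None


def check_source_reviewed(statement: dict, policy: dict, reviewed: set[str]) -> list[str]:
    """Second-tier control: the attested commit must be one a human reviewed.
    A legitimate builder attests a malicious commit just as readily."""
    commit = source_commit(statement, policy["source_uri"])
    if commit is None:
        return ["no source commit recorded in provenance"]
    if commit not in reviewed:
        return [f"commit {commit[:12]} was built by a trusted builder but never reviewed"]
    return []


def demo() -> dict:
    """Run both checks on a reviewed build and on a build of an unreviewed commit."""
    good = make_statement(TARBALL, "1" * 40, POLICY["builder_id"], POLICY["source_uri"])
    rogue = make_statement(TARBALL, "f" * 40, POLICY["builder_id"], POLICY["source_uri"])
    return {
        "good_provenance": check_provenance(good, TARBALL, POLICY),
        "good_review": check_source_reviewed(good, POLICY, REVIEWED_COMMITS),
        # Passes provenance: trusted builder, expected repo, matching digest...
        "rogue_provenance": check_provenance(rogue, TARBALL, POLICY),
        # ...and only the source-side control flags it.
        "rogue_review": check_source_reviewed(rogue, POLICY, REVIEWED_COMMITS),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'ok' if not result else result}")
```

The `rogue` statement is accepted by `check_provenance` with no violations, because every claim it makes is true: the trusted builder really did build that tarball from that repository. That is exactly what Build L3 attests, and exactly why a provenance check on its own cannot tell a clean release from one built from a poisoned commit; `check_source_reviewed` stands in for whatever independent source-side or behavioral control an organisation layers on top.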
Potential risks and opportunities
Risks
- Downstream users of compromised Mistral AI and Guardrails AI packages may have shipped tainted AI inference or guardrail code into production before the campaign was detected, with no public remediation timeline announced.
- Package maintainers across npm and PyPI who adopted SLSA Level 3 as their primary supply-chain control now depend on a control that has been bypassed by an undisclosed method, with no published countermeasure, exposing the broader ecosystem until one is.
- If TeamPCP pivots from direct financial extraction to access brokering, the established foothold in developer toolchains could be sold to state-level actors within the next 30 to 60 days, escalating the campaign's impact well beyond its original financial scope.
Opportunities
- Supply-chain security vendors and projects offering runtime and behavioral verification beyond attestation checks (Chainguard, Endor Labs, the Sigstore maintainers) can position post-SLSA-bypass controls as a necessary second defense tier for enterprises currently exposed.
- npm and PyPI registries face direct pressure to layer behavioral analysis alongside provenance checks, creating an opening for security tooling partnerships and funded integration work in the near term.
- Threat intelligence vendors that have built multi-alias UNC6780 attribution profiles (Google GTIG and peer firms) can monetize that consolidated coverage through enterprise threat feeds targeting security teams responsible for AI developer toolchain integrity.
What we don't know yet
- Whether TanStack, Mistral AI, OpenSearch, and Guardrails AI have completed forensic audits of affected package versions and issued formal notifications to downstream users.
- The specific technical mechanism used to defeat SLSA Level 3 attestations has not been publicly disclosed, leaving other maintainers unable to close the same gap independently.
- Whether TeamPCP's five operational aliases represent distinct cells or a single compartmentalized team, which directly affects the feasibility of any law enforcement or registry-level disruption effort.
Originally reported by darkreading.com under the headline: Shai-Hulud Hackers TeamPCP: Lucky or Skilled Operators? Dark Reading Profiles the Group Behind 2026's Most Damaging Supply-Chain Worm Campaign