























The diagram below shows the attack flow.

Figure 2: Attack chain showing the Hades flow.
On May 11, 2026, TeamPCP exploited a pull_request_target misconfiguration in the TanStack open-source monorepo to bypass Supply-chain Levels for Software Artifacts (SLSA) provenance attestation.
pull_request_target is a GitHub Actions workflow trigger that, unlike pull_request, executes in the context of the target (base) repository rather than the contributor's fork, granting the workflow access to repository secrets. The misconfiguration is common in open-source projects that accept external contributions without restricting which workflows execute in the privileged context.
According to public reporting, the attack chain worked as follows:
pull_request_target workflow in TanStack's CI environment.Runner.Worker process memory.npm publish token.The key distinction from earlier waves is that no maintainer credentials needed to be stolen. The trusted environment itself became the access path.
Within a six-minute window, 84 malicious artifacts were published across 42 @tanstack/ packages. Those artifacts carried valid Sigstore (fulcio.sigstore.dev) provenance attestations, signed through the legitimate CI path and recorded in the Rekor transparency log. From a cryptographic standpoint, the attestations were valid because TeamPCP ran the malicious build process from inside the trusted system.
Days later, on May 19, the campaign mass-republished the @antv data visualization namespace. Snyk reported roughly 314 versions published within a single six-second window.
Public reporting also linked this broader wave to compromises affecting additional AI-related infrastructure packages, including packages associated with Mistral AI, Guardrails AI, UiPath, and OpenSearch. These libraries are used to access LLM providers, enforce AI safety policies, and build automation workflows.
On May 12, 2026, TeamPCP published the complete worm source code to GitHub under an MIT license with the commit message, "Open Sourcing The Carnage."
The release reportedly included:
The open-sourcing of the toolkit changed the threat landscape and made attribution harder. Before publication, linking multiple waves to the same operator was more straightforward. After May 12, however, the toolkit was publicly available, allowing copycat actors to reuse the same code and tradecraft. As a result, malware overlap or similar operations alone are no longer enough to confidently attribute later activity to the original TeamPCP group.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。