Threat Analysis: PyPI and npm Supply Chain Attacks, What UK SMBs Need to Know About the TeamPCP Campaign
Hello, Mauven here.
A coordinated software supply chain campaign has compromised at least five packages across PyPI and npm in the past seven days. The threat group behind it, designated UNC6780 by Google's Threat Intelligence Group and tracked separately as TeamPCP, is not a new actor. What is new is the tempo: three concurrent package compromises executed within a single week, following a 26-day operational pause. That pause was not inactivity. That was planning.
This matters to UK SMBs for a reason that most coverage will not spell out: you do not need to be writing code yourself to be exposed. If your IT provider manages Python environments, runs automated build pipelines, or deploys AI tooling, the packages compromised this week may already be sitting in your infrastructure.
What Was Compromised
The SANS Internet Storm Center's Update 008 on the TeamPCP campaign, published today, confirms three concurrent compromises in the week of 20 to 26 April 2026:
- xinference: an open-source distributed AI model inference framework. Attackers compromised PyPI release credentials belonging to the package maintainers and published three malicious versions: 2.6.0, 2.6.1, and 2.6.2. The malicious code was embedded in __init__.py behind multiple layers of Base64 encoding and executed automatically on library installation or import, collecting cloud credentials and exfiltrating them. This is not an obscure package. It is used in AI deployment pipelines across professional services and technology firms.
- elementary-data: a PyPI package with 1.1 million monthly downloads, according to BleepingComputer's reporting published today. An attacker pushed a malicious version targeting developer credentials and cryptocurrency wallets. At 1.1 million monthly downloads, the blast radius here is significant.
- telnyx Python SDK: versions 4.87.1 and 4.87.2 contained embedded credential-harvesting malware. Socket.dev's analysis describes a three-stage runtime chain: audio steganography for payload delivery, in-memory execution of a data harvester, and encrypted exfiltration. On Windows systems, the malware drops a persistent binary in the Startup folder. On Linux and macOS, it operates filelessly. The use of steganography to conceal the payload is noteworthy: it is specifically designed to evade static analysis tools.
Also within the same campaign window: a malicious @bitwarden/cli lookalike package pushed across multiple distribution channels including Docker Hub, GitHub Actions, and VS Code extensions; and a compromise affecting Checkmarx KICS, a tool used specifically for security scanning of infrastructure-as-code.
That last one deserves a moment of your attention. The security scanning tool was compromised. If your organisation uses KICS to validate that your cloud configurations are safe, and that tool itself was serving malicious code, your security checks were not checking anything.
What the Advisories Are Not Saying
The SANS ISC diary entry documents this comprehensively. What it does not contextualise for a UK SMB audience is the prior history of this group.
UNC6780 previously stole Cisco source code via credentials harvested through a compromised Trivy integration (Trivy being another security scanning tool). The pattern is consistent: target the tooling that developers trust, that runs with elevated permissions, that is assumed safe because it is categorised as a security product. Compromise that, and you get access to everything it touches.
This is not opportunistic credential theft. This is a persistent campaign with a methodology: identify trusted developer tooling, compromise it at the supply chain level, harvest the credentials that flow through it, and monetise upstream. The 26-day pause before this week's triple compromise is itself significant: it suggests operational discipline, not a rushed grab.
The CISA KEV remediation deadline for CVE-2026-33634, associated with earlier TeamPCP activity, lapsed without a standalone federal advisory. Draw your own conclusions about the priority being applied to this threat at the regulatory level.
The AI Tooling Angle
Field Effect MDR identified a separate but thematically related incident on 23 April: AMOS Stealer delivered through a compromised Cursor AI agent session running Claude Code. The attack used social engineering to manipulate an operator into prompting the AI agent to download and execute malicious AppleScript loaders.
I raise this not to conflate it with the TeamPCP campaign (I am not inferring a connection where none has been confirmed) but because it illustrates a broader shift in attack surface that UK businesses are not yet accounting for. AI coding assistants and agent frameworks are increasingly present in development environments. They run with broad file system access. They can be manipulated through prompt injection or social engineering into executing attacker-controlled code. The security models built for traditional software do not translate cleanly to agentic AI tooling.
If your developers are using AI coding assistants, and the probability that they are is high, the question of what those agents can be instructed to do, and by whom, is one worth asking your IT provider this week.
What UK SMBs Should Do Now
This is not theoretical exposure. These packages are in active use across UK businesses, particularly in professional services, technology, and any firm that has adopted AI tooling in the past 18 months.
Immediate actions:
- Audit your Python and Node.js dependency trees. Ask your IT provider or development team to run a dependency audit specifically looking for xinference, elementary-data, telnyx (Python SDK), and any @bitwarden/cli packages. The malicious versions are known; checking against them is straightforward.
- Rotate cloud credentials. If any of the compromised packages were present in your environments, treat your cloud credentials as potentially compromised. Rotate AWS, Azure, and GCP access keys. Review your IAM logs for anomalous API calls since 20 April.
- Check your security scanning tooling. If you use Checkmarx KICS, verify you are not running a compromised version and review any scans run during the compromise window. A security scan conducted by compromised tooling cannot be trusted.
- Ask your MSP the direct question. If you use a managed IT or managed security provider, ask them specifically whether these packages are present in any environment they manage on your behalf, and what their process is for monitoring supply chain compromises in third-party tooling. If they cannot answer that question confidently, that is information you need.
- If your developers use AI coding agents, establish a policy on what those agents are permitted to do. Specifically: they should not be able to install packages or execute scripts without explicit human review of what they are installing and why.
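As an added example (not from this article or from any of the cited advisories), a small audit script for the first action above: it checks `pip freeze` output and an npm `package-lock.json` against the package versions named in this post. The sample inputs are constructed; elementary-data's malicious version and the exact name of the @bitwarden/cli lookalike are not given here, so those are flagged for manual review rather than matched.

```python
import json
import re

# Versions named in the advisories above. elementary-data's malicious version and
# the @bitwarden/cli lookalike's exact name are not given, so those are flagged
# for manual review rather than matched exactly.
COMPROMISED_PYPI = {
    "xinference": {"2.6.0", "2.6.1", "2.6.2"},
    "telnyx": {"4.87.1", "4.87.2"},
}
REVIEW_PYPI = {"elementary-data"}

def normalise(name: str) -> str:
    """PEP 503 name normalisation: case-insensitive; '-', '_' and '.' are equivalent."""
    return re.sub(r"[-_.]+", "-", name).lower()

def audit_pip_freeze(text: str) -> list:
    """Scan `pip freeze` output ('name==version' per line) for the packages above."""
    findings = []
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)==([^\s;#]+)", line)
        if not m:
            continue
        name, version = normalise(m.group(1)), m.group(2)
        if version in COMPROMISED_PYPI.get(name, set()):
            findings.append((name, version, "known malicious version"))
        elif name in REVIEW_PYPI:
            findings.append((name, version, "named in campaign; verify version"))
    return findings

def audit_package_lock(text: str) -> list:
    """Scan a package-lock.json (lockfileVersion 2/3) for @bitwarden/cli-like names."""
    findings = []
    for path, info in json.loads(text).get("packages", {}).items():
        name = info.get("name") or path.rpartition("node_modules/")[2]
        if "bitwarden" in name.lower():
            findings.append((name, info.get("version", "?"), "bitwarden-like name; verify publisher"))
    return findings

# Constructed sample inputs for a stand-alone run, not captured from a real system.
SAMPLE_FREEZE = "requests==2.32.3\nxinference==2.6.1\nTelnyx==4.87.2\nelementary_data==0.20.0\n"
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "app", "version": "1.0.0"},
    "node_modules/express": {"version": "4.19.2"},
    "node_modules/@bitwarden/cli": {"version": "2026.4.0"},
}})

if __name__ == "__main__":
    for finding in audit_pip_freeze(SAMPLE_FREEZE) + audit_package_lock(SAMPLE_LOCK):
        print("%-20s %-10s %s" % finding)
```

Feed it real `pip freeze` output from each environment and the lock file from each Node.js project; a hit on a "known malicious version" line should trigger the credential rotation step that follows.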
The NCSC has published guidance on software supply chain security. The fact that package compromise at this scale is still catching organisations unprepared tells you everything about how consistently that guidance is being applied.
Sources
| Source | Title | URL |
|---|---|---|
| BleepingComputer | PyPI package with 1.1M monthly downloads hacked to push infostealer | https://www.bleepingcomputer.com/news/security/pypi-package-with-11m-monthly-downloads-hacked-to-push-infostealer/ |
| SANS Internet Storm Center | TeamPCP Supply Chain Campaign: Update 008 | https://isc.sans.edu/diary/rss/32926 |
| Socket.dev | Telnyx Python SDK Compromised to Deliver Credential-Stealing Malware | https://socket.dev/blog/telnyx-python-sdk-compromised |
| Palo Alto Unit 42 | The npm Threat Landscape: Attack Surface and Mitigations | https://unit42.paloaltonetworks.com/monitoring-npm-supply-chain-attacks/ |
| AlienVault OTX | Supply Chain Poisoning via PyPI Repository Compromise (xinference) | https://otx.alienvault.com |
| Field Effect MDR | AMOS Stealer delivered via Cursor AI agent session | https://fieldeffect.com/blog/field-effect-detects-amos-stealer-delivered-via-cursor-ai-agent-session |