Overview
Threat intelligence reports indicate that cybercriminal group TeamPCP, in collaboration with the underground forum BreachForums, has launched a new competition designed to encourage open-source supply chain attacks.
The contest offers a relatively small reward — $1,000 in Monero (XMR) — but the real incentive appears to be access, reputation, and downstream exploitation opportunities within compromised development ecosystems.
Contest Structure
The competition centers around participants deploying a malicious open-source tool known as:
- “Shai-Hulud”
Participants are instructed to:
- Infect open-source software packages
- Submit forum identities and proof of access
- Maximize distribution across repositories and CI/CD pipelines
Scoring System
Winners are determined based on:
- Weekly download counts of compromised packages
- Monthly aggregated infection metrics across multiple projects
This system effectively encourages:
- Worm-like propagation across ecosystems
- Mass compromise of low-value dependencies
- Abuse of package registries and build pipelines

Attack Model
The contest incentivizes attackers to compromise:
- Open-source package registries (e.g., npm, PyPI)
- CI/CD pipelines (GitHub Actions, build systems)
- Container images (Docker registries)
- Developer tooling environments
Once compromised, attackers can extract:
- Cloud credentials
- CI/CD secrets
- API tokens
- Source code repositories
- Internal deployment keys
Security researchers warn that even low-value initial access can lead to high-value downstream compromise in enterprise environments.
Security Implications
Although the prize pool is only $1,000, analysts warn the real damage potential is significantly higher.
Why the Risk Is High
- Supply chain access scales beyond individual targets
- Compromised packages are reused across thousands of systems
- CI/CD pipelines often contain privileged credentials
- Infection can persist across updates and builds
This creates a situation where attackers may gain:
- Persistent access to enterprise environments
- Stealthy credential harvesting capabilities
- Secondary exploitation pathways into cloud infrastructure
Strategic Motivation
Security researchers believe the contest is not primarily about the financial reward.
Instead, it appears to function as:
- A recruitment mechanism for lower-tier hackers
- A crowdsourced attack engine for mass compromise
- A reputation system within cybercrime forums
By lowering the barrier to entry, the campaign encourages inexperienced attackers to perform initial compromises while more advanced actors exploit the resulting access.
Known Threat Actor Activity
According to threat intelligence reporting:
- TeamPCP has previously targeted:
- CI/CD pipelines
- GitHub Actions workflows
- Docker images
- npm and PyPI packages
The group is also reportedly linked to:
- Credential theft operations
- Ransomware ecosystem partnerships
- Targeting of AI firms and enterprise cloud environments
Tooling: “Shai-Hulud”
The malware framework referenced in the contest, Shai-Hulud, is described as a supply chain exploitation tool designed to:
- Automate package compromise
- Spread malicious updates
- Harvest developer and cloud credentials
- Enable lateral movement through build systems
Its deployment significantly increases the speed and scale of compromise across open-source ecosystems.
Expert Assessment
Security analysts warn that this type of competition introduces:
- Increased volume of opportunistic attacks
- Faster propagation of supply chain compromises
- Greater risk to maintainers of widely used packages
- Higher likelihood of downstream enterprise breaches
Even with minimal monetary incentive, the structure encourages measurable ecosystem-wide risk expansion.
Conclusion
The TeamPCP–BreachForums contest represents a concerning evolution in cybercrime strategy: gamifying supply chain compromise to drive scale rather than sophistication.
While the monetary reward is small, the operational impact could be significant, particularly for open-source maintainers and organizations relying heavily on third-party dependencies.
Defenders are advised to:
- Audit CI/CD security configurations
- Monitor dependency integrity
- Enforce strict package signing and verification
- Review build pipeline credential exposure