Pulse: The Worm That Keeps on Digging: Latest Wave
TLP: WHITE | Tags: TeamPCP | Author: AlienVault | Created: 2026-05-19 | Modified: 2026-05-21
4 IOCs (low volume)
A supply chain campaign targeting the open source developer ecosystem has compromised NPM packages in the @antv namespace, GitHub Actions including actions-cool/issues-helper, and the VS Code extension nrwl.angular-console. The malware runs a multi-stage infection chain that uses GitHub-hosted infrastructure and orphaned commits to stage its payloads, which it executes with the bun JavaScript runtime. It harvests credentials including GitHub tokens, SSH keys, cloud credentials and browser secrets, and exfiltrates them through attacker-controlled public GitHub repositories. Persistence is a Python backdoor that polls GitHub for signed commands containing specific trigger strings, giving the operator remote code execution on the host. Infrastructure overlap and operational patterns support attribution to TeamPCP with moderate confidence.
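As an added triage example, written for this page and not tooling from AlienVault or from any TeamPCP analysis, the following Python scans a checkout and a host for the components and indicators the pulse names: @antv packages in a package-lock.json, the actions-cool/issues-helper action in a workflow file, the nrwl.angular-console extension directory, the SHA-256 file hash, and the m-kosche.com domain in proxy log lines. The sample lockfile, workflow, extension listing and log lines are constructed; the lockfile layout follows npm's lockfileVersion 2/3 `packages` map, and the VS Code extension directory naming (`<publisher>.<name>-<version>`) is assumed. The pulse publishes no affected version ranges, no trigger strings and no repository names for the orphaned commits, so the scan covers only what is listed and every hit is a lead for manual review, not a verdict.

```python
# Added triage scan for this pulse's indicators (not AlienVault/TeamPCP-analysis code).
# Component names, hash and domain are from the pulse; file layouts and samples are assumed.
import hashlib
import json
import re

# No affected versions are published, so a hit on the @antv scope is a lead, not proof.
NPM_SCOPE = "@antv/"
GH_ACTION = "actions-cool/issues-helper"
VSCODE_EXT = "nrwl.angular-console"
SHA256_IOCS = {"fb5c97557230a27460fdab01fafcfabeaa49590bafd5b6ef30501aa9e0a51142"}
DOMAIN_IOC = "m-kosche.com"


def scan_lockfile(lock_text: str) -> list[str]:
    """Return @antv package names from a package-lock.json: the v2/v3 'packages'
    map (keys like 'node_modules/@antv/g2', possibly nested) and the v1 'dependencies' map."""
    data = json.loads(lock_text)
    hits = set()
    for key in data.get("packages", {}):
        name = key.rsplit("node_modules/", 1)[-1]  # strip the install path prefix
        if name.startswith(NPM_SCOPE):
            hits.add(name)
    for name in data.get("dependencies", {}):
        if name.startswith(NPM_SCOPE):
            hits.add(name)
    return sorted(hits)


_USES_RE = re.compile(r"uses:\s*['\"]?(" + re.escape(GH_ACTION) + r"@[^\s'\"]+)")


def scan_workflow(yaml_text: str) -> list[str]:
    """Return each 'uses:' reference to the action, keeping the ref it pinned (tag, branch or SHA)."""
    return _USES_RE.findall(yaml_text)


def scan_extensions(ext_dirs: list[str]) -> list[str]:
    """Return extension directories for the named extension (assumed <publisher>.<name>-<version>)."""
    prefix = VSCODE_EXT.lower() + "-"
    return [d for d in ext_dirs if d.lower().startswith(prefix)]


def hash_matches(blob: bytes) -> bool:
    """True when the blob's SHA-256 is one of the pulse's file hashes."""
    return hashlib.sha256(blob).hexdigest() in SHA256_IOCS


# Match the domain or any subdomain, with boundaries so 'notm-kosche.com' is not a hit.
_DOMAIN_RE = re.compile(
    r"(?:^|[^a-z0-9-])(?:[a-z0-9-]+\.)*" + re.escape(DOMAIN_IOC) + r"(?![a-z0-9.-])",
    re.IGNORECASE,
)


def scan_proxy_log(lines: list[str]) -> list[str]:
    """Return log lines that name the IOC domain or one of its subdomains."""
    return [ln for ln in lines if _DOMAIN_RE.search(ln)]


# Constructed samples standing in for a real checkout, extension list and proxy log.
SAMPLE_LOCK = json.dumps({
    "name": "app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "app"},
        "node_modules/@antv/g2": {"version": "5.1.0"},
        "node_modules/lodash": {"version": "4.17.21"},
        "node_modules/foo/node_modules/@antv/util": {"version": "3.3.0"},
    },
})
SAMPLE_WORKFLOW = """\
name: issues
on: [issues]
jobs:
  helper:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions-cool/issues-helper@v3
"""
SAMPLE_EXT_DIRS = ["ms-python.python-2024.4.1", "nrwl.angular-console-18.0.0"]
SAMPLE_PROXY = [
    "2026-05-20T10:00:01Z 10.1.2.3 CONNECT m-kosche.com:443",
    "2026-05-20T10:00:03Z 10.1.2.4 CONNECT cdn.m-kosche.com:443",
    "2026-05-20T10:00:04Z 10.1.2.5 CONNECT notm-kosche.com:443",
]


def triage() -> dict:
    """Run every check over the constructed samples and return the findings."""
    return {
        "npm": scan_lockfile(SAMPLE_LOCK),
        "actions": scan_workflow(SAMPLE_WORKFLOW),
        "vscode": scan_extensions(SAMPLE_EXT_DIRS),
        "hash": hash_matches(b"placeholder bytes, not the real artefact"),
        "proxy": scan_proxy_log(SAMPLE_PROXY),
    }


if __name__ == "__main__":
    for check, result in triage().items():
        print(f"{check}: {result}")
```

Run it against real inputs by feeding `scan_lockfile` the contents of each package-lock.json in your repositories, `scan_workflow` every file under .github/workflows, `scan_extensions` a listing of ~/.vscode/extensions, and `scan_proxy_log` egress logs covering the campaign window. Any hit on the action or the extension should be followed by rotating the GitHub tokens, SSH keys and cloud credentials that were reachable from that host, since those are what the pulse says the malware harvests.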
Indicators of Compromise (4)

TYPE             INDICATOR                                                          CREATED
FileHash-MD5     b06b126b9e26af03a7ef2f8b8e90d446                                   2026-05-19
FileHash-SHA1    783b4019fc5b942a29846132d28441c8fc31bed8                           2026-05-19
FileHash-SHA256  fb5c97557230a27460fdab01fafcfabeaa49590bafd5b6ef30501aa9e0a51142   2026-05-19
domain           m-kosche.com                                                       2026-05-19

The pulse gives no description for any of the four indicators.