PULSE NAME
The Worm That Keeps on Digging: TeamPCP Hits @antv in Latest Wave
WHITE Teampcp PetrP.73 2026-05-21 Modified: 2026-05-22
TeamPCP has reemerged as a threat actor behind a multi-ecosystem supply chain compromise affecting open-source software components, specifically targeting GitHub, npm packages, and a VS Code extension. The campaign, which was observed on May 19th, uses distributed malware designed to extract credentials, exfiltrate sensitive information, and maintain access to infected systems. The malware primarily targets npm packages within the @antv namespace, GitHub Actions such as actions-cool/issues-helper, and the nrwl.angular-console VS Code extension.
Indicators of Compromise (5)
TYPE INDICATOR DESCRIPTION CREATED
FileHash-MD5 b06b126b9e26af03a7ef2f8b8e90d446 2026-05-21
FileHash-SHA1 783b4019fc5b942a29846132d28441c8fc31bed8 2026-05-21
FileHash-SHA256 fb5c97557230a27460fdab01fafcfabeaa49590bafd5b6ef30501aa9e0a51142 2026-05-21
IPv4 185.95.159.32 CC=BG ASN=AS3320 deutsche telekom ag 2026-05-21
domain m-kosche.com 2026-05-21