TeamPCP Supply Chain Campaign

hackerbot-claw is an automated penetration testing bot that scans GitHub for vulnerable projects—its user agent and behavioral patterns differ from the main attacker. MegaGame10418 is the actor who exploited the February 27 PwnRequest, exfiltrating the aqua-bot PAT. Aqua's official post-mortem confirms: "The user agent and behavioral patterns of hackerbot-claw are different than the other events inspected."

The imposter commits (1885610c, 70379aad) never merged into main. They exist in GitHub's object store due to cross-fork object sharing. The attack worked because a malicious tag (v0.69.4) was pushed that referenced these orphan commits—triggering CI/CD builds without any merge or review.

GhostClaw is a separate campaign with different TTPs and IOCs. TeamPCP uses tag hijacking and CI/CD exploitation; GhostClaw uses npm typosquatting and AI workflow hooks. Different infrastructure (registrars, C2 patterns), more social engineering-focused payloads (fake CLI installers with progress bars), and different persistence mechanisms (shell hooks, cron jobs vs. GitHub Actions). No shared IOCs or attribution overlap identified.

TeamPCP's campaigns were inspired by and named after the Dune-themed Shai-Hulud malware, but they are distinct operations. The original Shai-Hulud worm preceded TeamPCP's activity. TeamPCP adopted the branding ("Mini Shai-Hulud") for their own campaigns, creating attribution confusion.

The "Claude Code source leak" was not a TeamPCP operation. It resulted from a bundling mistake where JavaScript source was inadvertently included in a release. This was a build/packaging error, not a supply chain attack or breach.

TeamPCP did not forge or cryptographically bypass SLSA attestations. They achieved RCE within the release pipeline itself (via cache poisoning and pull_request_target exploitation), meaning the attestations were legitimately generated for malicious code. The build system was compromised, not the attestation cryptography. Additionally, this attack vector was already documented—see slsa-framework/slsa#1235 (Nov 2024).

No shared infrastructure or hard evidence links Megalodon to TeamPCP. Some theorized Megalodon could have been the source of stolen credentials used in TeamPCP attacks, but infostealer logs as a credential source is a competing—and more plausible—explanation.

A PureHVNC campaign was briefly misattributed to TeamPCP based on superficial similarities. OpenSourceMalware's analysis found the overlap limited to generic malware behaviors shared by thousands of campaigns. Strong negative indicators—no shared cryptographic keys, no infrastructure overlap, no supply chain delivery, no shared tooling, no TeamPCP branding—make attribution untenable. Most likely a commodity cybercrime operator who purchased PureHVNC and customized delivery with a bespoke PowerShell loader.

The ru_* locale exit condition is a common malware trope, not a reliable attribution indicator. Antiy Labs analysis offers a good breakdown of how TeamPCP deliberately mixes contradictory geopolitical markers: Russian folklore vocabulary with English anomalies ("RICHARD", "FIREBIRD"), Iranian/Israeli targeting in the same function, and destructive "roulette" logic that contradicts their profit motive. This is deliberate false-flag pollution, not authentic origin markers.