May 2026: TeamPCP’s Supply Chain Blitz Hits Checkmarx, GitHub, and npm
May 2026 was defined by two threat actors operating at full intensity in parallel. ShinyHunters executed a major education-sector attack, exploiting a low-friction account program to breach Instructure’s Canvas platform, defacing login portals at hundreds of universities, and ultimately forcing a settlement. A separate vishing campaign continued the group’s months-long Salesforce extortion pattern, this time hitting Charter Communications. Meanwhile, TeamPCP maintained the supply chain pressure it had been building since March, backdooring the Checkmarx Jenkins plugin through credentials retained from earlier compromises, then executing a same-day double strike on May 19 that hit GitHub’s internal repositories and flooded npm with 639 malicious packages.
ShinyHunters Exploited Canvas Free Teacher Accounts to Breach 275 Million Records Across 9,000 Schools
Instructure confirmed unauthorized access to its Canvas Learning Management System on May 1, 2026, after detecting suspicious activity on April 29. ShinyHunters claimed responsibility on May 3, set a May 7 ransom deadline extended to May 12, and alleged exfiltration of 3.65 terabytes covering roughly 275 million records across approximately 9,000 institutions.
The entry point was the Free-For-Teacher account program, a low-friction sign-up path with no institutional verification that shared infrastructure with paid institutional deployments. Exposure ran from April 30 to May 7. Confirmed data included names, email addresses, student IDs, and some private messages between students and teachers. Passwords, financial data, and government identifiers were not involved.
When Instructure pushed a patch rather than engaging, ShinyHunters defaced login portals at roughly 330 institutions. Instructure took the platform offline on May 7, restored it the following day, and permanently shut down the Free-For-Teacher program.
On May 11 the company apologized for a lack of transparency and confirmed a settlement with the attackers, claiming the stolen data was destroyed. This was the second ShinyHunters attack against Instructure in under a year.
ShinyHunters Claimed 42 Million Charter Records After Salesforce Vishing Attack
Charter Communications confirmed a cybersecurity incident in late May 2026 after ShinyHunters posted an alleged 42 million Charter records to its Dark Web leak site on May 28, following failed ransom negotiations. Have I Been Pwned identified 4.9 million unique email addresses in the exposed dataset.
ShinyHunters claimed the intrusion began with a vishing call that yielded a Microsoft Entra account, used to pivot into Charter’s Salesforce environment. Claimed stolen data included names, email addresses, physical addresses, phone numbers, plan information, support ticket contents, and some Customer Proprietary Network Information. Charter disputed the CPNI claim, stating no sensitive personal information or CPNI was exfiltrated. Roughly 85,000 records appear to have come from an internal employee directory, explaining the presence of job titles in the leak. Kemper Corporation was added to Have I Been Pwned around the same time in connection with the same ShinyHunters Salesforce campaign, suggesting Charter was one of several concurrent targets.

Threat actor card of ShinyHunters
ShinyHunters’ campaign has now swept through healthcare, education, telecom, and consumer services across consecutive months, with a consistent playbook of vishing or credential abuse, cloud platform extraction, and public release when negotiations fail. Tracking which organizations are under active pressure, which have been listed, and where stolen data has been distributed requires continuous monitoring rather than point-in-time checks. SOCRadar’s Dark Web Monitoring surfaces threat actor activity across leak sites and forums in real time, while the Cyber Threat Intelligence module maintains up-to-date profiles on ShinyHunters’ infrastructure, methods, and current targeting patterns.
TeamPCP Backdoored Checkmarx Jenkins Plugin Using Credentials Retained From March Trivy Breach
On May 9, 2026, a tampered version of the Checkmarx Jenkins AST plugin labeled 2026.5.09 was published through the official Jenkins plugin update center. Checkmarx confirmed the compromise on May 11. The attack used credentials first obtained during the March 2026 Trivy supply chain breach, which gave TeamPCP standing access to Checkmarx’s GitHub environment. TeamPCP also renamed Checkmarx’s primary GitHub repository as a taunt referencing the company’s repeated failure to rotate secrets.
The malicious plugin, assigned CVE-2026-33634 with a CVSS score of 9.4, harvested GitHub tokens, cloud credentials across AWS, GCP, and Azure, Kubernetes configuration files, SSH keys, and API keys from any Jenkins controller or agent that pulled the update. Checkmarx released a patched version and advised users of 2026.5.09 to treat their environments as compromised and rotate all secrets. In practice that means every credential the affected Jenkins instance could reach, not only the ones stored in the Jenkins credentials store: a CI plugin runs with the same access as the build jobs it serves. This was the third distinct supply chain compromise targeting Checkmarx tooling in six weeks, following the March KICS and GitHub Actions incidents and the April LAPSUS$ data leak, pointing to a persistent access path that earlier remediations had not fully closed.
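A first triage step for the plugin compromise described above is to confirm which version of the plugin each Jenkins controller actually has installed. The script below is an added example, not Checkmarx or Jenkins project code. It parses the META-INF/MANIFEST.MF that every installed Jenkins plugin carries under $JENKINS_HOME/plugins/<short-name>/ and flags entries whose Plugin-Version matches the tampered release. The plugin short name checkmarx-ast-scanner, the sample manifests, and the second plugin's version are assumptions constructed for the example; only the 2026.5.09 version string comes from the advisory.

```python
"""Flag Jenkins plugins whose installed version matches a known-tampered release.

Added example (not Checkmarx or Jenkins project code). It parses the
META-INF/MANIFEST.MF of each installed plugin. The short name
"checkmarx-ast-scanner" is an assumption; verify it against the plugin
actually deployed in your environment.
"""
from pathlib import Path

# Known-bad releases keyed by plugin short name (short name assumed).
TAINTED = {"checkmarx-ast-scanner": {"2026.5.09"}}


def parse_manifest(text: str) -> dict[str, str]:
    """Parse a JAR MANIFEST.MF into a dict. Per the JAR spec, a line that
    begins with a single space continues the previous header's value."""
    headers: dict[str, str] = {}
    last_key = None
    for raw in text.splitlines():
        if not raw.strip():
            last_key = None
            continue
        if raw.startswith(" ") and last_key:
            headers[last_key] += raw[1:]
            continue
        key, sep, value = raw.partition(":")
        if not sep:
            continue
        last_key = key.strip()
        headers[last_key] = value.strip()
    return headers


def tainted_plugins(manifests: dict[str, str]) -> list[tuple[str, str]]:
    """Given {label: manifest_text}, return (short_name, version) pairs whose
    installed version is listed in TAINTED. Jenkins appends " (private-...)"
    to locally built plugins, so only the first token is compared."""
    hits = []
    for _label, text in manifests.items():
        h = parse_manifest(text)
        name = h.get("Short-Name", "")
        version = h.get("Plugin-Version", "").split(" ")[0]
        if version in TAINTED.get(name, set()):
            hits.append((name, version))
    return hits


def load_from_jenkins_home(jenkins_home: str) -> dict[str, str]:
    """Read every plugin manifest under an exploded JENKINS_HOME/plugins tree."""
    root = Path(jenkins_home) / "plugins"
    return {str(p): p.read_text(errors="replace")
            for p in root.glob("*/META-INF/MANIFEST.MF")}


# Constructed manifests standing in for two installed plugins.
SAMPLE = {
    "plugins/checkmarx-ast-scanner/META-INF/MANIFEST.MF": (
        "Manifest-Version: 1.0\n"
        "Short-Name: checkmarx-ast-scanner\n"
        "Long-Name: Checkmarx AST Scanner\n"
        "Plugin-Version: 2026.5.09\n"
        "Plugin-Dependencies: credentials:1337.v60b_d7b_c7b_c9f,workflow-step-api:\n"
        " 657.v03b_e8115821b_\n"
    ),
    "plugins/git/META-INF/MANIFEST.MF": (
        "Manifest-Version: 1.0\n"
        "Short-Name: git\n"
        "Plugin-Version: 5.2.2\n"
    ),
}

if __name__ == "__main__":
    for name, version in tainted_plugins(SAMPLE):
        print(f"TAINTED {name} {version}: rotate every secret reachable from this controller")
```

To run it against a real controller, replace SAMPLE with load_from_jenkins_home("/var/lib/jenkins") or wherever JENKINS_HOME lives; a hit on any controller should trigger the full rotation the advisory calls for, since the plugin ran with the controller's access.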

Threat actor card of TeamPCP
TeamPCP Breached 3,800 GitHub Internal Repositories Through Poisoned Nx Console Extension
GitHub confirmed on May 20, 2026, that a malicious version of the Nx Console VS Code extension, a widely used developer tool with approximately 2.2 million installs and verified publisher status, had been installed on an employee’s device. The poisoned version was live on the Visual Studio Marketplace for just 18 minutes on May 18, between 12:30 and 12:48 UTC, and that window was enough for at least one GitHub employee to install it.
The payload harvested credentials from 1Password vaults, npm and GitHub tokens, AWS credentials, and Anthropic Claude Code configurations, which TeamPCP used to clone roughly 3,800 internal GitHub repositories and list the stolen contents on the Breached forum for $50,000. GitHub isolated the affected endpoint, removed the extension, and rotated credentials within hours. The company found no evidence of impact to customer data or enterprise accounts.
CISA added CVE-2026-48027, tied to the Nx Console compromise, to its Known Exploited Vulnerabilities catalog on May 27. On the same day, researchers independently identified that TeamPCP had also compromised Microsoft’s durabletask Python SDK on PyPI, underscoring the group’s simultaneous operational tempo.

Details of CVE-2026-48027 (SOCRadar Vulnerability Intelligence)
TeamPCP Flooded npm with 639 Malicious Package Versions in One Hour via Mini Shai-Hulud Worm
On May 19, 2026, TeamPCP published 639 compromised package versions across 323 unique npm packages in roughly one hour as part of a new Mini Shai-Hulud wave. Most of the activity targeted the @antv data visualization ecosystem, which collectively accounts for approximately 16 million weekly downloads. Security firm Socket flagged most packages within 6 to 12 minutes of publication.
The attack began with a compromised npm maintainer account. The embedded payload swept over 130 file patterns for developer secrets, including GitHub tokens, npm credentials, AWS, GCP, and Kubernetes configurations, SSH keys, and database credentials, and exfiltrated them over the Session P2P network to hinder detection and takedown. Because Session routes traffic through a decentralized network rather than a fixed command-and-control host, there is no single domain to block; default-deny egress on build hosts and alerts on reads of credential files are the controls that actually catch this stage.

Mini Shai-Hulud @antv npm attack flow (Microsoft)
The worm also abused stolen GitHub tokens to commit encrypted stolen data to repositories created under victims’ own accounts, with over 2,700 such repositories identified. It further used stolen npm publishing credentials to self-propagate by injecting its payload into additional packages and republishing them under compromised maintainer identities. The Shai-Hulud campaign has been active since September 2025, with the total count of compromised package artifacts tracked by researchers now exceeding 1,000.
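The two paragraphs above describe how the worm enters a project (a poisoned package version in a watched scope) and what it does on install (harvest secrets, republish itself). The script below is an added example, not Socket, Microsoft or npm project code. It reads the "packages" map of a lockfileVersion 2 or 3 package-lock.json, lists every dependency under a watched scope such as @antv so it can be compared against the published advisories, and lists every package npm has marked with hasInstallScript, the flag npm sets on entries that declare preinstall, install or postinstall scripts. The package versions, the install-script flag on the @antv entry, and the .npmrc contents are constructed for the example and are not the versions TeamPCP published.

```python
"""Triage an npm lockfile for packages in a watched scope and for packages
that run install-time scripts.

Added example (not Socket, Microsoft or npm project code). Reads the
"packages" map of a lockfileVersion 2 or 3 package-lock.json. npm sets
"hasInstallScript": true on entries that declare preinstall, install or
postinstall scripts. The sample lockfile below is constructed.
"""
import json

WATCHED_SCOPES = {"@antv"}


def _name_from_path(path: str) -> str:
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (nested installs)."""
    return path.rsplit("node_modules/", 1)[-1]


def triage_lockfile(lock: dict, scopes=WATCHED_SCOPES) -> dict:
    """Return {'in_scope': [(name, version)], 'install_scripts': [(name, version)]}."""
    packages = lock.get("packages", {})
    if lock.get("lockfileVersion", 1) < 2 or not packages:
        raise ValueError("need lockfileVersion 2 or 3 with a 'packages' map")
    in_scope, install_scripts = [], []
    for path, entry in packages.items():
        if not path:  # "" is the root project entry, not a dependency
            continue
        name = _name_from_path(path)
        version = entry.get("version", "?")
        scope = name.split("/")[0] if name.startswith("@") else ""
        if scope in scopes:
            in_scope.append((name, version))
        if entry.get("hasInstallScript"):
            install_scripts.append((name, version))
    return {"in_scope": sorted(set(in_scope)),
            "install_scripts": sorted(set(install_scripts))}


def scripts_disabled(npmrc_text: str) -> bool:
    """True if the .npmrc turns lifecycle scripts off for every install,
    which stops a worm payload in an install hook from running at all."""
    for line in npmrc_text.splitlines():
        k, _, v = line.partition("=")
        if k.strip() == "ignore-scripts" and v.strip().lower() == "true":
            return True
    return False


# Constructed lockfile: one @antv package marked as running install scripts
# to simulate a worm-injected version; esbuild genuinely ships a postinstall.
SAMPLE_LOCK = json.loads("""{
  "name": "dashboard", "lockfileVersion": 3,
  "packages": {
    "": {"name": "dashboard", "dependencies": {"@antv/g2": "^5.0.0", "lodash": "^4.17.21"}},
    "node_modules/@antv/g2": {"version": "5.3.0", "hasInstallScript": true,
                               "dependencies": {"@antv/util": "^3.0.0"}},
    "node_modules/@antv/util": {"version": "3.3.5"},
    "node_modules/lodash": {"version": "4.17.21"},
    "node_modules/esbuild": {"version": "0.21.0", "hasInstallScript": true}
  }
}""")

SAMPLE_NPMRC = "registry=https://registry.npmjs.org/\nignore-scripts=true\n"

if __name__ == "__main__":
    report = triage_lockfile(SAMPLE_LOCK)
    for name, version in report["in_scope"]:
        print("watched scope:", name, version)
    for name, version in report["install_scripts"]:
        print("runs install scripts:", name, version)
    print("lifecycle scripts disabled:", scripts_disabled(SAMPLE_NPMRC))
```

On a real repository, load package-lock.json with json.load and pass it in; a new entry in the install_scripts list for a package that never needed one before is the kind of change worth blocking in CI review, and setting ignore-scripts=true in the project .npmrc (or running npm ci --ignore-scripts) means a poisoned version that relies on an install hook does nothing even if it lands in the lockfile.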
Monitor Your Exposure with SOCRadar XTI
The incidents that defined May 2026 did not stay confined to their initial victims. ShinyHunters published millions of records across Dark Web channels. TeamPCP’s stolen CI/CD credentials continue enabling follow-on compromises months after initial exfiltration. And Shai-Hulud’s self-propagating design means secrets stolen from one developer environment can surface as access credentials elsewhere long after the original package was patched.
SOCRadar XTI brings together multiple modules that directly address this month’s incidents, such as:
- Dark Web Monitoring: Watches leak sites, paste channels, and criminal forums around the clock for exposed credentials, stolen data, threat actor mentions, and leaked source code.

SOCRadar’s Dark Web Monitoring, Black Markets
- Cyber Threat Intelligence: Maintains continuously updated profiles on groups like ShinyHunters, TeamPCP, and LAPSUS$, covering their current TTPs, active infrastructure, and targeting patterns.
- Supply Chain Intelligence: Tracks exposure risks across your third-party developer ecosystem before a compromised plugin or poisoned package becomes your incident.
With SOCRadar XTI modules, your security team stops reacting to breach disclosures and starts intercepting threats before they reach the headline stage.
