TeamPCP and BreachForums Launch $1,000 Contest for Supply Chain Attacks

A cybercrime operation is turning software supply chain attacks into a public competition. TeamPCP, in collaboration with BreachForums operators, has launched a $1,000 contest that rewards hackers for compromising open-source packages, and the implications stretch far beyond the prize money.

The campaign, first highlighted by Dark Web Informer, was announced on BreachForums by an account believed to be the forum’s owner.

Participants must use a tool called “Shai-Hulud” to compromise open-source packages and submit proof of access alongside their forum identity.

The winner receives $1,000 in Monero, plus reputation points and community recognition within the cybercrime ecosystem.

Collaboration with TeamPCP (Source: Dark Web).

What makes the contest particularly dangerous is its scoring model. Points are awarded based on weekly and monthly download counts of compromised packages, meaning widely used libraries earn the highest scores.

However, attackers can also stack multiple smaller compromises to boost their totals. This dual incentive pushes participants toward both targeted and indiscriminate attacks, blanketing open-source ecosystems rather than focusing on individual high-value targets.

Security researchers warn that this behavior mirrors worm-like propagation, where malicious code spreads aggressively across multiple entry points to maximize reach.

Rather than precision strikes, the contest actively promotes widespread, opportunistic infections across npm, PyPI, GitHub Actions, Docker images, and OpenVSX extensions, all platforms that TeamPCP has already been documented targeting.

Hackers Launch $1K Supply Chain Attack Contest

TeamPCP has released the Shai-Hulud attack tool as open-source malware, hosted on BreachForums infrastructure.

A copy briefly surfaced on GitHub before being removed, according to users monitoring the repository on X.

By making the tooling publicly available, the group has effectively lowered the skill threshold for participating in supply chain attacks.

The rule rewards a worm that devours indiscriminately (Source: Dark Web).

Capabilities that previously required advanced expertise are now accessible to less experienced actors.

Analysts believe the contest is less about the $1,000 reward and more about recruitment and visibility.

A successful supply chain compromise can expose CI/CD pipeline secrets, cloud credentials, maintainer tokens, source code repositories, and enterprise environments. That access can be monetized far beyond four figures, particularly when sold to ransomware groups or access brokers.

The contest appears to extend an existing credential-harvesting pipeline. Previous campaigns attributed to TeamPCP have reportedly impacted AI development, manufacturing, financial services, and government cloud platforms.

There are also overlapping claims involving groups like Vect, ShinyHunters, and Lapsus$, complicating attribution even when attacks trace back to similar supply chain compromises.

By offering a public leaderboard and forum status, TeamPCP is attracting lower-tier actors willing to trade high-value access for recognition, dramatically increasing the volume of reckless attacks hitting open-source maintainers and security teams.

For organizations dependent on open-source software, this development intensifies an already serious threat landscape. TeamPCP isn’t just exploiting existing vulnerabilities; it is actively recruiting a new wave of attackers and gamifying the destruction of software supply chain trust.

The post TeamPCP and BreachForums Launch $1,000 Contest for Supply Chain Attacks appeared first on Cyber Security News.
