TeamPCP and BreachForums Hackers Running $1,000 Contest for Supply

The cybercrime underworld is turning open-source supply chain attacks into a twisted competition.

After months of infiltrating security tools and CI/CD pipelines, the notorious hacking group TeamPCP has partnered with BreachForums to launch a disturbing new contest.

The objective is to compile as many open-source packages as possible. The prize, however, is a surprisingly small payout of $1,000 in Monero cryptocurrency.

According to dark web threat intelligence, the contest requires participants to deploy an open-source attack tool called “Shai-Hulud.”

Hackers must submit their forum handles and provide proof of access to qualify.

Winners are determined by the weekly and monthly download counts of the packages they infect.

By allowing attackers to combine the download counts of multiple smaller packages, the scoring system actively encourages reckless, worm-like attacks that spread indiscriminately across the software ecosystem.

Hackers Launch Supply Chain Contest

While the threat to the supply chain is severe, the $1,000 reward is comically low for the damage being done.

Successful supply chain attacks expose highly valuable assets, including CI/CD secrets, cloud credentials, developer tokens, and enterprise source code.

To skilled cybercriminals, this level of access is worth vastly more than a thousand dollars. Security experts view this contest as a strategic public recruitment stunt.

It is designed to lure lower-tier hackers who are willing to burn valuable access simply for reputation and bragging rights on cybercrime forums.

By crowdsourcing these attacks, TeamPCP is effectively tricking novice hackers into doing the heavy lifting. At the same time, they reap the broader rewards of the compromised infrastructure.

TeamPCP has a well-documented history of targeting critical infrastructure, GitHub Actions, Docker images, and package managers like npm and PyPI.

They specialize in breaching tools that already hold privileged access, allowing them to harvest credentials for secondary attacks.

According to Socket Research, the group recently partnered with the ransomware syndicate Vect, with its credential theft operations already impacting AI firms, government cloud services, manufacturing, and enterprise technology.

By releasing Shai-Hulud as an open-source tool, TeamPCP is extending its access-broker pipeline outward.

A $1,000 prize might not attract elite threat actors. However, for overworked maintainers and enterprise security teams, the resulting wave of copycat attacks adds a dangerous new layer of risk to the open-source ecosystem.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.