Breaking News: TeamPCP has gone open source — and the copycats are already here. The group behind Shai-Hulud has leaked their own malware code to GitHub, and independent threat actors have already begun modifying it and expanding its reach. OX Security is actively tracking this as it unfolds.
TeamPCP has escalated. The group behind Shai-Hulud is now spreading not just their malware, but their own source code, using what appear to be compromised GitHub accounts.
Currently 2 repositories are active, but that number is growing as infections spread.
New repositories can be monitored in real time using this link. Search GitHub for “A Gift From TeamPCP.”
The repository isn’t just source code; it’s a full instruction manual. TeamPCP’s main page walks anyone through exactly how to deploy the malware.
The commit history raises immediate flags. Every commit is dated January 1, 2099 – a deliberate obfuscation technique – with no identifying details beyond the handles TeamPCP_OSS and TeamPCP.
TeamPCP isn’t just hiding their tracks — they’re hiding them in the future.
All commits carry that same future-dated timestamp. But the trail doesn’t end there. A forked version of the repository shows additional code contributed by an account called “agwagwagwa.”
This account contains a name with two letters in Hebrew, an Anthropic refusal string, and other unrelated stuff next to the Shai Hulud fork.
Three GitHub accounts have been identified as potentially affiliated with the newly public Shai-Hulud code:
- agwagwagwa
- headdirt
- tmechen
Whether these are TeamPCP members or independent actors who spotted an opportunity, it’s too early to say. But all three are worth watching.
agwagwagwa has already submitted a pull request adding FreeBSD support, expanding the malware’s potential reach.
Why do we think they are affiliated with TeamPCP? Well… cats.
TeamPCP’s theme is cats, and agwagwagwa’s GitHub account has a “meow!” repository inside. Does this mean they are part of the group? We can’t know for sure, but it is very, very suspicious.
The repository also contains what’s known as an “Anthropic Magic String” – a string of text designed to prevent Claude Code from analyzing the profile. Someone doesn’t want AI eyes on their work.
tmechen’s profile picture is a… cat too. But there’s no other relevant malicious activity relating him to the group.
headdirt’s account is private.
By analyzing the malware’s source code, the same patterns from previous Shai-Hulud attacks are immediately recognizable, as expected. This includes uploading stolen credentials to a new GitHub repository.
Sending the information to a predefined C2 server.
Exfiltrating secrets, credentials, crypto wallets, accounts and more.
And we even found code directly targeting Claude Code configurations, by adding hooks to execute the malware when Claude starts.
TeamPCP isn’t just spreading malware anymore – they’re spreading capability. By going open source, they’ve handed any willing actor the tools to build their own variant. The copycats are already here.
