Contextualize Prioritize and ACT ON RISK
Login
Get Access
Demo

blog

Phoenix Security – August Release – 3.29. Private version

Phoenix Security Private release 3.29 cover
This content is password protected. To view it please enter your password below:

Picture of Rowan Scott

Rowan Scott

Rowan supports customers throughout their journey at Phoenix Security, ensuring smooth onboarding, responsive support, and lasting success. With a background in a Mathematics and Data Science degree, he combines analytical insight with clear communication to bridge technical solutions and customer needs. He first joined Phoenix Security as an intern, where he documented use cases and built knowledge base content — experience that laid the foundation for his current role driving customer satisfaction and success.
14th August 2025
Rowan supports customers throughout their journey at Phoenix Security, ensuring smooth onboarding, responsive support, and lasting success. With a background in a Mathematics and Data Science degree, he combines analytical insight with clear communication to bridge technical solutions and customer needs. He first joined Phoenix Security as an intern, where he documented use cases and built knowledge base content — experience that laid the foundation for his current role driving customer satisfaction and success.

Discuss this blog with our community on Slack

Join our AppSec Phoenix community on Slack to discuss this blog and other news with our professional security team

Join Slack community
Linkedin-in Youtube Facebook-f Twitter Instagram

From our Blog

devsecops, ASPM, vulnerability management, application security, exposure management, reachability analysis, attack surface management, npm supply chain, account takeover, TeamPCP, Mini Shai-Hulud, atool, AntV, jest-canvas-mock, echarts-for-react, Runner.Worker memory scraping, zero-CVE supply chain, CI/CD credential theft, bun runtime, t.m-kosche.com, SBOM
  • 20th May 2026

GitHub Internal Repository Breach via Poisoned VS Code Extension (May 2026): TeamPCP Exfiltrates 3,800 Repos Through the Developer Trust Surface

TeamPCP (UNC6780) breached GitHub’s internal infrastructure on May 19–20, 2026 through a poisoned VS Code extension that ran silently on a developer’s endpoint and exfiltrated approximately 3,800 internal repositories. The attack produced no CVE. Standard CVE-feed scanners, SCA tools, and signed-provenance checks all missed it. This is exactly the zero-CVE developer trust surface gap Phoenix Blue Intelligence and Phoenix Blue Shield are built to close.
Francesco Cipollone
devsecops, ASPM, vulnerability management, application security, exposure management, reachability analysis, attack surface management, npm supply chain, account takeover, TeamPCP, Mini Shai-Hulud, atool, AntV, jest-canvas-mock, echarts-for-react, Runner.Worker memory scraping, zero-CVE supply chain, CI/CD credential theft, bun runtime, t.m-kosche.com, SBOM
  • 20th May 2026

TeamPCP Wave Four: GitHub Breach via Poisoned VS Code Extension, durabletask PyPI Worm, and ~4,000 Internal Repositories Exfiltrated

TeamPCP’s Mini Shai-Hulud worm hit GitHub and PyPI simultaneously on May 19–20, 2026. Three backdoored versions of durabletask — Microsoft’s Azure Python SDK with 417,000 monthly downloads — were published and yanked within hours. A poisoned VS Code extension on a GitHub employee device led to the exfiltration of ~3,800 internal repositories, now listed for sale at $50,000. Zero CVEs exist across the entire nine-week campaign. Traditional scanners have no record of any of it.
Francesco Cipollone
devsecops, ASPM, application security, vulnerability management, exposure management, reachability analysis, attack surface management, supply chain attack, npm malware, PyPI malware, TanStack supply chain attack, OpenAI Mini Shai-Hulud, Mistral AI compromise, TeamPCP, FIRESCALE, BreachForums contest, Shai-Hulud, Mini Shai-Hulud, Phantom Bot, npm typosquatting, infostealer, zero-CVE gap, malicious npm packages, supply chain copycat, code-signing certificate rotation, PHX-Neural, behavioral package scanning, nicegui PyPI
  • 18th May 2026

Mini Shai-Hulud Copycats and the TanStack Wave: OpenAI Hit, Mistral Extorted, and Four Copycat npm Packages Hit the Registry

OpenAI has disclosed two employee devices were compromised in the May 11, 2026 Mini Shai-Hulud TanStack supply chain attack, with internal source code repositories accessed and iOS, macOS, and Windows code-signing certificates rotated. Mistral AI confirmed one developer device was hit and is facing a $25,000 TeamPCP extortion demand for an alleged 5 GB source code leak. Days later, TeamPCP launched a $1,000 Monero “supply chain attack contest” on BreachForums with the Shai-Hulud worm source code attached, and OX Security disclosed the first observed copycat campaign from a new actor publishing four malicious npm packages. Phoenix Security’s PHX-Neural scanner has independently flagged a 174,659-weekly-download PyPI package (nicegui 3.12.0) with a 100/100 behavioral score and full Shai-Hulud-aligned ATT&CK coverage. This article covers the upstream TanStack wave, the named victim disclosures, the TeamPCP infrastructure aging analysis, the technical breakdown of the four copycat packages, and the PHX-Neural behavioral evidence on the adjacent PyPI signal.
Francesco Cipollone

3 critical zero-days. 1 exploit chain. Claude Code. Phoenix Security found what Anthropic missed →

Derek

Derek Fisher

Linkedin

Head of product security at a global fintech

Derek Fisher – Head of product security at a global fintech. Speaker, instructor, and author in application security.

Derek is an award winning author of a children’s book series in cybersecurity as well as the author of “The Application Security Handbook.” He is a university instructor at Temple University where he teaches software development security to undergraduate and graduate students. He is a speaker on topics in the cybersecurity space and has led teams, large and small, at organizations in the healthcare and financial industries. He has built and matured information security teams as well as implemented organizational information security strategies to reduce the organizations risk.

Derek got his start in the hardware engineering space where he learned about designing circuits and building assemblies for commercial and military applications. He later pursued a computer science degree in order to advance a career in software development. This is where Derek was introduced to cybersecurity and soon caught the bug. He found a mentor to help him grow in cybersecurity and then pursued a graduate degree in the subject.

Since then Derek has worked in the product security space as an architect and leader. He has led teams to deliver more secure software in organizations from multiple industries. His focus has been to raise the security awareness of the engineering organization while maintaining a practice of secure code development, delivery, and operations.

In his role, Jeevan handles a range of tasks, from architecting security solutions to collaborating with Engineering Leadership to address security vulnerabilities at scale and embed security into the fabric of the organization.

Jeevan Singh

Jeevan Singh

Linkedin

Founder of Manicode Security

Jeevan Singh is the Director of Security Engineering at Rippling, with a background spanning various Engineering and Security leadership roles over the course of his career. He’s dedicated to the integration of security practices into software development, working to create a security-aware culture within organizations and imparting security best practices to the team.
In his role, Jeevan handles a range of tasks, from architecting security solutions to collaborating with Engineering Leadership to address security vulnerabilities at scale and embed security into the fabric of the organization.

James

James Berthoty

Linkedin

Founder of Latio Tech

James Berthoty has over ten years of experience across product and security domains. He founded Latio Tech to help companies find the right security tools for their needs without vendor bias.

christophe

Christophe Parisel

Linkedin

Senior Cloud Security Architect

Senior Cloud Security Architect

Chris

Chris Romeo

Linkedin

Co-Founder
Security Journey

Chris Romeo is a leading voice and thinker in application security, threat modeling, and security champions and the CEO of Devici and General Partner at Kerr Ventures. Chris hosts the award-winning “Application Security Podcast,” “The Security Table,” and “The Threat Modeling Podcast” and is a highly rated industry speaker and trainer, featured at the RSA Conference, the AppSec Village @ DefCon, OWASP Global AppSec, ISC2 Security Congress, InfoSec World and All Day DevOps. Chris founded Security Journey, a security education company, leading to an exit in 2022. Chris was the Chief Security Advocate at Cisco, spreading security knowledge through education and champion programs. Chris has twenty-six years of security experience, holding positions across the gamut, including application security, security engineering, incident response, and various Executive roles. Chris holds the CISSP and CSSLP certifications.

jim

Jim Manico

Linkedin

Founder of Manicode Security

Jim Manico is the founder of Manicode Security, where he trains software developers on secure coding and security engineering. Jim is also the founder of Brakeman Security, Inc. and an investor/advisor for Signal Sciences. He is the author of Iron-Clad Java: Building Secure Web Applications (McGraw-Hill), a frequent speaker on secure software practices, and a member of the JavaOne Rockstar speaker community. Jim is also a volunteer for and former board member of the OWASP foundation.

Join our Mailing list!

Get all the latest news, exclusive deals, and feature updates.

The IKIGAI concept
x Powerful Protection for WordPress, from Shield Security PRO
This Site Is Protected By
Shield Security PRO