TeamPCP and BreachForums Launch $1,000 Contest for Supply Chain Attacks
Blog post from Socket
TeamPCP, a group known for targeting security tools and critical open-source infrastructure, is promoting a competition on BreachForums that incentivizes participants to compromise open-source packages using Shai-Hulud, an open-source attack tool they released. The contest offers a $1,000 reward in Monero for participants who can achieve the most significant compromises, judged by download counts of the affected packages, which can include both high-impact single targets and combinations of smaller ones. Although the reward seems small for the level of access required (potentially exposing sensitive CI/CD secrets, cloud credentials, and downstream enterprise environments), the competition acts as a recruitment strategy for lower-tier actors, turning supply chain compromise into a leaderboard for recognition. The move has been criticized as a public stunt that trivializes modern security efforts and encourages copycat attacks, further burdening maintainers and security teams already grappling with persistent open-source supply chain vulnerabilities.