Skip to content
You can now search across every topic, entity and event.What's new
UNC6780
OrganisationXX

UNC6780

Financially motivated supply-chain cluster; open-sourced its Shai-Hulud worm kit with a Monero bounty, franchising industrial repository poisoning.

Last refreshed: 14 June 2026 · Appears in 1 active topic

Key Question

Why did UNC6780 publish its attack toolkit under an open-source licence with a bounty?

Timeline for UNC6780

#73 Jun

Released Shai-Hulud 3.0 as open-source under MIT licence with Monero bounty on 12 May

Cybersecurity: Threats and Defences: Attack worm kit now open-sourced freely
#521 May

Mentioned in: AI orchestration flaw joins CISA's KEV

Cybersecurity: Threats and Defences
#518 May

Deployed trojanised Nx Console extension and cloned ~3,800 GitHub internal repositories

Cybersecurity: Threats and Defences: GitHub's own code cloned via add-on
#411 May

Cloned over 300 private Cisco GitHub repositories using SANDCLOCK-stolen credentials

Cybersecurity: Threats and Defences: UNC6780 takes Cisco AI Defense source code
#48 May

Exploited CVE-2026-42208 within 36 hours of KEV addition, using SANDCLOCK-stolen AWS keys and GitHub tokens

Cybersecurity: Threats and Defences: LiteLLM SQL injection hits in 36 hours
View full timeline →
Common Questions
Who is UNC6780 and what did they steal from Cisco?
UNC6780 (also tracked as TeamPCP) is a financially motivated threat cluster that cloned over 300 private Cisco GitHub repositories on or around 11 May 2026, including the source code of Cisco AI Defense and Cisco AI Assistant, using credentials stolen via the SANDCLOCK malware from the Trivy supply-chain compromise.Source: Google Threat Intelligence Group
What is the SANDCLOCK credential stealer?
SANDCLOCK is the credential-stealing tool used by UNC6780 to harvest GitHub tokens and AWS keys from compromised developer environments, enabling the cluster's access to Cisco and LiteLLM infrastructure.Source: GTIG / SANS Internet Storm Center
How did UNC6780 get into Cisco's GitHub?
UNC6780 compromised the Trivy open-source vulnerability scanner (CVE-2026-33634, March 2026), which held CI/CD pipeline credentials for every project it audited, including Cisco's repositories. SANDCLOCK harvested those credentials and the cluster used them to clone over 300 private Cisco repos.Source: GTIG

Background

UNC6780, also tracked as TeamPCP, emerged as the central actor of Google's Threat Intelligence Group (GTIG) May 2026 threat report. The cluster used the SANDCLOCK credential stealer to harvest GitHub tokens and AWS keys exfiltrated through the March 2026 Trivy supply-chain compromise (CVE-2026-33634), then cloned more than 300 private Cisco GitHub repositories, including the source code of Cisco AI Defense and Cisco AI Assistant. GitHub confirmed an investigation into the unauthorised access. UNC6780 also exploited LiteLLM CVE-2026-42208 within 36 hours of CISA's KEV addition on 8 May 2026, compressing the typical enterprise patch window by roughly 85 per cent and harvesting credentials from BerriAI's commercial infrastructure.

The cluster's operational tempo accelerated through May and June 2026. On 18 May a trojanised build of the Nx Console Visual Studio Code extension (v18.95.0) was live on the VS Marketplace for 18 minutes; a GitHub employee installed it, yielding 1Password vaults, Claude Code configuration, npm, GitHub, and AWS tokens, and enabling the cloning of approximately 3,800 of GitHub's internal private repositories. The cluster listed the haul for sale at $50,000 and up. On 12 May UNC6780 released its Shai-Hulud 3.0 supply-chain worm framework under an MIT licence with a $1,000 Monero bounty for the largest attack built on it, explicitly franchising the technique. A copycat Megalodon operation used the kit on 18 May to poison 5,561 GitHub Actions repositories in six hours. A variant tracked as Phantom Gyp, observed on 3 June, weaponises the binding.gyp native-build file so malicious code executes during npm install via Node's compiler step, bypassing preinstall and postinstall hook monitors.

UNC6780's open-sourcing decision shifts the cluster's threat model from targeted exploitation to ecosystem poisoning at franchise scale. Researchers confirmed valid SLSA provenance attestations on malicious packages distributed via the Shai-Hulud kit, demonstrating that cryptographic origin signatures do not guarantee code Integrity. The Phantom Gyp variant's use of the compiler step is a meaningful evasion innovation: it operates below the hook layer that most supply-chain security tools monitor. The Cisco source-code haul also gives the cluster, or those it transacts with, visibility into the internal architecture of Cisco's LLM-security product portfolio — a forward intelligence advantage whose use is not yet documented.

More questions
How quickly did UNC6780 exploit the LiteLLM vulnerability?
UNC6780 exploited LiteLLM CVE-2026-42208 within 36 hours of CISA adding it to the Known Exploited Vulnerabilities catalogue on 8 May 2026, roughly 85 per cent faster than a typical enterprise patch cycle of five to ten days.Source: GTIG
What is the Shai-Hulud worm framework and why did UNC6780 release it publicly?
Shai-Hulud 3.0 is a supply-chain worm toolkit that UNC6780 released on GitHub under an MIT licence on 12 May 2026, with a $1,000 Monero bounty for the largest attack built using it. The open-source release franchises industrial repository-poisoning at scale without the cluster needing to Conduct each operation itself.Source: Protos Labs / GTIG
How did UNC6780 breach GitHub's internal repositories via a VS Code extension?
UNC6780 uploaded a trojanised Nx Console extension (v18.95.0) to the VS Marketplace on 18 May 2026. A GitHub employee installed it; on startup it harvested developer credentials including 1Password vaults and GitHub tokens, enabling the clone of around 3,800 GitHub internal private repositories in minutes.Source: GitHub Security / CISA Alert AA26-148A
What is Phantom Gyp and how does it bypass supply-chain security tools?
Phantom Gyp is a UNC6780-attributed variant of the Shai-Hulud framework, observed on 3 June 2026. It embeds malicious code in the binding.gyp native-build file so execution happens during npm install's compiler step, below the preinstall and postinstall hook layer that most supply-chain monitors watch.Source: Protos Labs
Source Material