
UNC6780
Financially motivated supply-chain cluster; open-sourced its Shai-Hulud worm kit with a Monero bounty, franchising industrial repository poisoning.
Last refreshed: 14 June 2026 · Appears in 1 active topic
Why did UNC6780 publish its attack toolkit under an open-source licence with a bounty?
Timeline for UNC6780
Released Shai-Hulud 3.0 as open-source under MIT licence with Monero bounty on 12 May
Cybersecurity: Threats and Defences: Attack worm kit now open-sourced freelyMentioned in: AI orchestration flaw joins CISA's KEV
Cybersecurity: Threats and DefencesDeployed trojanised Nx Console extension and cloned ~3,800 GitHub internal repositories
Cybersecurity: Threats and Defences: GitHub's own code cloned via add-onCloned over 300 private Cisco GitHub repositories using SANDCLOCK-stolen credentials
Cybersecurity: Threats and Defences: UNC6780 takes Cisco AI Defense source codeExploited CVE-2026-42208 within 36 hours of KEV addition, using SANDCLOCK-stolen AWS keys and GitHub tokens
Cybersecurity: Threats and Defences: LiteLLM SQL injection hits in 36 hoursWho is UNC6780 and what did they steal from Cisco?
What is the SANDCLOCK credential stealer?
How did UNC6780 get into Cisco's GitHub?
Background
UNC6780, also tracked as TeamPCP, emerged as the central actor of Google's Threat Intelligence Group (GTIG) May 2026 threat report. The cluster used the SANDCLOCK credential stealer to harvest GitHub tokens and AWS keys exfiltrated through the March 2026 Trivy supply-chain compromise (CVE-2026-33634), then cloned more than 300 private Cisco GitHub repositories, including the source code of Cisco AI Defense and Cisco AI Assistant. GitHub confirmed an investigation into the unauthorised access. UNC6780 also exploited LiteLLM CVE-2026-42208 within 36 hours of CISA's KEV addition on 8 May 2026, compressing the typical enterprise patch window by roughly 85 per cent and harvesting credentials from BerriAI's commercial infrastructure.
The cluster's operational tempo accelerated through May and June 2026. On 18 May a trojanised build of the Nx Console Visual Studio Code extension (v18.95.0) was live on the VS Marketplace for 18 minutes; a GitHub employee installed it, yielding 1Password vaults, Claude Code configuration, npm, GitHub, and AWS tokens, and enabling the cloning of approximately 3,800 of GitHub's internal private repositories. The cluster listed the haul for sale at $50,000 and up. On 12 May UNC6780 released its Shai-Hulud 3.0 supply-chain worm framework under an MIT licence with a $1,000 Monero bounty for the largest attack built on it, explicitly franchising the technique. A copycat Megalodon operation used the kit on 18 May to poison 5,561 GitHub Actions repositories in six hours. A variant tracked as Phantom Gyp, observed on 3 June, weaponises the binding.gyp native-build file so malicious code executes during npm install via Node's compiler step, bypassing preinstall and postinstall hook monitors.
UNC6780's open-sourcing decision shifts the cluster's threat model from targeted exploitation to ecosystem poisoning at franchise scale. Researchers confirmed valid SLSA provenance attestations on malicious packages distributed via the Shai-Hulud kit, demonstrating that cryptographic origin signatures do not guarantee code Integrity. The Phantom Gyp variant's use of the compiler step is a meaningful evasion innovation: it operates below the hook layer that most supply-chain security tools monitor. The Cisco source-code haul also gives the cluster, or those it transacts with, visibility into the internal architecture of Cisco's LLM-security product portfolio — a forward intelligence advantage whose use is not yet documented.