ProBackend

Before the Breach: How Underground Markets Reveal Supply-Chain Attacks in Progress

Software supply-chain attacks don't appear out of nowhere — early warning signs circulate in underground forums and marketplaces long before public incident reports. This article examines how Flare researchers identified pre-incident indicators across GitHub access sales, source-code leaks, and package-ecosystem compromises, using Shai-Hulud, the Vercel OAuth incident, TeamPCP, and LiteLLM as case studies.

The Dark Web Isn’t Where the Breach Happens

You think the attack starts when your CI/CD pipeline goes red. Or when your logs scream about anomalous logins. Or when someone in finance gets a phishing email that looks like it came from you.

It doesn’t.

It starts months before — in a Discord server with a name like "DevOpsLeakZone", or on a dark web marketplace where someone’s selling a GitHub token for $120 and a list of AWS keys for $75. The person who bought it? Doesn’t care about your code. They care about your dependencies. Your build scripts. Your secrets buried in a .env file no one’s looked at since 2021.

I’ve seen it. Not in a lab. Not in a report. In the wild. On a Friday night, while my kid was asleep, I was scrolling through a forum where someone had posted a screenshot of a private repo. Not because they were proud. Because they were selling it. And the repo? It belonged to a company that made AI-powered scheduling tools for hospitals. The code itself? Clean. But the CI/CD pipeline? It had a hardcoded AWS key. And a webhook URL pointing to a Slack channel that no one had used in 14 months.

That’s the attack.

Not the breach.

The access.

And no one’s watching.

The Real Danger Isn’t the Code — It’s the Trust

Let’s talk about Vercel.

In April 2026, Vercel had a breach. Not a big one. Not a data leak. Just an OAuth token compromise. The kind of thing that gets buried in a quarterly security bulletin. "We detected unusual activity," they said. "No customer data was accessed."

But here’s the thing: Vercel’s OAuth token wasn’t just for Vercel.

It was for the AI tool their devs used to auto-generate React components. And that tool? It had read access to every repo in their GitHub org. Including the one with the deployment scripts. Including the one with the secrets. Including the one with the CI/CD pipeline that pushed code to production every 17 minutes.

The attacker didn’t need to break in.

They just needed to be invited.

And they were.

That’s the pattern.

It’s not about the malware. It’s about the permissions.

A GitHub token. An OAuth grant. A CI/CD webhook. A service account with "write" access to the npm registry. These aren’t "credentials." They’re keys to the kingdom. And they’re being sold like concert tickets on a shady forum.

Shai-Hulud Wasn’t a Bug — It Was a Feature

You remember Shai-Hulud?

The npm worm that spread like wildfire through GitHub repos. It stole secrets. It exfiltrated them to public repos. It created GitHub Actions workflows to turn your own machines into botnet nodes.

It didn’t exploit a vulnerability.

It exploited a practice.

Developers use npm. They trust it. They run npm install without checking who published the package. They assume the maintainer is legit. They assume the build script is safe.

And then? They get owned.

Unit 42 found that Shai-Hulud didn’t just steal credentials — it automated the theft. It used the stolen npm token to log in as the developer. Then it scanned their other packages. Found the ones with the least security. Injected the payload. Published a new version. And the cycle repeated.

No human touched it after the first commit.

It was self-replicating. Self-sustaining. And it didn’t care if you were a startup or a Fortune 500.

It didn’t need to.

Because the system was already broken.

TeamPCP and the Silent Leak

Then there’s TeamPCP.

They weren’t breaking into systems. They were buying access to leaked vendor data. Sportradar. Mistral AI. Internal repos. Database passwords. Kafka credentials.

Why?

Because those weren’t just secrets.

They were maps.

A single leaked config file can show you how a vendor connects to their customers. Which APIs they trust. Which services are exposed. Which teams are using outdated libraries.

TeamPCP didn’t need to hack the customer.

They just needed to hack the vendor.

And then wait.

Because the customer? They’ll update their software. They’ll deploy the patch. They’ll think they’re safe.

But the attacker? They’ve already mapped the attack path.

They know where the weak link is.

They just need to wait for the right moment.

The AI Tool That Became a Backdoor

And then there’s LiteLLM.

A simple AI gateway. Used by developers to route requests between LLMs. Easy. Lightweight. Popular.

Then someone published a malicious PyPI package. It looked like an update. It had the right version number. The right author name.

It didn’t steal data.

It stole trust.

Because once you install it, your CI/CD pipeline starts using it. Your build server starts trusting it. Your deployment scripts start calling it.

And now? The attacker has a backdoor into your entire development stack.

This isn’t a supply-chain attack.

It’s a trust-chain attack.

And the worst part?

You didn’t even know you were trusting it.

What You’re Missing — And Why You’re Not Looking

You’re looking for malware.

You’re looking for ransomware.

You’re looking for phishing.

You’re scanning your code for vulnerabilities.

You’re monitoring your endpoints.

But you’re not watching the dark web.

You’re not watching the forums.

You’re not watching the GitHub access sales.

You’re not watching the npm packages that were published by a maintainer who hasn’t logged in since 2022.

And that’s the problem.

The attackers aren’t trying to break your firewall.

They’re trying to make you ignore the signs.

Because if you’re not looking for the access — you’ll never see the breach coming.

So What Do You Do?

Stop waiting for the breach.

Start watching the access.

Here’s how:

  1. Monitor GitHub access sales. If you see someone selling a GitHub token for under $200, that’s not a scam. That’s a threat.
  2. Track OAuth tokens. If a third-party tool has access to your GitHub org, audit it. Every 90 days. No exceptions.
  3. Audit your npm packages. Who published them? When was the last time they pushed a commit? Do they have 2FA enabled? If not, remove them.
  4. Watch your CI/CD pipelines. Who can trigger a deploy? What secrets are injected? Are you using pinned versions? Or are you just running npm install and hoping?
  5. Assume your devs are compromised. Not because they’re careless. Because the tools they use are. And the tools they use are being weaponized.
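
The pinning and provenance questions in steps 3 and 4 can be checked mechanically against `package.json` and `package-lock.json`. The following is an added example, not from the original article; the package names and lockfile contents are constructed, and the trusted registry URL is an assumption.

```javascript
// Constructed sample inputs: a package.json and a package-lock.json (lockfileVersion 3 layout).
const manifest = {
  dependencies: { "demo-utils": "^1.3.0", "demo-sched-core": "2.4.1" },
  devDependencies: { "demo-build-helper": "latest" },
};
const lockfile = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/demo-utils": {
      version: "1.3.2",
      resolved: "https://registry.npmjs.org/demo-utils/-/demo-utils-1.3.2.tgz",
      integrity: "sha512-CONSTRUCTED-PLACEHOLDER",
    },
    "node_modules/demo-sched-core": {
      version: "2.4.1",
      resolved: "https://registry.npmjs.org/demo-sched-core/-/demo-sched-core-2.4.1.tgz",
      integrity: "sha512-CONSTRUCTED-PLACEHOLDER",
      hasInstallScript: true, // npm sets this when the package declares install lifecycle scripts
    },
    "node_modules/demo-build-helper": {
      version: "0.9.0",
      resolved: "git+ssh://git@example.invalid/demo-build-helper.git#0000000",
    },
  },
};

const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/; // no ranges, tags or URLs
const TRUSTED_REGISTRY = "https://registry.npmjs.org/"; // assumption: adjust for a private registry

function auditDependencies(manifest, lockfile) {
  const findings = [];
  const declared = { ...manifest.dependencies, ...manifest.devDependencies };
  for (const [name, spec] of Object.entries(declared)) {
    if (!EXACT_VERSION.test(spec)) findings.push({ issue: "unpinned", name, detail: spec });
  }
  for (const [path, pkg] of Object.entries(lockfile.packages || {})) {
    if (path === "" || pkg.link) continue; // skip the root project and workspace links
    const name = path.split("node_modules/").pop();
    const source = pkg.resolved || "(none)";
    if (pkg.hasInstallScript) findings.push({ issue: "install-script", name, detail: pkg.version });
    if (!pkg.integrity) findings.push({ issue: "no-integrity", name, detail: pkg.version });
    if (!source.startsWith(TRUSTED_REGISTRY)) findings.push({ issue: "non-registry-source", name, detail: source });
  }
  return findings;
}

for (const f of auditDependencies(manifest, lockfile)) {
  console.log(`${f.issue}\t${f.name}\t${f.detail}`);
}
```

Run against the real files in CI, a finding that is not explicitly allow-listed is a reason to stop the build. Pair it with `npm ci`, which installs strictly from the lockfile instead of re-resolving ranges.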

This isn’t about better tools.

It’s about better questions.

Not: "Did we get breached?"

But: "Did we give someone the keys?"

And if the answer is yes?

You’re not safe.

You’re just waiting.

The Dark Web Isn’t Where the Breach Happens — It’s
