{"slug": "hackers-have-stopped-breaking-in-theyre-abusing-the-things-developers-already", "title": "Hackers have stopped breaking in. They’re abusing the things developers already trust.", "summary": "Hackers are increasingly exploiting trusted developer tools rather than breaking into systems, with two major campaigns this week highlighting the trend. TeamPCP injected malicious code into over 1,000 open-source packages, while attackers abused Anthropic's Claude AI chat feature to trick macOS developers into running commands. The attacks underscore a shift toward abusing trust in package registries, AI coding agents, and familiar domains, posing a significant challenge for the industry.", "body_md": "Hackers are not really breaking in any more. They are walking through doors we hold open for them.\n\nThis past week made the shift plain. Two campaigns showed that the things developers trust most, open-source code and AI tools, have become the easiest way to attack them.\n\n## 1,000 poisoned packages\n\nThe first is a group called TeamPCP. In under four months, it has injected malicious code into more than 1,000 open-source software packages, according to CyberScoop. It started with a single tool in February and has barely slowed since.\n\nThe method is not clever, and that is the point. Most companies pull in code automatically and rarely check that it is safe. TeamPCP simply abuses that blind faith. Together, the poisoned packages rack up roughly 500 million downloads a week.\n\nThe named victims are a who’s-who: Bitwarden, Red Hat, SAP, PyTorch Lightning, even GitHub itself. Yet the group does not seem to be chasing money. Researchers say it is after chaos and notoriety, having pocketed only about $90,000 in extortion. One security firm now estimates a roughly 1-in-10 chance that any package an organisation installs could trigger an active attack.\n\n## AI makes it worse\n\nAI is pouring fuel on this. Developers used to vet their dependencies, however loosely. Now coding agents install packages on their own, often with no human checking. “There’s in some cases virtually no human in the loop,” Socket’s Feross Aboukhadijeh told CyberScoop.\n\nThose same agents are targets, too. Researchers have shown that [a fake bug report can hijack an AI coding agent](https://thenextweb.com/news/agentjacking-ai-coding-agents-sentry) and make it run an attacker’s commands. Self-spreading worms are already [tearing through code registries](https://thenextweb.com/news/miasma-worm-microsoft-github-supply-chain), and a poisoned editor extension recently [let attackers steal thousands of GitHub repositories](https://thenextweb.com/news/github-confirms-hackers-stole-thousands-of-internal-code-repositories-after-employee-installed-a-poisoned-vs-code-extension).\n\n## Even Claude became a weapon\n\nThe second campaign is sneakier. Hackers turned Anthropic’s Claude against its own users. They abused “Shared Chats”, a feature that lets people post public links to past conversations.\n\nHere is how it worked. The attackers staged fake “Apple Support” chats on claude.ai, telling macOS developers to paste a command into their Terminal. Then they bought Google ads for searches like “Claude Code on Mac” to send victims there. Because the links sat on Claude’s own trusted domain, they looked safe.\n\nTrend Micro counted more than 2,000 victims, most in the Asia-Pacific region. Anthropic has since banned the accounts and disabled the conversations.\n\n## Why it matters\n\nThe thread tying these together is trust. Attackers no longer need a clever exploit. They just need something you already believe in: a package registry, a coding agent, a familiar domain. As one industry bulletin put it, “legitimate” is not the same as “safe”.\n\nFor the industry, that is an uncomfortable reset. It means watching the tools people trust, not just the files they download. It means treating a package install like running code, and an AI agent like a user account. The web did not break this week. It just got used exactly as designed, which may be the harder problem to fix.\n\n## Get the TNW newsletter\n\nGet the most important tech news in your inbox each week.", "url": "https://wpnews.pro/news/hackers-have-stopped-breaking-in-theyre-abusing-the-things-developers-already", "canonical_source": "https://thenextweb.com/news/teampcp-claude-shared-chats-ai-supply-chain-attacks-trust", "published_at": "2026-06-19 16:46:46+00:00", "updated_at": "2026-06-19 18:10:59.411489+00:00", "lang": "en", "topics": ["ai-safety", "ai-tools"], "entities": ["TeamPCP", "Bitwarden", "Red Hat", "SAP", "PyTorch Lightning", "GitHub", "Anthropic", "Claude"], "alternates": {"html": "https://wpnews.pro/news/hackers-have-stopped-breaking-in-theyre-abusing-the-things-developers-already", "markdown": "https://wpnews.pro/news/hackers-have-stopped-breaking-in-theyre-abusing-the-things-developers-already.md", "text": "https://wpnews.pro/news/hackers-have-stopped-breaking-in-theyre-abusing-the-things-developers-already.txt", "jsonld": "https://wpnews.pro/news/hackers-have-stopped-breaking-in-theyre-abusing-the-things-developers-already.jsonld"}}