The TeamPCP attacks have triggered widespread incident response efforts across the industry. In just six days the campaign evolved from a compromised GitHub Action in the Trivy repository into a multi-vector supply chain attack impacting npm packages, Python libraries, container images, IDE extensions, and CI/CD pipelines across thousands of organizations, all starting from a single stolen token. The blast radius continues to grow, with impacts spanning LiteLLM (3.6M daily downloads), over 60 npm packages via the CanisterWorm, Checkmarx's KICS GitHub Actions, and dozens of defaced repositories, alongside the discovery of a targeted wiper component.
This isn’t an isolated event but part of a broader evolution in supply chain attacks, from SolarWinds to Codecov to today, each becoming faster, more automated, and harder to contain. As a vendor operating in this ecosystem, Endor Labs is actively assessing exposure and reinforcing its own defenses, and this guide shares a practical, real-world framework for responding to such incidents across investigation, remediation, and prevention.
What's running in your GitHub Actions?
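The question above, what is actually running in your GitHub Actions, is the first thing to answer when a third-party action is reported compromised. The script below is an added example, not code from Endor Labs or from the original post: it walks workflow files, extracts every `uses:` reference, and flags references that resolve to a mutable tag or branch rather than an immutable commit SHA (or an image digest for `docker://` steps), so an inventory can be compared against an advisory quickly. The two workflow files and every action name and SHA in them are constructed for the example; the "Review bot" style regex-based parsing is a deliberate simplification that avoids a YAML dependency and only recognises `uses:` as a step key at the start of a line.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample workflows, as they might sit under .github/workflows/.
# Action names, refs and the 40-hex SHA are illustrative, not from the page.
SAMPLE_WORKFLOWS: Dict[str, str] = {
    ".github/workflows/ci.yml": """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
      - name: scan
        uses: example-org/scanner-action@main
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
""",
    ".github/workflows/release.yml": """\
name: release
on:
  push:
    tags: ['v*']
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4.1.1
      - run: echo "uses: not-a-real-ref@v1"   # inside a run string: must be ignored
""",
}

# `uses:` as a step key at the start of a line (optionally after "- "), so the
# same text inside a `run:` script is not mistaken for an action reference.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class ActionRef:
    workflow: str
    uses: str
    kind: str            # "repo", "docker" or "local"
    ref: Optional[str]   # tag, branch, SHA or image digest; None if absent
    pinned: bool         # True only for an immutable SHA or sha256 digest


def classify(uses: str, workflow: str) -> ActionRef:
    """Decide what kind of reference a `uses:` value is and whether it is pinned."""
    if uses.startswith("./"):
        # A local composite action is versioned with the repository itself.
        return ActionRef(workflow, uses, "local", None, True)
    if uses.startswith("docker://"):
        image = uses[len("docker://"):]
        ref = image.split("@", 1)[1] if "@" in image else None
        return ActionRef(workflow, uses, "docker", ref, "@sha256:" in image)
    _target, _, ref = uses.partition("@")
    return ActionRef(workflow, uses, "repo", ref or None, bool(FULL_SHA_RE.match(ref)))


def parse_uses(path: str, text: str) -> List[ActionRef]:
    """Extract every action reference from one workflow file's text."""
    refs: List[ActionRef] = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if m:
            refs.append(classify(m.group(1), path))
    return refs


def audit(workflows: Dict[str, str]) -> List[ActionRef]:
    """Inventory all action references across a mapping of path -> file text."""
    refs: List[ActionRef] = []
    for path, text in workflows.items():
        refs.extend(parse_uses(path, text))
    return refs


def unpinned(refs: List[ActionRef]) -> List[str]:
    """Unique references that float on a tag, branch or untagged image."""
    return sorted({r.uses for r in refs if not r.pinned})


if __name__ == "__main__":
    for r in audit(SAMPLE_WORKFLOWS):
        print(f"{'ok      ' if r.pinned else 'UNPINNED'} {r.workflow}: {r.uses}")
```

In a real repository the `SAMPLE_WORKFLOWS` mapping would be built by reading every file under `.github/workflows/`; the output is the list to check against an advisory and, for the unpinned entries, the candidates for re-pinning to a reviewed commit SHA. Note that a SHA pin only helps if the pinned commit itself was reviewed, and reusable workflows (`jobs.<id>.uses`) are matched here too because the regex does not distinguish job-level from step-level `uses:`.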



What's next?
When you're ready to take the next step in securing your software supply chain, here are 3 ways Endor Labs can help:








