ShadowLink Exposed: How Your Home Router Became a Puppet for Corporate Supply Chain Attacks
The compromise of a residential router may at first look like a purely local problem, and the manipulation of code within GitHub Actions like an entirely separate story. However, the events of March 2026 have demonstrated that a single, sinister thread can bind domestic networking hardware to corporate CI/CD pipelines. An investigative report by Ctrl-Alt-Intel concludes that the assault on Xygeni, previously regarded as an isolated incident, is inextricably linked to a broader campaign aimed at hijacking TP-Link and ASUS devices to build a clandestine proxy network.
While monitoring adversaries who transform breached edge devices into residential proxies, the investigative team discovered traces of the microsocks utility on consumer-grade TP-Link routers, operating in tandem with a command-and-control module dubbed ShadowLink. Forensic analysis revealed a startling convergence: the identical communication protocol, command sequence, and authentication secret utilized by ShadowLink were also found within the malicious component injected into a Xygeni GitHub Action on March 3.
According to Ctrl-Alt-Intel, the attackers exploited CVE-2024-21833 on TP-Link hardware to execute scripts that identified the device’s architecture, deployed a SOCKS5 proxy, and established persistence via cron, rc.local, and NVRAM. Disguised as legitimate system processes, these nodes allowed traffic to masquerade as coming from domestic IP addresses, effectively bypassing geographic blocks, CAPTCHAs, and rate limits. A lightweight variant of ShadowLink was also detected on ASUS devices, seemingly designed for reconnaissance ahead of future deployments.
The correlation with the Xygeni breach is particularly noteworthy, as the malicious code within the GitHub Action mirrored this operational logic. In early March, the adversaries submitted fraudulent Pull Requests and subsequently redirected the v5 tag to a compromised commit. Upon execution, the Action transmitted telemetry to a command-and-control server, executed received instructions, and exfiltrated the results in a compressed, encoded format. To maintain a veneer of legitimacy, the attackers utilized a nip.io domain to avoid the suspicion associated with direct IP-based connections.
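A defender-side check for the two weaknesses this paragraph describes (a workflow consuming an action through a mutable tag such as v5, which an attacker can redirect to a compromised commit, and a wildcard-DNS nip.io hostname appearing in a pipeline). This is an added example, not code from the report or from Xygeni; the action names, the placeholder commit SHA and the 203.0.113.10 address in the sample workflow are constructed.

```python
import re

# Matches a `uses:` step in a GitHub Actions workflow and captures the action reference.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
# A full-length (40 hex) commit SHA is the only reference a tag move cannot redirect.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# nip.io resolves any name that embeds an IP address to that address, so such a
# hostname in a pipeline is just an IP with a DNS-looking label wrapped around it.
NIPIO_RE = re.compile(r"\b[A-Za-z0-9.-]+\.nip\.io\b", re.IGNORECASE)

# Constructed sample workflow: one pinned step, one mutable tag, one local action,
# one reference with no version at all, and one step calling a nip.io host.
SAMPLE_WORKFLOW = """\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa  # placeholder SHA
      - uses: example-org/scanner-action@v5
      - uses: ./.github/actions/local-step
      - uses: example-org/helper
      - run: curl -s http://203.0.113.10.nip.io/report
"""


def audit_workflow(text):
    """Return (line_no, kind, detail) findings for one workflow file's text."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            if ref.startswith("./") or ref.startswith("docker://"):
                pass  # local and container actions are not resolved via a git ref
            elif "@" not in ref:
                findings.append((no, "unpinned", ref))
            else:
                _action, rev = ref.rsplit("@", 1)
                if not SHA_RE.match(rev):
                    findings.append((no, "mutable-ref", ref))
        for host in NIPIO_RE.findall(line):
            findings.append((no, "wildcard-dns", host))
    return findings


if __name__ == "__main__":
    for line_no, kind, detail in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {kind}: {detail}")
```

Only the SHA-pinned checkout step passes; the v5 reference, the versionless reference and the nip.io host are each reported with their line number.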
The report further compares these findings to the activities of TeamPCP, a threat actor previously associated with the March incidents involving Trivy and Checkmarx. While definitive technical evidence linking their infrastructures remains elusive, the chronological overlap, choice of targets, and shared focus on proxy networks are remarkably aligned.
Ctrl-Alt-Intel refrains from absolute attribution but maintains a firm conviction: the operator architecting the residential proxy network atop TP-Link and ASUS hardware was the same architect behind the Xygeni compromise. The remaining ambiguity lies in whether this actor is indeed TeamPCP, an affiliated entity, or a distinct player who has masterfully adopted these sophisticated methodologies.