GitHub confirms breach — thousands of internal repositories hit after employee installs malicious VS Code extension


  • GitHub confirms an employee’s compromised device led to exfiltration of internal repositories via a poisoned VSCode extension
  • Threat actors TeamPCP are selling an archive of roughly 4,000 repos on the dark web, asking $50,000 with samples shared for proof
  • The group is also behind recent npm supply‑chain attacks, highlighting its ongoing campaign against developer ecosystems

GitHub, one of the biggest open source code repositories in the world, has confirmed being hit by a cyberattack which saw its sensitive data stolen.

In a short announcement on X, GitHub said one of its employees had their device compromised when they downloaded a poisoned VSCode extension.

The company removed the malware, isolated the endpoint, and started an investigation, which determined the attacker exfiltrated some sensitive data.

TeamPCP takes the blame

“Our current assessment is that the activity involved exfiltration of GitHub-internal repositories only,” GitHub noted. “The attacker’s current claims of ~3,800 repositories are directionally consistent with our investigation so far.”

In response, GitHub rotated critical secrets and continues to analyze logs, validate secret rotation, and monitor follow-on activity. “We will take additional action as the investigation warrants,” it concluded.

An archive of roughly 4,000 repositories is reportedly being offered for sale on the dark web by threat actors known as TeamPCP. CyberInsider claims the group is asking $50,000 in exchange for the archive, but apparently no ransom note was left.

“There is a total of around ~4,000 repos of private code here,” the crooks allegedly said. They also shared samples, to prove the authenticity of their claims. If no one buys the stash soon, the attackers said they would leak it to the dark web for free.

Besides ShinyHunters, TeamPCP is currently one of the most active groups out there. It is responsible for Shai-Hulud and Mini Shai-Hulud campaigns, in which they compromised countless GitHub and npm repositories, and used them to push malware to possibly thousands of projects.

It recently published more than 600 malicious packages to the npm registry, targeting more than 300 unique packages. By stealing login credentials and access tokens, the miscreants gain access to legitimate packages and update them to push infostealer malware that grabs credentials and compromises CI/CD environments.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
