- GitHub confirms that an employee’s compromised device led to the exfiltration of internal repositories via a poisoned VSCode extension
- Threat actors TeamPCP are selling an archive of around 4,000 repos on the dark web, asking $50,000 with samples shared for proof
- The group is also behind the latest npm supply chain attacks, highlighting its ongoing campaign against developer ecosystems
GitHub, one of the largest open source code repositories in the world, has confirmed that it was hit by a cyber attack in which sensitive data was stolen.
In a brief announcement on X, GitHub said that one of its employees had their device compromised when they downloaded a poisoned VSCode extension.
The company removed the malware, isolated the endpoint and started an investigation, which determined that the attacker exfiltrated some sensitive data.
TeamPCP takes the blame
“Our current assessment is that the activity only involved exfiltrating GitHub internal repositories,” GitHub noted. “The attacker’s current claims of ~3,800 repositories are directionally consistent with our investigation so far.”
In response, GitHub rotated critical secrets and continues to analyze logs, validate secret rotation, and monitor follow-up activity. “We will take further action as the investigation warrants,” it concluded.
An archive of around 4,000 repositories is reportedly being offered for sale on the dark web by threat actors known as TeamPCP. CyberInsider claims the group is asking $50,000 for the archive, but apparently no ransom note was left.
“There’s a total of ~4,000 repositories of private code here,” the crooks allegedly said. They also shared samples to prove the authenticity of their claims. If no one buys the cache soon, the attackers said they would leak it to the dark web for free.
Besides ShinyHunters, TeamPCP is currently one of the most active groups out there. It is responsible for the Shai-Hulud and Mini Shai-Hulud campaigns, where they compromised countless GitHub and npm repositories and used them to push malware to possibly thousands of projects.
It recently published more than 600 malicious packages to the npm registry, targeting more than 300 unique packages. By stealing login credentials and access tokens, the criminals gain access to legitimate packages and update them to push infostealer malware, grab credentials, and compromise CI/CD environments.
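The attack chain described above (stolen tokens used to publish a malicious update to a legitimate package, which then steals more credentials once installed) is commonly mitigated on the consumer side by refusing to install very recently published versions and by insisting on integrity hashes in the lockfile. The following script is an added example, not code from the article, from GitHub or from the npm project. It assumes a lockfileVersion 3 `package-lock.json` layout and registry `time` metadata in the shape the npm packument exposes; both the lockfile fragment and the registry timestamps are constructed for the example so it runs offline.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed package-lock.json fragment (lockfileVersion 3 "packages" map).
# Package names, versions and hashes are placeholders, not real packages.
LOCKFILE = json.loads(r'''
{
  "name": "example-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "example-app", "version": "1.0.0"},
    "node_modules/alpha-utils": {
      "version": "2.4.1",
      "resolved": "https://registry.example.invalid/alpha-utils/-/alpha-utils-2.4.1.tgz",
      "integrity": "sha512-PLACEHOLDERHASHalpha=="
    },
    "node_modules/beta-cli": {
      "version": "1.0.7",
      "resolved": "https://registry.example.invalid/beta-cli/-/beta-cli-1.0.7.tgz",
      "integrity": "sha512-PLACEHOLDERHASHbeta=="
    },
    "node_modules/gamma-core": {
      "version": "3.2.0",
      "resolved": "https://registry.example.invalid/gamma-core/-/gamma-core-3.2.0.tgz"
    }
  }
}
''')

# Constructed registry "time" metadata: name -> version -> publish timestamp.
# A real check would fetch the packument for each package; here it is inlined.
REGISTRY_TIME = {
    "alpha-utils": {"2.4.0": "2024-03-02T10:00:00.000Z", "2.4.1": "2024-05-01T08:30:00.000Z"},
    "beta-cli":    {"1.0.6": "2025-11-20T14:00:00.000Z", "1.0.7": "2026-03-27T09:00:00.000Z"},
    "gamma-core":  {"3.2.0": "2023-11-15T16:45:00.000Z"},
}

# Fixed "current time" so the example is deterministic.
NOW = datetime(2026, 3, 29, 0, 0, 0, tzinfo=timezone.utc)


def lockfile_packages(lock):
    """Yield (name, version, integrity) for every resolved dependency in the lockfile."""
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue  # the empty key is the root project itself
        # Nested paths look like "node_modules/a/node_modules/b"; keep the last segment.
        name = path.rsplit("node_modules/", 1)[-1]
        yield name, meta.get("version"), meta.get("integrity")


def parse_npm_time(stamp):
    """Parse an ISO 8601 timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def flag_suspicious(lock, registry_time, now, cooldown_days=7):
    """Return a list of (name, version, reason) for entries a reviewer should look at.

    Two signals: a resolved version published inside the cooldown window (the
    window in which a hijacked maintainer account is most likely to push a
    malicious release), and a dependency with no integrity hash, which means
    the tarball contents are not pinned at all.
    """
    findings = []
    for name, version, integrity in lockfile_packages(lock):
        if integrity is None:
            findings.append((name, version, "missing integrity hash"))
        published = registry_time.get(name, {}).get(version)
        if published is None:
            findings.append((name, version, "version not present in registry metadata"))
            continue
        age = now - parse_npm_time(published)
        if age < timedelta(days=cooldown_days):
            findings.append((name, version,
                             f"published {age.days} day(s) ago, inside the {cooldown_days}-day cooldown"))
    return findings


if __name__ == "__main__":
    for name, version, reason in flag_suspicious(LOCKFILE, REGISTRY_TIME, NOW):
        print(f"{name}@{version}: {reason}")
```

Run against the constructed data, the script flags `beta-cli@1.0.7` (published two days before the check) and `gamma-core@3.2.0` (no integrity hash); `alpha-utils` passes. In a CI job the same logic would read the real lockfile and fetch each packument, and a finding would block the build until a human has looked at the release.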