TechRadar
Sead Fadilpašić

GitHub confirms breach — thousands of internal repositories hit after employee installs malicious VS Code extension

  • GitHub confirms an employee’s compromised device led to exfiltration of internal repositories via a poisoned VSCode extension
  • Threat actors TeamPCP are selling an archive of roughly 4,000 repos on the dark web, asking $50,000 with samples shared for proof
  • The group is also behind recent npm supply‑chain attacks, highlighting its ongoing campaign against developer ecosystems

GitHub, one of the biggest open source code repositories in the world, has confirmed being hit by a cyberattack which saw its sensitive data stolen.

In a short announcement on X, GitHub said one of its employees had their device compromised when they downloaded a poisoned VSCode extension.

The company removed the malware, isolated the endpoint, and started an investigation, which determined the attacker exfiltrated some sensitive data.

TeamPCP takes the blame

“Our current assessment is that the activity involved exfiltration of GitHub-internal repositories only,” GitHub noted. “The attacker’s current claims of ~3,800 repositories are directionally consistent with our investigation so far.”

In response, GitHub rotated critical secrets and continues to analyze logs, validate secret rotation, and monitor follow-on activity. “We will take additional action as the investigation warrants,” it concluded.

An archive of roughly 4,000 repositories is reportedly being offered for sale on the dark web by threat actors known as TeamPCP. CyberInsider claims the group is asking $50,000 for the archive, though apparently no ransom note was left.

“There is a total of around ~4,000 repos of private code here,” the crooks allegedly said. They also shared samples, to prove the authenticity of their claims. If no one buys the stash soon, the attackers said they would leak it to the dark web for free.

Besides ShinyHunters, TeamPCP is currently one of the most active groups out there. It is responsible for Shai-Hulud and Mini Shai-Hulud campaigns, in which they compromised countless GitHub and npm repositories, and used them to push malware to possibly thousands of projects.

It recently published more than 600 malicious packages to the npm registry, targeting more than 300 unique packages. By stealing login credentials and access tokens, the attackers gain access to legitimate packages and update them to push infostealer malware that harvests credentials and compromises CI/CD environments.
