- GitHub confirms that an employee's compromised device led to the exfiltration of internal repositories via a poisoned VSCode extension.
- Threat actor TeamPCP is selling an archive of around 4,000 repositories on the dark web, asking for $50,000 and sharing samples as proof.
- The group is also behind recent npm supply chain attacks, highlighting its ongoing campaign against developer ecosystems.
GitHub, one of the world's largest code hosting platforms, has confirmed that it was the victim of a cyberattack that resulted in the theft of sensitive internal data.
In a brief announcement on X, GitHub said that an employee's device was compromised after they installed a poisoned VSCode extension.
The company removed the malware, isolated the endpoint, and launched an investigation that determined the attacker had exfiltrated some sensitive data.
TeamPCP takes responsibility
“Our current assessment is that the activity only involved the exfiltration of GitHub’s internal repositories,” GitHub noted. “The attacker’s current claims regarding approximately 3,800 repositories are consistent with our investigation so far.”
In response, GitHub has rotated critical secrets and continues to analyze logs, validate the secret rotation, and monitor for follow-up activity. “We will take additional measures if the investigation warrants it,” the company concluded.
An archive of around 4,000 repositories is allegedly being offered for sale on the dark web by a threat actor known as TeamPCP. CyberInsider reports that the group is demanding $50,000 for the archive; apparently no ransom note was left with GitHub.
“There are a total of around 4,000 private code repositories here,” the attackers reportedly said. They also shared samples to back up their claims. If no one buys the stash soon, the attackers said they will leak it for free on the dark web.
Alongside ShinyHunters, TeamPCP is one of the most active groups currently operating. It is responsible for the Shai-Hulud and Mini Shai-Hulud campaigns, in which it compromised countless GitHub and npm repositories and used them to distribute malware to possibly thousands of projects.
The group recently published over 600 malicious package versions to the npm registry, affecting over 300 unique packages. After stealing maintainers' login credentials and access tokens, the attackers use them to publish trojanized updates of legitimate packages, which in turn distribute infostealer malware, harvest further credentials, and compromise CI/CD environments.