- GitHub confirms that an employee’s compromised device caused internal repositories to be leaked via a poisoned VSCode extension
- TeamPCP threat actors are selling an archive of approximately 4,000 repositories on the dark web, asking for $50,000 with shared samples as proof.
- The group is also behind recent attacks on the npm supply chain, highlighting its ongoing campaign against developer ecosystems.
GitHub, one of the largest open source code repositories in the world, has confirmed that it was affected by a cyberattack in which its confidential data was stolen.
In a brief announcement on X, GitHub said that one of its employees had his device compromised when he downloaded a poisoned VSCode extension.
The company removed the malware, isolated the endpoint, and launched an investigation that determined the attacker had exfiltrated some sensitive data.
TeamPCP takes the blame
“Our current assessment is that the activity involved the exfiltration of internal GitHub repositories only,” GitHub said. “The attacker’s current claims of ~3,800 repositories are directionally consistent with our investigation thus far.”
In response, GitHub rotated critical secrets and continues to analyze logs, validate the secret rotation, and monitor for trace activity. “We will take additional measures as the investigation requires,” the company concluded.
Threat actors known as TeamPCP are reportedly offering an archive of approximately 4,000 repositories for sale on the dark web. According to CyberInsider, the group is asking for $50,000 in exchange for the file; apparently, no ransom note was left.
“There are a total of around ~4,000 private code repositories here,” the criminals allegedly said. They also shared samples to prove the authenticity of their claims. If no one buys the stash soon, the attackers said they would leak it to the dark web for free.
Besides ShinyHunters, TeamPCP is currently one of the most active groups out there. It is responsible for the Shai-Hulud and Mini Shai-Hulud campaigns, in which it compromised countless GitHub and npm repositories and used them to deliver malware to possibly thousands of projects.
It recently published more than 600 malicious packages to the npm registry, targeting more than 300 unique packages. By stealing login credentials and access tokens, the attackers gain access to legitimate packages and update them to push data-stealing malware, hijack credentials, and compromise CI/CD environments.
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds.