TeamPCP breaches GitHub, exfiltrates about 3,800 repos
Threat actor TeamPCP used a malicious Visual Studio Code extension on an employee device to access and copy roughly 3,800 internal GitHub repositories.
GitHub is investigating unauthorized access after an actor identifying itself as TeamPCP posted an offer to sell the platform’s source code and internal organizations, seeking at least $50,000. The company reported it found a compromised employee device infected by a poisoned Visual Studio Code extension and has rotated critical secrets while prioritizing highest-impact credentials.
The actor’s post included a claim that the files were for sale to a single buyer, with a promise to delete its copy after a sale; it said it would leak the material publicly if no buyer was found. An account linked to TeamPCP later posted on X accusing GitHub of delaying disclosure and withholding information.
GitHub’s current assessment is that the activity involved exfiltration of internal repositories only, and the company has not found evidence of impact to customer information stored outside those repositories. GitHub did not disclose the name of the compromised extension. The company reported that it detected and contained the device compromise and is monitoring its systems for follow-on activity. It will notify affected customers through established incident response channels if further impact is identified.
The incident fits a pattern of supply-chain attacks that target developer tools and extensions. Security researchers have documented similar compromises of Visual Studio Code extensions that allowed attackers to install multi-stage credential stealers and other malware, then use stolen tokens to move through package repositories and publishing systems.
The activity is linked to a campaign known as Mini Shai-Hulud. Researchers identified three malicious versions of the durabletask Python package (1.4.1, 1.4.2 and 1.4.3) that contained a dropper configured to fetch a second-stage payload from an external server. Analysts report the attacker obtained a PyPI publishing token after compromising a GitHub account and dumping repository secrets, then used that token to publish the malicious packages.
The embedded payload functions as an infostealer and worm that targets developer and cloud credentials. It attempts to harvest credentials for major cloud providers, read secrets from HashiCorp Vault, and export password vaults from tools such as 1Password and Bitwarden, along with SSH keys, Docker credentials, VPN configurations and shell history. The code is configured to run on Linux systems and to propagate by abusing stolen tokens: within AWS it uses SSM to execute on other EC2 instances, and within Kubernetes it spreads via kubectl exec. Researchers also described a fallback that searches public GitHub commit messages for encoded command-and-control addresses if the primary domain is unreachable.
Security researchers warned that any machine or continuous-integration pipeline that imported an affected package version should be treated as fully compromised. One researcher estimated the malicious package was being downloaded hundreds of thousands of times per month and noted the payload executes automatically when the package is imported.
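One practical check that follows from the warning above is to look for the three affected durabletask versions in pinned requirements files and in the output of pip freeze. The script below is an added example, not code from the article, from GitHub or from the researchers it cites; the AFFECTED table contains only the versions the article names, the sample freeze output is constructed, and the function names are this example's own.

```python
"""Flag pinned or installed Python packages that match known-bad versions.

Added example (not part of the original article): reads pip freeze or
requirements.txt style lines and reports any pin of durabletask at one of
the three versions the article names (1.4.1, 1.4.2, 1.4.3). The table shape,
the sample input and the function names are constructed for this example.
"""
import re
import subprocess
import sys

# Affected versions as reported in the article. The dict shape is an
# assumption so further packages can be added as advisories arrive.
AFFECTED = {
    "durabletask": {"1.4.1", "1.4.2", "1.4.3"},
}

# Matches: name, optional [extras], optional spaces, == or ===, version.
# Anything after the version (markers, hashes, comments) is ignored.
_PIN_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)"
    r"(?:\[[^\]]*\])?\s*===?\s*"
    r"(?P<version>[0-9][A-Za-z0-9.+!-]*)"
)


def normalize(name: str) -> str:
    """PEP 503 name normalization: case-fold and collapse runs of - _ . to -."""
    return re.sub(r"[-_.]+", "-", name).lower()


def find_affected(lines):
    """Return (line_no, package, version) for every pin at an affected version.

    Unpinned or range specifiers (e.g. 'pkg>=1.4,<1.5') are skipped because the
    installed version cannot be decided from the line alone; check those with
    scan_current_environment() instead.
    """
    hits = []
    for idx, raw in enumerate(lines, start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line or line.startswith("-"):  # skip -r, -e, --hash option lines
            continue
        m = _PIN_RE.match(line)
        if not m:
            continue
        name = normalize(m.group("name"))
        version = m.group("version")
        if version in AFFECTED.get(name, ()):
            hits.append((idx, name, version))
    return hits


def scan_current_environment():
    """Run pip freeze for the current interpreter and check the result."""
    proc = subprocess.run(
        [sys.executable, "-m", "pip", "freeze"], capture_output=True, text=True
    )
    if proc.returncode != 0:
        raise RuntimeError("pip freeze failed: " + proc.stderr.strip())
    return find_affected(proc.stdout.splitlines())


# Constructed sample of pip freeze output; only line 3 should be flagged.
SAMPLE_FREEZE = """\
# constructed sample, not real output
azure-functions==1.21.3
DurableTask==1.4.2   # case differs from the canonical name
durabletask[azure]==1.4.0
durabletask-azuremanaged==0.1.0
requests>=2.31
"""


if __name__ == "__main__":
    # With no arguments, check the constructed sample; otherwise each file given.
    sources = sys.argv[1:] or []
    if not sources:
        for hit in find_affected(SAMPLE_FREEZE.splitlines()):
            print("sample: line %d pins %s==%s (affected)" % hit)
    for path in sources:
        with open(path, encoding="utf-8") as fh:
            for hit in find_affected(fh.read().splitlines()):
                print("%s: line %d pins %s==%s (affected)" % ((path,) + hit))
```

Pass one or more requirements or lock-export files on the command line to scan them; call scan_current_environment() from a CI step to check what is actually installed, which also covers range specifiers that the line-based check deliberately skips. A hit means the host or pipeline that installed that version should be handled as compromised, as the researchers advise, rather than merely upgraded.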
GitHub has taken containment steps and continues its investigation into the scope of access and potential downstream impact. The company has communicated its assessment and mitigation actions to incident response channels while monitoring for further activity.