GitHub confirms 3,800 internal repos stolen through poisoned VS Code extension as supply chain worm hits Microsoft’s Python SDK

On May 20, GitHub confirmed that an employee’s device was compromised through a poisoned VS Code extension, giving attackers access to approximately 3,800 internal repositories on the platform. The threat group TeamPCP (also known as UNC6780) has claimed responsibility for the breach and is offering the stolen repositories for sale, starting at $50,000. GitHub’s investigation aligns with the attacker’s claims, indicating a significant breach.

Multiple security firms, including Trend Micro, StepSecurity, and Snyk, have been tracking TeamPCP’s activities across various supply chain attacks since March. The GitHub breach was part of a series of incidents that occurred within a short timeframe, including the compromise of npm packages, VS Code extensions, and Microsoft’s Python SDK on PyPI.

GitHub confirmed the breach, identified the attack vector as a poisoned VS Code extension, and initiated incident response procedures. The attack, originating from a single employee device, exposed critical infrastructure configurations, deployment scripts, and internal API schemas. While source code access at this level is not considered a data breach, it represents a significant leak of infrastructure intelligence.

Security researchers have been closely monitoring TeamPCP’s activities, with each wave of attacks targeting different software components and platforms. The breach of GitHub’s internal repositories underscores the importance of securing developer tools and repositories against supply chain attacks.

The incident highlights the need for organizations to review their security practices, rotate critical credentials, and implement stringent security measures to prevent similar breaches in the future. Because the supply chain surfaces targeted by the attackers are interconnected, protecting against evolving threats requires a comprehensive security strategy.