A malicious Visual Studio Code extension helped attackers gain access to a GitHub developer’s machine before they moved deeper into GitHub’s internal systems, copied thousands of repositories, and later listed the stolen code for sale on a cybercrime forum. What first appeared to be an issue tied to a developer tool has since widened into a larger software supply chain breach.
GitHub confirmed that around 3,800 internal repositories were accessed, noting that the exposed code belongs to the company and not to customer projects. The group calling itself TeamPCP claims the number is closer to 4,000 and is reportedly seeking a buyer for the stolen data.
“We are here today to advertise GitHub’s source code and internal orgs for sale,” the group wrote on BreachForums. “Everything for the main platform is there, and I am very happy to send samples to interested buyers to verify authenticity.”
To security teams, the GitHub breach looks like the biggest public example of something that has been happening for months. TeamPCP has spent much of its time targeting the software supply chain by slipping malicious code into open-source tools that developers already trust. According to Socket, the group has carried out around 20 attack campaigns and tampered with more than 500 packages and tools, spreading further whenever someone installs or uses them in a build.
The method is simple but highly effective. TeamPCP typically compromises a widely used developer tool, such as a VS Code extension, a data visualization package, or another trusted utility, so that malware runs when developers install or update it. Once active, the malicious code harvests whatever credentials the developer's account can read: personal access tokens, API keys, SSH private keys, and cloud credentials.
Those stolen credentials are then used to publish compromised updates to additional tools. Because the updates are pushed with the maintainers' own tokens, they appear to come from legitimate maintainers, and each new wave of installs hands the attackers more credentials to repeat the cycle with.
“It’s a flywheel of supply chain compromises,” Ben Read, who leads strategic threat intelligence at Wiz, told Wired. “It’s self-perpetuating, and it’s been a hugely successful way to get access to networks and steal stuff.”
TeamPCP has recently accelerated its activity by automating significant parts of the operation. Researchers have identified a worm component known as Mini Shai-Hulud, which self-propagates once deployed. The malware creates GitHub repositories to store encrypted stolen credentials and marks them with the phrase “A Mini Shai-Hulud Has Appeared,” alongside other references to the Dune universe. The name appears to echo an earlier supply chain worm called Shai-Hulud, although there is no clear evidence linking TeamPCP to that original variant.
The campaign has touched a wide range of targets, from AI companies and security vendors to developer tools and public institutions, including OpenAI, Mercor, Mistral AI, and the public website of the European Commission. What stands out is that the attackers did not rely on zero-day exploits. Instead, they got in through the everyday tools developers already trust: scanners, libraries, and helper services.
TeamPCP is known for ransomware and data extortion activity, though the group has also shown a willingness to sell stolen information to outside buyers. In the GitHub case, it claimed the incident was not about demanding payment from GitHub directly, instead presenting the stolen code as a one-time sale. The group said it had little interest in extortion and suggested the data could eventually be leaked publicly if no buyer emerged.