GitHub internal repo breach — 3,800 repos accessed, supply chain risk unresolved
TL;DR
GitHub confirms ~3,800 internal repos were accessed by attackers. Hacker group TeamPCP listed source code for $50K+. Entry path: a poisoned VS Code extension (likely Nx Console v18.95.0) on an employee machine.
GitHub confirmed ~3,800 internal code repositories were accessed without authorization. Hacker group TeamPCP is offering GitHub source code and internal org data on underground forums, asking $50K+.
Entry path: an employee installed a poisoned VS Code extension (suspected to be Nx Console v18.95.0), letting the attacker steal credentials and pivot into internal repos. The extension was up on the official Marketplace for ~11 minutes before takedown — but the infection already happened. GitHub has removed the malicious extension, isolated infected endpoints, and rotated critical keys.
Why this isn't just GitHub's problem. GitHub internal repos may contain platform infrastructure config, CI/CD logic, deployment scripts, signing keys. If exploited, attackers could theoretically affect Actions, Packages, and the whole Marketplace at a deeper level. TeamPCP's typical method is supply chain — they previously breached Trivy, then chain-poisoned Docker images, PyPI, and npm packages, hitting tens of thousands of devices. GitHub is an even more upstream target — the potential blast radius is larger.
Critical info still unpublished: exact incident timing, full intrusion path, affected repo list, whether production keys were involved — these unknowns determine the eventual impact.
Immediate developer recommendations: audit your VS Code extensions, rotate GitHub Tokens and CI/CD keys, check private repos for hardcoded credentials.
via BleepingComputer
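The first recommendation above (audit your VS Code extensions) as a worked example. This is an added script, not code from the article or from GitHub: it reads the `publisher.name@version` lines that `code --list-extensions --show-versions` prints and compares them with a watchlist. The watchlist entry assumes the Nx Console marketplace id is `nrwl.angular-console`; confirm the id and version against your own sources before acting on a match.

```shell
#!/bin/sh
# Added example: audit installed VS Code extensions against a watchlist of
# "publisher.name@version" entries. Input lines have the same shape as the
# output of `code --list-extensions --show-versions`.
# ASSUMPTION: nrwl.angular-console is the Nx Console marketplace id; the
# 18.95.0 version is the one the article names as suspected.
WATCHLIST="nrwl.angular-console@18.95.0"

# flag_extensions: read "id@version" lines on stdin.
# Prints "FLAGGED id@version" for an exact id+version match and
# "REVIEW id@version" when only the id matches (different version).
# Returns 1 if at least one FLAGGED entry was found, 0 otherwise.
flag_extensions() {
    hits=0
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        id=${line%@*}
        ver=${line##*@}
        for bad in $WATCHLIST; do
            bad_id=${bad%@*}
            bad_ver=${bad##*@}
            if [ "$id" = "$bad_id" ]; then
                if [ "$ver" = "$bad_ver" ]; then
                    echo "FLAGGED $id@$ver"
                    hits=$((hits + 1))
                else
                    echo "REVIEW $id@$ver (watchlisted id, other version)"
                fi
            fi
        done
    done
    [ "$hits" -eq 0 ]
}

# Constructed sample inventory so the script runs offline; in real use pipe
# `code --list-extensions --show-versions` into flag_extensions instead.
SAMPLE='ms-python.python@2024.4.1
nrwl.angular-console@18.95.0
esbenp.prettier-vscode@10.4.0'
```

A non-zero exit status makes the function usable as a gate in a workstation compliance check; clear the FLAGGED entries before rotating tokens, otherwise the new credentials are exposed to the same extension.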
