WHAT WE KNOW SO FAR: Hackers have reportedly used a malicious Visual Studio Code extension to gain access to a GitHub developer's machine, then leveraged credentials stolen from it to move into GitHub's own infrastructure and copy thousands of internal repositories. From there, they allegedly put parts of the stolen code up for sale on a cybercrime forum, turning what appeared to be a routine developer tool into the starting point of a wider supply chain incident.

GitHub has said it found about 3,800 internal repositories accessed in the breach and stressed that these contained its own code rather than customer projects. The attackers, a group calling itself TeamPCP, claim the number is closer to 4,000 and are actively attempting to sell the stolen data.

"We are here today to advertise GitHub's source code and internal orgs for sale," the group wrote on BreachForums. "Everything for the main platform is there, and I am very happy to send samples to interested buyers to verify authenticity."

For security teams, the GitHub case is just the most visible example of a campaign that has been developing for months. TeamPCP has been heavily focused on software supply chain attacks, seeding malicious code into open-source projects that other developers rely on.