GitHub Investigating TeamPCP Claimed Breach of ~4,000 Internal Repositories

GitHub is investigating a security breach after the threat actor TeamPCP compromised an employee device through a malicious Visual Studio Code extension and used that access to exfiltrate internal platform repositories.

Key Points

  • Threat actor TeamPCP and the LAPSUS$ group are attempting to sell approximately 4,000 stolen GitHub internal repositories for $95,000.
  • The breach originated from a compromised employee device infected by a poisoned Microsoft Visual Studio Code extension.
  • GitHub has rotated critical credentials and confirmed the exfiltration was limited to internal repositories, with no evidence of customer data impact.
  • TeamPCP is simultaneously conducting a supply chain attack by injecting malicious code into the "durabletask" Python package on PyPI.
  • The malware, known as Mini Shai-Hulud, functions as an infostealer that targets cloud credentials, password managers, and SSH keys on Linux systems.

Why it Matters

This incident highlights the severe risks posed by software supply chain attacks, where compromised developer tools and packages can lead to large-scale internal data breaches. The ability of the malware to propagate through cloud environments like AWS and Kubernetes underscores the critical need for robust credential management and rigorous security vetting of third-party extensions.
Published by info@thehackernews.com (The Hacker News)