Ethical Hacking News

GitHub Breach: The Great Exfiltration Heist - How a Single Malicious Extension Became a Gateway to Chaos


GitHub has been breached after hackers exploited a poisoned Microsoft Visual Studio Code extension, allowing them to exfiltrate sensitive data from thousands of internal repositories on the platform. The breach highlights the importance of software supply chain security and the need for companies to implement robust security measures to prevent such incidents from occurring in the future.

  • A malicious extension in Microsoft Visual Studio Code (VS Code) was exploited by hackers, allowing them to exfiltrate sensitive data from thousands of internal repositories on GitHub.
  • The breach is attributed to a single compromised device used by an employee, which served as the entry point for the hackers.
  • A threat actor known as TeamPCP listed GitHub's source code and internal organizations for sale on a cybercrime forum before the breach was discovered.
  • The attackers' goal was to sell sensitive information, but an X account linked to TeamPCP claimed they would "shred" the data if no buyer was found.
  • A poisoned VS Code extension allowed hackers to access GitHub's internal repositories and extract sensitive data without detection.
  • The attack is believed to be part of a software supply chain attack targeting open-source packages.
  • Three malicious package versions have been identified by Wiz, and the malware campaign continues to expand in reach.
  • The payload embeds a dropper that configures itself to fetch and run a second-stage payload from an external server.
  • The malware is configured to execute only on Linux systems but can propagate through various means.


    GitHub, the popular web-based platform for version control and collaboration, has been breached. A malicious extension for Microsoft Visual Studio Code (VS Code) was exploited by hackers, allowing them to exfiltrate sensitive data from thousands of GitHub's internal repositories. The breach is attributed to a single compromised device used by an employee, which served as the attackers' entry point.

    The incident began when a threat actor known as TeamPCP listed GitHub's source code and internal organizations for sale on a cybercrime forum. It was then discovered that the company's internal repositories had been accessed and data exfiltrated from them. The attackers' ultimate goal was to sell this sensitive information, but an X account linked to TeamPCP claimed that they would "shred" the data if no buyer was found.

    The breach is believed to have occurred when a poisoned VS Code extension was installed on the compromised device. This gave the hackers access to GitHub's internal repositories, from which they extracted sensitive data without being detected. The attack appears to be an evolution of previous software supply chain attacks targeting open-source packages, which are used in applications across many industries.

    One of the affected packages is durabletask, a Python client for the Durable Task workflow execution framework. Three malicious package versions (1.4.1, 1.4.2, and 1.4.3) have been identified by Google-owned Wiz, which also reported that TeamPCP's malware campaign, known as Mini Shai-Hulud, continues to expand in reach.
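A defender's first question after a report like this is whether any of the named releases are pinned in a build or installed in an environment. The scanner below is an added example, not code from the article, from GitHub or from Wiz: the three durabletask versions are the ones the article names, while the requirements listing, the other package names and the function names are constructed for this example.

```python
import re
from importlib import metadata
from typing import Dict, FrozenSet, List, Tuple

# Constructed sample in pip-freeze / requirements.txt style. Only the
# durabletask version numbers come from the article; everything else is made up
# so the scanner has benign lines to walk past.
SAMPLE_REQUIREMENTS = """\
# constructed sample requirements.txt
requests==2.31.0
durabletask==1.4.2
azure-functions==1.18.0   # pinned for the function app
Durabletask == 1.4.0
some-other-lib>=3.0
"""

# Releases the article reports as carrying the Mini Shai-Hulud dropper.
KNOWN_BAD_VERSIONS: Dict[str, FrozenSet[str]] = {
    "durabletask": frozenset({"1.4.1", "1.4.2", "1.4.3"}),
}

# Matches exact "name==version" pins; tolerates surrounding whitespace.
PIN_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*(?P<version>[0-9][0-9A-Za-z.]*)"
)


def normalize_name(name: str) -> str:
    """PEP 503 normalization: case-insensitive, runs of '-', '_' and '.' collapse to '-'.
    Without this, 'Durabletask' and 'durabletask' would be compared as different packages."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_pins(text: str) -> List[Tuple[str, str]]:
    """Return (normalized_name, version) for every exact '==' pin in a requirements listing.
    Comment-only, blank and range-specifier lines (>=, ~=) are skipped: a range cannot be
    checked against a fixed list of bad versions without resolving it first."""
    pins: List[Tuple[str, str]] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]  # drop any trailing comment
        m = PIN_RE.match(line)
        if m:
            pins.append((normalize_name(m.group("name")), m.group("version")))
    return pins


def find_compromised(text: str, bad: Dict[str, FrozenSet[str]] = KNOWN_BAD_VERSIONS) -> List[Tuple[str, str]]:
    """Return the pins in a requirements listing that match a known-malicious release."""
    return [(name, version) for name, version in parse_pins(text) if version in bad.get(name, frozenset())]


def find_installed_compromised(bad: Dict[str, FrozenSet[str]] = KNOWN_BAD_VERSIONS) -> List[Tuple[str, str]]:
    """Check the packages actually installed in the running interpreter, not just a pin file.
    Uses importlib.metadata, so it reflects what 'pip freeze' would report for this environment."""
    hits: List[Tuple[str, str]] = []
    for dist in metadata.distributions():
        name = normalize_name(dist.metadata["Name"] or "")
        if dist.version in bad.get(name, frozenset()):
            hits.append((name, dist.version))
    return hits


if __name__ == "__main__":
    for name, version in find_compromised(SAMPLE_REQUIREMENTS):
        print(f"compromised pin in requirements: {name}=={version}")
    for name, version in find_installed_compromised():
        print(f"compromised package installed: {name}=={version}")
```

Running it against the constructed listing flags only durabletask==1.4.2; the 1.4.0 line is reported clean, and the `>=3.0` range is skipped rather than guessed at. In practice the same functions can be fed the output of `pip freeze` from a CI runner or a developer workstation, which is the population the article describes as the entry point.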

    The payload embedded in the affected packages is a dropper that configures itself to fetch and run a second-stage payload from an external server. That second stage activates an infostealer capable of harvesting credentials for major cloud providers, password managers, and developer tools, and of exfiltrating them to an attacker-controlled domain.

    The malware is configured to execute only on Linux systems but can propagate through various means, including AWS SSM (Systems Manager) and Kubernetes. If it detects Israeli or Iranian system settings, there is a 1-in-6 chance that it plays audio and then runs rm -rf /*.

    In response to the breach, GitHub has rotated critical secrets, prioritizing the highest-impact credentials on the affected devices. The company is also investigating the incident to determine its scope and any potential impact on customer information stored outside GitHub's internal repositories.

    The breach serves as a reminder of the importance of software supply chain security and the need for companies to implement robust security measures to prevent such incidents from occurring in the future.

    Related Information:
  • https://www.ethicalhackingnews.com/articles/GitHub-Breach-The-Great-Exfiltration-Heist---How-a-Single-Malicious-Extension-Became-a-Gateway-to-Chaos-ehn.shtml

  • https://thehackernews.com/2026/05/github-investigating-teampcp-claimed.html


  • Published: Wed May 20 05:54:35 2026 by llama3.2 3B Q4_K_M

    © Ethical Hacking News. All rights reserved.