GitHub internal repositories exfiltrated via malicious VS Code extension
The breach has been claimed by the TeamPCP hacking group, which said it is offering the data for sale
GitHub has confirmed that around 3,800 internal repositories have been breached, after a developer unwittingly installed a malicious VS Code extension.
The Microsoft-owned code repository and DevOps platform said the breach was detected on Monday, but that the activity involved exfiltration of GitHub-internal repositories only.
"We have no evidence of impact to customer information stored outside of GitHub's internal repositories, such as our customers' own enterprises, organizations, and repositories," said the firm's chief information security officer, Alexis Wales.
"Some of GitHub's internal repositories contain information from customers, for example, excerpts of support interactions. If any impact is discovered, we will notify customers via established incident response and notification channels."
GitHub said it started rotating critical secrets as soon as it discovered the breach, with the highest-impact credentials prioritized first. It is now analyzing logs, validating secret rotation, and monitoring its infrastructure for any follow-on activity, it said, promising a fuller report once it's finished its investigation.
GitHub hasn't explicitly named the attacker, but made reference to a claim by the TeamPCP hacker group that it had accessed around 3,800 repositories, saying that the number was consistent with its investigation so far.
TeamPCP, which first appeared late last year, is the group linked to the Mini Shai-Hulud worm, and carries out supply chain attacks by stealing CI/CD credentials and using them to publish infected versions of further packages.
The group has reportedly not asked for a ransom for the GitHub data, but is offering the stolen data for sale for $50,000, saying that if it doesn't receive an offer, it will leak it for free.
"This is another reminder that developers are now permanent targets in software supply chain attacks. TeamPCP has shown how a motivated attacker can move through the tools developers trust every day – open source packages, extensions, accounts, and credentials – rather than trying to break in through the front door," said Ilkka Turunen, Field CTO at Sonatype.
"Combined with the acceleration we're already seeing from AI-assisted vulnerability discovery, the window between compromise and exploitation is collapsing. The old assumption was that defenders would have time to identify, prioritize, and respond. That margin is disappearing."
The news came just a day after the Nx Console VS Code extension, which has 2.2 million installs, was briefly backdoored, with the malicious version collecting credentials silently when a developer opened a workspace. The issue was handled swiftly, with the extension pulled within 18 minutes on the VS Code Marketplace and 36 minutes on Open VSX.
"The community's ability to catch and remove malicious packages is real. For extensions with millions of installs, it's also insufficient," commented Shaun Brown, technical product marketer at Aikido Security.
"Caught in 18 minutes and prevented exposure are not the same thing. Minimum package and extension ages are the best way to protect your devices from similar attacks today."
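The minimum-age policy Brown refers to can be enforced mechanically before an extension or package update is allowed onto a developer machine. The script below is an added illustration, not code from the article, from Aikido, or from any marketplace: it takes a constructed list of release versions with publish timestamps (hypothetical data for a hypothetical extension, not real Marketplace or Open VSX records) and selects the newest version that has been public for at least N days, so a release that is only minutes old, the window an attacker relies on, is never picked up automatically. A release with no trustworthy publish time is treated as ineligible rather than assumed safe.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample release metadata for a hypothetical extension.
# These timestamps and versions are made up for the example; they are not
# real Marketplace or Open VSX data.
SAMPLE_RELEASES = [
    {"version": "18.3.0", "published": "2026-03-01T10:00:00Z"},
    {"version": "18.4.0", "published": "2026-03-20T09:30:00Z"},
    {"version": "18.5.0", "published": "2026-03-24T12:00:00Z"},  # hours old
    {"version": "18.5.1", "published": None},                     # publish time unknown
]

# Constructed "current time" so the example is deterministic when run offline.
SAMPLE_NOW = datetime(2026, 3, 25, tzinfo=timezone.utc)


def parse_version(v):
    """Turn '18.4.0' into (18, 4, 0) so versions sort numerically, not lexically."""
    return tuple(int(part) for part in v.split("."))


def parse_published(value):
    """Parse an ISO-8601 UTC timestamp; return None when it is missing or malformed."""
    if not value:
        return None
    try:
        return datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None


def check_release(release, now, min_age_days):
    """Return (allowed, reason) for one release under a minimum-age policy.

    A release whose publish time cannot be established fails closed: the
    policy cannot prove it is old enough, so it is not allowed.
    """
    published = parse_published(release.get("published"))
    if published is None:
        return False, "no trustworthy publish time; fail closed"
    age = now - published
    if age < timedelta(days=min_age_days):
        days = age.total_seconds() / 86400
        return False, f"only {days:.1f} days old (< {min_age_days})"
    return True, f"{age.days} days old"


def select_version(releases, now, min_age_days=7):
    """Newest version that has been public for at least min_age_days, or None."""
    eligible = [r for r in releases if check_release(r, now, min_age_days)[0]]
    if not eligible:
        return None
    return max(eligible, key=lambda r: parse_version(r["version"]))["version"]


if __name__ == "__main__":
    for r in SAMPLE_RELEASES:
        ok, why = check_release(r, SAMPLE_NOW, 7)
        print(f"{r['version']:>8}: {'ALLOW' if ok else 'BLOCK'} ({why})")
    print("pinned version:", select_version(SAMPLE_RELEASES, SAMPLE_NOW, 7))
```

With a seven-day floor the newest eligible release is 18.3.0; the 18.4.0 and 18.5.0 releases are held back until they have aged, and 18.5.1 is never selected because its publish time is unknown. The same gate applies to any registry that exposes per-version publish times; what it buys is time for the community detection Brown describes to act before the version reaches your developers.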
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.