In a nutshell: GitHub was compromised through an infected IDE extension and had approximately 3,800 internal repositories stolen. The hacker group TeamPCP is offering the data for sale. At the same time, a Microsoft Python package was infected with malware that serves as a dropper for additional malicious software.
GitHub confirms unauthorized access to internal repositories following source code theft by the hacker group TeamPCP. The group offered the stolen data for sale for at least $50,000 and threatened to publish it.
GitHub announced on Tuesday that it is investigating unauthorized access to its internal repositories after the notorious hacker group TeamPCP offered source code and internal structures for sale on a cybercrime forum. The Microsoft-owned company emphasizes that it currently has no indication of any compromise of customer data outside its own repository systems and promises to inform customers immediately should new findings emerge.
According to the findings, the security breach was triggered by an infected Microsoft Visual Studio Code extension that was installed on an employee device. Through this, the attackers gained access to approximately 3,800 GitHub internal repositories. The company subsequently rotated all critical credentials and made the response its top priority.
TeamPCP is a criminal group known for a series of attacks on open-source packages. In a message, the group claimed this was not an extortion attempt: “We have no interest in extorting GitHub. If we find a buyer, we delete the data; otherwise we publish it for free.”
Furthermore, the same hacker group compromised Microsoft’s Python package “durabletask.” Three manipulated versions (1.4.1, 1.4.2, and 1.4.3) were identified. The malware is an evolution of previous attacks and serves as a so-called dropper that downloads and executes additional malicious software from external servers.