<![CDATA[(sophos.com) GitHub Confirms Internal Breach via Malicious VS Code Extension by TeamPCP Threat Actor]]>

<![CDATA[(sophos.com) GitHub Confirms Internal Breach via Malicious VS Code Extension by TeamPCP Threat Actor]]>(sophos.com) GitHub Confirms Internal Breach via Malicious VS Code Extension by TeamPCP Threat Actor

GitHub confirmed an internal breach by TeamPCP/UNC6780 via a trojanized VS Code extension, leading to the theft of 3,800 internal repositories. No customer data was impacted, but stolen code was listed for sale on cybercrime forums.

In brief - GitHub suffered an internal breach after a malicious VS Code extension harvested credentials, enabling threat actor TeamPCP to exfiltrate 3,800 proprietary repositories. The incident underscores risks in developer tooling and supply chain security.

Technically - TeamPCP gained initial access via a malicious VS Code extension (T1555/T1003), harvesting credentials to clone internal repos (T1078). The actor abused CI/CD pipelines (T1608.004) and used self-propagating malware like CanisterWorm (T1210/T1105). GitHub mitigated by rotating secrets, isolating endpoints, and removing the extension. Recommendations include auditing IDE extensions, hunting for anomalies, and enforcing short-lived tokens.

Source: https://www.sophos.com/en-us/blog/github-internal-repositories-breached

#Cybersecurity #ThreatIntel

]]>https://board.circlewithadot.net/topic/8632dea2-740e-4dde-aded-213179eb08bc/sophos.com-github-confirms-internal-breach-via-malicious-vs-code-extension-by-teampcp-threat-actorRSS for NodeMon, 25 May 2026 08:07:34 GMTThu, 21 May 2026 14:02:35 GMT60