(sophos.com) GitHub Confirms Internal Breach via Malicious VS Code Extension by TeamPCP Threat Actor
-
GitHub confirmed an internal breach by TeamPCP/UNC6780 via a trojanized VS Code extension, leading to the theft of 3,800 internal repositories. No customer data was impacted, but stolen code was listed for sale on cybercrime forums.
In brief - GitHub suffered an internal breach after a malicious VS Code extension harvested credentials, enabling threat actor TeamPCP to exfiltrate 3,800 proprietary repositories. The incident underscores risks in developer tooling and supply chain security.
Technically - TeamPCP gained initial access through a malicious VS Code extension that harvested credentials from the developer endpoint (T1555/T1003); the stolen credentials were then used as valid accounts (T1078) to clone internal repositories. The actor also abused CI/CD pipelines and deployed self-propagating malware, CanisterWorm (T1210/T1105). GitHub responded by rotating secrets, isolating affected endpoints, and removing the extension. Recommended mitigations: audit IDE extensions against a known-good list, hunt for anomalies, and enforce short-lived tokens.
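The extension audit recommended above, as an added example that is not part of the Sophos post or GitHub's own tooling: it parses the output of `code --list-extensions --show-versions` (one `publisher.name@version` per line) and flags anything outside an allowlist. The allowlist, the `audit`/`parse_listing` names and the sample listing are assumptions constructed for this example; comparison is case-insensitive, since the Marketplace treats extension IDs that way.

```python
"""Audit installed VS Code extensions against an allowlist.

Input is the text printed by `code --list-extensions --show-versions`,
one `publisher.name@version` line per extension. Added example; the
allowlist and sample data below are constructed, not from the incident.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple, Union

# Hypothetical allowlist: publisher -> set of extension names, or "*" to
# accept every extension from that publisher. Keys are lower-case.
ALLOWLIST: Dict[str, Union[Set[str], str]] = {
    "ms-python": {"python"},
    "ms-vscode": "*",
}

# publisher.name[@version]; publisher and name cannot contain '@' or whitespace
LINE_RE = re.compile(
    r"^(?P<publisher>[^.@\s]+)\.(?P<name>[^@\s]+)(?:@(?P<version>\S+))?$"
)


@dataclass(frozen=True)
class Finding:
    extension_id: str
    version: Optional[str]
    reason: str


def parse_listing(text: str) -> List[Tuple[str, str, Optional[str]]]:
    """Return (publisher, name, version) per line; blanks skipped, junk kept."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            # Unparseable line: surface it instead of silently dropping it
            out.append(("?", line, None))
            continue
        out.append((m["publisher"].lower(), m["name"].lower(), m["version"]))
    return out


def audit(text: str, allowlist=ALLOWLIST) -> List[Finding]:
    """Flag extensions whose publisher or name is not on the allowlist."""
    findings = []
    for publisher, name, version in parse_listing(text):
        if publisher == "?":
            findings.append(Finding(name, None, "unparseable listing line"))
            continue
        ext_id = f"{publisher}.{name}"
        allowed = allowlist.get(publisher)
        if allowed is None:
            findings.append(Finding(ext_id, version, "publisher not in allowlist"))
        elif allowed != "*" and name not in allowed:
            findings.append(
                Finding(ext_id, version, "extension not in allowlist for this publisher")
            )
    return findings


def audit_local_install() -> List[Finding]:
    """Run the real `code` CLI (assumed to be on PATH) and audit its output."""
    proc = subprocess.run(
        ["code", "--list-extensions", "--show-versions"],
        capture_output=True, text=True, check=True,
    )
    return audit(proc.stdout)


# Constructed sample listing (hypothetical names, not real telemetry).
SAMPLE_LISTING = """\
ms-python.python@2024.4.1
MS-VSCode.cpptools@1.20.5
some-publisher.helper-tools@0.0.3
ms-python.black-formatter@2024.2.0
garbage line
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_LISTING):
        print(f"{f.extension_id} ({f.version}): {f.reason}")
```

Run `audit_local_install()` on a developer workstation to check the real install; anything it returns is a candidate for removal or review, and a publisher the team has never heard of is the first thing to look at.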
Source: https://www.sophos.com/en-us/blog/github-internal-repositories-breached
-
R relay@relay.infosec.exchange shared this topic