Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124

The software supply chain attack, in which hackers corrupt legitimate software so that it carries their malicious code, was once uncommon. It has since plagued the world of cybersecurity as a stealthy threat that can turn any innocent piece of software into a foothold on a victim’s network. Now one group of cybercriminals has turned these occasional horrors into weekly events, compromising hundreds of open-source packages, extorting victims for profit, and sowing a new level of distrust across the entire world of programming.
On Tuesday night, the open source platform GitHub announced that it had been breached by hackers in exactly such an attack: a GitHub developer installed a poisoned extension for VSCode, a plug-in for the widely used code editor that, like GitHub itself, belongs to Microsoft. As a result, the hackers responsible, an increasingly prolific group known as TeamPCP, reportedly gained access to nearly 4,000 GitHub repositories. GitHub’s statement said it had so far confirmed access to at least 3,800 repositories and that, based on what it had found so far, they all contained GitHub’s own code rather than customer code.
“We are here today to promote GitHub sources and internal vendor orgs,” TeamPCP posted on BreachForums, a forum and marketplace for cybercriminals. “Everything for the main platform is available and I am happy to send samples to interested buyers to confirm the authenticity.”
The GitHub breach is only the latest in a long-running series of software supply chain attacks. According to the cybersecurity company Socket, which focuses on software supply chain security, TeamPCP has carried out 20 “waves” of attacks in the past few months, hiding malware in more than 500 packages, or more than a thousand counting all the distinct pieces of code TeamPCP has compromised.
The malware allowed the TeamPCP hackers to breach hundreds of companies that installed the compromised software, says Ben Read, who heads threat intelligence at the cloud security firm Wiz. GitHub is the latest in a long list of victims that has also included the AI firm Anthropic and the data processing company Mercor. “It could be pretty big,” Read says of the GitHub breach. “But each of these is a very serious business for the industry as it happens. It’s no different than the 14 breaches that happened last week.”
TeamPCP’s core strategy has been a cyclical attack on developers: the hackers gain access to the development of an open-source tool used by coders, for example the VSCode extension that led to the GitHub breach, or the AntV data visualization project that TeamPCP hacked earlier this week. They plant malware in that tool, which then ends up on other software developers’ machines, including the machines of people who build yet more coding tools.
The malware lets the TeamPCP hackers steal information that allows them to publish malicious versions of the tools those developers maintain, too. The cycle repeats, and TeamPCP’s collection of compromised networks grows. “It’s the flexibility of the supply chain,” says Read. “This just keeps happening, and it’s become a very successful way to access networks and steal things.”
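The cycle described in the two paragraphs above can be made concrete with a small model. The following Python is an added example, not code from the article or from any tool or group it describes; the developer names, the package names, the install and maintainer relationships, and the notion of a “protected” package whose publish flow does not depend on a long-lived credential sitting on a developer’s machine are all constructed assumptions for illustration.

```python
"""Illustrative model of a cyclical supply chain compromise.

A developer installs a compromised tool, the malware on that machine steals
whatever publish credentials are stored there, and those credentials are used
to poison every package the developer maintains, which reaches more developers.
Everything below (names, graph, the "protected" notion) is constructed for
this example and does not describe any real project.
"""
from collections import deque

# Constructed example: which developers install which packages.
INSTALLS = {
    "alice": {"vscode-ext", "viz-lib"},
    "bob": {"viz-lib"},
    "carol": {"build-tool"},
    "dave": {"cli-helper"},
}

# Constructed example: which packages each developer holds publish rights for.
MAINTAINS = {
    "alice": {"build-tool"},
    "bob": {"cli-helper"},
    "carol": {"viz-lib"},
    "dave": {"unrelated-lib"},
}


def propagate(seed_packages, installs, maintains, protected=frozenset()):
    """Return (compromised_packages, compromised_developers) reachable from
    seed_packages by breadth-first search over the install/maintain graph.

    A developer is compromised when they install a compromised package.
    A package is compromised when a compromised developer maintains it and the
    package is not in `protected`. `protected` is an assumption of this model:
    a package whose publishing does not rely on a reusable credential stored on
    the developer's machine, so a stolen credential cannot push a new version.
    """
    compromised_pkgs = set(seed_packages)
    compromised_devs = set()
    queue = deque(seed_packages)
    while queue:
        pkg = queue.popleft()
        # Every developer who installs the poisoned package is infected.
        for dev, installed in installs.items():
            if pkg in installed and dev not in compromised_devs:
                compromised_devs.add(dev)
                # Their stolen credentials poison the packages they publish.
                for owned in maintains.get(dev, ()):
                    if owned not in compromised_pkgs and owned not in protected:
                        compromised_pkgs.add(owned)
                        queue.append(owned)
    return compromised_pkgs, compromised_devs


def blast_radius(seed_packages, protected=frozenset()):
    """Convenience wrapper over the constructed graph: number of packages and
    developers reached from the seed."""
    pkgs, devs = propagate(seed_packages, INSTALLS, MAINTAINS, protected)
    return len(pkgs), len(devs)


if __name__ == "__main__":
    seed = {"vscode-ext"}
    print("no protection:", propagate(seed, INSTALLS, MAINTAINS))
    print("viz-lib protected:",
          propagate(seed, INSTALLS, MAINTAINS, protected={"viz-lib"}))
```

In the constructed graph a single poisoned extension reaches every package and every developer, because each infected machine holds credentials for the next package in the chain. Marking one package in the middle (`viz-lib`) as protected halts everything downstream of it, which is the point of the model: the cycle is only as long as the run of packages whose publish credentials can be lifted from a developer workstation.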
Recently, the group appears to have outsourced much of its work to a self-propagating worm known as Mini Shai-Hulud. The name comes from a GitHub repository the worm creates to hold confidential information stolen from its victims; the repository includes the words “Mini Shai-Hulud Appears” along with several other references to the sci-fi novel Dune. The message appears to nod not just to Dune’s sandworms but to a similar supply chain compromise worm called Shai-Hulud that appeared in September, although there is no evidence that TeamPCP was behind that earlier self-propagating malware.