GitHub is investigating an incident involving unauthorized access to its internal repositories after a hacking group called TeamPCP put the service’s source code up for sale for $50,000. The attackers claim to have gained access to about 4,000 of the company’s internal repositories.
GitHub is investigating an incident involving unauthorized access to its internal repositories after a hacking group called TeamPCP put the service’s source code up for sale for $50,000. The attackers claim to have gained access to about 4,000 of the company’s internal repositories.
As Hacker News reports, citing GitHub, there is currently no evidence that the incident affected customer data stored outside of the platform’s internal repositories. However, the company is actively monitoring its infrastructure and has already begun revoking compromised credentials.
The leak was caused by a hacked employee’s computer using a malicious extension for the Microsoft Visual Studio Code development environment. While GitHub has not officially named the extension, experts have linked the incident to the recent Nx Console compromise, where attackers implemented a tool to steal developer credentials.
«Our current assessment is that this activity involved the leakage of only internal GitHub repositories. The attacker’s current claims of approximately 3,800 repositories in total are consistent with our investigation,» GitHub said.
The TeamPCP hackers themselves stated on a cybercrime forum that they have no plans to blackmail GitHub or demand a ransom: «We don’t care about extorting money from GitHub. One buyer and we’ll destroy the data on our side. It looks like we’re going to retire soon, so if no buyer is found, we’ll make it public for free.»
This incident is part of a broader and more dangerous campaign by TeamPCP targeting software supply chains. In particular, the group compromised Microsoft’s official Python client for the Durable Task framework (durabletask package on PyPI), which is downloaded over 417,000 times per month. After obtaining an access token through previously stolen developer secrets, the hackers downloaded malicious versions of the package that automatically run malware upon import.
According to cybersecurity researchers from Wiz and SafeDep, this software runs on Linux systems and aims to steal passwords from 1Password and Bitwarden, SSH keys, AWS and Kubernetes cloud credentials. Moreover, the software contains a specific destructive function: if an Israeli or Iranian locale is detected (but at the same time ignores Russian-speaking systems) in the system settings, with a probability of 1 in 6, the virus will play an audio file, after which it will completely destroy all data on the disk.
