A Hacker Group Is Poisoning Open Source Code at an Unprecedented Scale

A so-called software supply chain attack, in which hackers corrupt legitimate software to hide their own malicious code, was once a relatively rare event, but one that haunted the cybersecurity world with its insidious threat of turning any innocent application into a dangerous anchor in a victim’s network. Now, a group of cybercriminals has turned this occasional nightmare into a near-weekly episode, corrupting hundreds of open source tools, extorting victims for profit, and sowing a new level of distrust throughout an entire ecosystem used to create the world’s software.

On Tuesday evening, the open source code platform GitHub announced that it had been hacked by hackers in one of these software supply chain attacks: a GitHub developer had installed a “poisoned” extension for VSCode, a plug-in for a commonly used code editor that, like GitHub itself, is owned by Microsoft. As a result, the hackers behind the breach, an increasingly notorious group called TeamPCP, claim to have accessed approximately 4,000 of GitHub’s code repositories. GitHub’s statement confirmed that it had found at least 3,800 compromised repositories while noting that, based on its findings so far, they all contained GitHub’s own code, not that of customers.

“We are here today to announce the sale of GitHub source code and internal organizations,” TeamPCP wrote on BreachForums, a forum and marketplace for cybercriminals. “Everything for the main platform is here and I am very happy to send samples to interested buyers to verify absolute authenticity.”

The GitHub breach is just the latest incident in what has become the longest wave of software supply chain attacks ever, with no end in sight. According to cybersecurity firm Socket, which focuses on software supply chains, in the last few months alone TeamPCP has carried out 20 “waves” of supply chain attacks that have hidden malware in more than 500 separate pieces of software, or well over a thousand when counting all the different versions of the code TeamPCP hijacked.

These corrupted pieces of code allowed TeamPCP hackers to hack hundreds of companies that installed the software, says Ben Read, manager of strategic threat intelligence at cloud security company Wiz. GitHub is just the latest in the group’s long list of victims, which also includes AI company Anthropic and data outsourcing company Mercor. “That might be their biggest problem,” Read says of the GitHub breach. “But each of these violations represents a big problem for the company where it occurs. It’s not qualitatively different from the 14 violations that occurred last week.”

TeamPCP’s main tactic has become a kind of cyclical exploitation of software developers: hackers gain access to a network where an open source tool commonly used by coders is developed, for example the VSCode extension that led to the GitHub breach or the AntV data visualization software that TeamPCP hijacked earlier this week. Hackers install malware into the tool that ends up on the machines of other software developers, including some who write other tools intended for use by coders.

The malware allows TeamPCP hackers to steal credentials that allow them to release malicious versions of those software development tools as well. The cycle repeats itself and TeamPCP’s collection of breached networks grows. “It’s a trade-off in the supply chain,” says Read. “It’s self-perpetuating, and it’s an extremely effective way to access networks and steal things.”

More recently, the group appears to have automated many of its software supply chain attacks with a self-propagating worm known as Mini Shai-Hulud. The name comes from GitHub repositories created by the worm that include encrypted credentials stolen from victims, each including the phrase “A Mini Shai-Hulud has appeared” along with a handful of other references to the science fiction novel. Dune. This message, in turn, appears to be a reference not only to Dunebut to a similar supply chain-compromising worm, known as Shai-Hulud, that appeared in September, although there is no evidence that TeamPCP was the source of this earlier self-propagating malware.