Hackers Poison Open Source Code at Unprecedented Scale

A software supply chain attack, where hackers secretly inject malicious code into a trusted application, was once a rare but deeply feared event in cybersecurity. Now, one cybercriminal group has transformed that occasional nightmare into an almost weekly occurrence, poisoning hundreds of open source tools, extorting victims for profit, and eroding trust in the foundational software ecosystem used to build nearly everything online.

Late Tuesday, GitHub, the leading open source code platform, disclosed a breach linked to this very tactic. A developer inadvertently installed a poisoned VSCode extension,a plugin for the popular code editor also owned by Microsoft. The attackers, a rising threat group called TeamPCP, claim to have accessed roughly 4,000 of GitHub’s code repositories. GitHub confirmed finding at least 3,800 compromised repositories but stated these contained only the company’s own code, not customer data.

“We are here today to advertise GitHub’s source code and internal orgs for sale,” TeamPCP wrote on BreachForums, a cybercriminal marketplace. “Everything for the main platform is there and I am very happy to send samples to interested buyers to verify absolute authenticity.”

This GitHub incident marks the latest in what cybersecurity experts describe as the longest-running spree of software supply chain attacks on record. According to Socket, a firm specializing in supply chain security, TeamPCP has executed 20 distinct “waves” of attacks in recent months, hiding malware in over 500 separate software packages,or more than a thousand if counting every hijacked version.

Those tainted code packages have allowed TeamPCP to breach hundreds of organizations, notes Ben Read, strategic threat intelligence lead at cloud security firm Wiz. Beyond GitHub, the group’s victims include AI company Anthropic and data contracting firm Mercor. “It may be their biggest one,” Read says of the GitHub breach, “but each one of these is a big deal for the company that it happens to. It’s not qualitatively different from the 14 breaches that happened last week.”

TeamPCP’s core strategy is a cyclical exploitation of developers. The hackers first gain access to a network where a commonly used open source tool is being developed,like the VSCode extension or the data visualization library AntV hijacked earlier this week. They plant malware that infects other developers’ machines, including those writing tools intended for coders. The malware then steals credentials, enabling TeamPCP to publish malicious versions of those tools as well. The cycle repeats, and the group’s collection of breached networks grows. “It’s a flywheel of supply chain compromises,” says Read. “It’s self-perpetuating, and it’s been a hugely successful way to get access to networks and steal stuff.”

Recently, TeamPCP appears to have automated many of these attacks with a self-spreading worm called Mini Shai-Hulud. The name comes from GitHub repositories the worm creates, which contain encrypted credentials stolen from victims. Each repository includes the phrase “A Mini Shai-Hulud Has Appeared,” along with other references to the sci-fi novel Dune. This appears to echo a similar supply chain worm named Shai-Hulud from September, though there’s no evidence linking TeamPCP to that earlier malware.