Key Takeaways
- GitHub is investigating a breach of its internal repositories after threat actor TeamPCP offered the source code for sale on a cybercrime forum.
- No evidence currently indicates that customer data stored outside GitHub’s internal systems was compromised, but the company is monitoring for follow‑on activity.
- The intrusion appears to have originated from a compromised employee device via a poisoned Microsoft Visual Studio Code extension; critical secrets have been rotated.
- TeamPCP also distributed malicious versions of the
durabletaskPyPI package, which contain a Linux‑only infostealer capable of harvesting cloud credentials, password‑manager vaults, SSH keys, and more. - The malware propagates autonomously to other EC2 instances or Kubernetes pods and can wipe systems on machines with Iranian or Israeli locale settings.
- Any environment that installed the compromised
durabletaskversions should be treated as fully compromised and rotated credentials immediately.
GitHub Announces Investigation of Unauthorized Access
On Tuesday, GitHub disclosed that it is investigating unauthorized access to its internal repositories after the notorious threat actor TeamPCP listed the platform’s source code and internal organizations for sale on a cybercrime forum. The company emphasized that, as of now, there is no evidence that customer information stored outside of GitHub’s internal repositories—such as data belonging to enterprises, organizations, or individual users—has been affected. Nevertheless, GitHub stated it is closely monitoring its infrastructure for any follow‑on activity and will notify customers through established incident‑response channels if any impact is discovered.
Details of the Alleged Data Dump and Threat Actor’s Motives
TeamPCP advertised the alleged data dump, claiming it contains roughly 4,000 repositories, with an asking price of no less than $50,000. In a post shared on a cybercrime forum and captured by Dark Web Informer, the group declared, “As always, this is not a ransom. We do not care about extorting GitHub, 1 buyer and we shred the data on our end.” The actor hinted that if no buyer emerged, the data would be leaked for free, framing the act as a kind of “retirement” gesture.
Root Cause: Compromised Employee Device via Malicious VS Code Extension
In a follow‑up update on X (formerly Twitter), GitHub revealed that the breach stemmed from a compromised employee device that had been infected through a poisoned Microsoft Visual Studio Code extension. As an immediate risk‑mitigation step, the company rotated critical secrets and prioritized the highest‑impact credentials for replacement. GitHub’s current assessment indicates that the attacker’s activity was limited to exfiltration of GitHub‑internal repositories only, and the claim of approximately 3,800 repositories accessed aligns directionally with the ongoing investigation.
TeamPCP’s Retaliatory Comments and Ongoing Tension
An X account linked to TeamPCP, @xploitrsturtle2, responded to GitHub’s disclosure with a accusatory statement: “GitHub knew for hours, they delayed telling you and they won’t be honest in the future. What an amazing run, it’s been an honor to play around with the cats over the past few months.” The remark suggests the threat actor believes GitHub delayed public disclosure and hints at a lingering adversarial relationship, though GitHub has not confirmed any delay in its own timeline.
Supply‑Chain Attack: Compromise of the durabletask PyPI Package
Separately, news of the sale coincided with TeamPCP’s ongoing self‑replicating malware campaign, dubbed “Mini Shai‑Hulud,” which has now compromised the durabletask Python package—an official Microsoft client for the Durable Task workflow execution framework. Three malicious versions (1.4.1, 1.4.2, and 1.4.3) were identified. According to security firm Wiz, the attacker first gained access to a GitHub account via a prior breach, extracted GitHub secrets from a repository the user could access, and then used those secrets to obtain a PyPI token, enabling the publication of the tainted packages directly to the Python Package Index.
Malware Functionality: Infostealer and Propagation Mechanisms
The malicious durabletask versions contain a dropper that fetches and executes a second‑stage payload named rope.pyz from an external server (check.git-service[.]com). This payload is an evolved infostealer designed to run exclusively on Linux systems. It harvests credentials from major cloud providers, password managers (including 1Password and Bitwarden), SSH keys, Docker credentials, VPN configurations, and shell history. Additionally, it attempts to read HashiCorp Vault KV secrets.
Propagation logic varies by environment: on AWS, the malware uses SSM’s SendCommand to copy itself to up to five other EC2 instances per profile; inside Kubernetes, it spreads via kubectl exec. Notably, if the infected machine detects Israeli or Iranian system settings, there is a one‑in‑six chance it will play an audio clip and then execute rm -rf /*, effectively wiping the host. The malware also employs a FIRESCALE mechanism—scanning public GitHub commit messages for the pattern “FIRESCALE ” to locate a backup command‑and‑control server should the primary domain become unreachable.
Impact Assessment and Recommended Mitigations
Because the worm propagates using tokens stolen from already‑compromised environments, the number of affected packages and systems is expected to grow. Endor Labs researcher Peyton Kennedy noted that the durabletask package is downloaded roughly 417,000 times each month, and the malicious code executes automatically upon import, without any error messages or visible signs of compromise. Consequently, any machine or CI/CD pipeline that installed one of the compromised versions should be treated as fully compromised. Organizations are advised to immediately remove the malicious packages, rotate all potentially exposed secrets (including cloud access keys, service tokens, and passwords), and audit their systems for signs of the infostealer or lateral movement. Continuous monitoring for anomalous SSM or kubectl activity, as well as verification of commit messages for FIRESCALE patterns, can help detect further spread.
Conclusion
The recent events underscore the evolving sophistication of supply‑chain threats, where a single compromised developer account can lead to the exfiltration of internal source code, the distribution of malicious open‑source packages, and widespread credential theft. GitHub’s prompt rotation of secrets and transparent communication are positive steps, but the incident highlights the need for rigorous dependency verification, secrets management, and endpoint protection across the software development lifecycle. By treating any environment that encountered the tainted durabletask packages as compromised and applying the remediation measures outlined above, organizations can mitigate the risk of further damage from this campaign.