GitHub, a Microsoft-owned platform, confirmed it is investigating a security incident involving unauthorized access to internal repositories after a threat actor known as TeamPCP claimed to have exfiltrated and attempted to sell GitHub source code.

According to the company:

  • No evidence of compromise to customer-owned repositories or organizations has been found
  • Internal repositories appear to be the only affected assets
  • Monitoring for follow-on activity is ongoing

GitHub stated it will notify impacted customers through established incident response channels if additional exposure is discovered.

Alleged Data Sale

The threat actor reportedly listed GitHub internal source code for sale on a cybercrime forum for:

  • $50,000 minimum asking price

The alleged leak includes:

  • ~3,800 to 4,000 internal repositories (claims vary)
  • Internal GitHub organization data
  • Source code components

The group stated:

“This is not a ransom… we do not care about extorting GitHub.”

Instead, they claim the data will be sold to a single buyer or publicly leaked if no buyer is found.

Initial Attack Vector

GitHub confirmed that the intrusion involved:

  • Compromise of an employee device
  • Use of a poisoned Microsoft Visual Studio Code extension
  • Exfiltration of internal repository data
  • Rotation of critical internal secrets following detection

The specific extension has not been publicly disclosed, though researchers noted similarities to recent supply chain attacks involving compromised developer tooling.

Related Supply Chain Activity

The incident is part of a broader campaign attributed to TeamPCP, a threat actor known for targeting:

  • Open-source package ecosystems (npm, PyPI)
  • CI/CD pipelines
  • Developer tooling environments
  • Cloud credentials and secrets

Alt text

Security researchers link the group to multiple recent supply chain compromises across widely used open-source projects.

Compromised PyPI Package: durabletask

In parallel with the GitHub incident, TeamPCP is also linked to a compromise of:

  • durabletask (Microsoft Python client for Durable Task framework)

Malicious Versions Identified

  • 1.4.1
  • 1.4.2
  • 1.4.3

Payload Behavior

The malicious package contains a dropper that:

  • Executes automatically on import
  • Downloads a second-stage payload (rope.pyz)
  • Contacts external command-and-control infrastructure

Example C2 domain:

  • check.git-service[.]com

The payload deploys a Linux-targeted infostealer designed to harvest:

  • Cloud credentials (AWS, etc.)
  • Password manager data (1Password, Bitwarden)
  • SSH keys
  • Docker credentials
  • VPN configurations
  • Shell history
  • HashiCorp Vault secrets

Propagation Mechanisms

Researchers report the malware includes self-propagation capabilities:

AWS propagation

  • Uses AWS SSM SendCommand
  • Executes payload on up to 5 EC2 instances per profile

Kubernetes propagation

  • Spreads via kubectl exec

Backup C2 discovery (FIRESCALE)

  • Extracts hidden C2 URLs from GitHub commit messages using:
  • FIRESCALE <base64_url>.<base64_signature>

Geographic Trigger Logic

The malware reportedly includes destructive or disruptive logic:

  • Detects Israeli or Iranian systems
  • 1-in-6 chance of executing destructive commands (rm -rf /*)

Scale of Impact

Security researchers estimate:

  • ~417,000 monthly downloads of affected package versions
  • Automatic execution upon import (no user interaction required)

This makes the incident a high-impact supply chain compromise affecting CI/CD pipelines and cloud environments globally.

Security Assessment

Researchers from multiple security firms report:

  • The campaign is evolving rapidly
  • Stolen tokens are reused to compromise additional packages
  • Infection chains are expanding automatically via developer trust relationships

Any system that installed affected package versions should be considered:

Fully compromised

Conclusion

The TeamPCP campaign represents a significant escalation in software supply chain attacks, combining:

  • Developer tooling compromise
  • Cloud credential theft
  • Self-propagating malware behavior
  • Internal platform breach claims

GitHub’s ongoing investigation and the widespread nature of the infected Python package highlight the increasing risk of dependency-based attacks in modern software ecosystems.

Organizations are urged to:

  • Audit installed dependencies immediately
  • Rotate exposed credentials
  • Review CI/CD and developer workstation security
  • Monitor for unauthorized repository access or token misuse