GitHub, a Microsoft-owned platform, confirmed it is investigating a security incident involving unauthorized access to internal repositories after a threat actor known as TeamPCP claimed to have exfiltrated and attempted to sell GitHub source code.
According to the company:
- No evidence of compromise to customer-owned repositories or organizations has been found
- Internal repositories appear to be the only affected assets
- Monitoring for follow-on activity is ongoing
GitHub stated it will notify impacted customers through established incident response channels if additional exposure is discovered.
Alleged Data Sale
The threat actor reportedly listed GitHub internal source code for sale on a cybercrime forum for:
- $50,000 minimum asking price
The alleged leak includes:
- ~3,800 to 4,000 internal repositories (claims vary)
- Internal GitHub organization data
- Source code components
The group stated:
“This is not a ransom… we do not care about extorting GitHub.”
Instead, they claim the data will be sold to a single buyer or publicly leaked if no buyer is found.
Initial Attack Vector
GitHub confirmed that the intrusion involved:
- Compromise of an employee device
- Use of a poisoned Microsoft Visual Studio Code extension
- Exfiltration of internal repository data
- Rotation of critical internal secrets following detection
The specific extension has not been publicly disclosed, though researchers noted similarities to recent supply chain attacks involving compromised developer tooling.
Related Supply Chain Activity
The incident is part of a broader campaign attributed to TeamPCP, a threat actor known for targeting:
- Open-source package ecosystems (npm, PyPI)
- CI/CD pipelines
- Developer tooling environments
- Cloud credentials and secrets

Security researchers link the group to multiple recent supply chain compromises across widely used open-source projects.
Compromised PyPI Package: durabletask
In parallel with the GitHub incident, TeamPCP is also linked to a compromise of:
- durabletask (Microsoft Python client for Durable Task framework)
Malicious Versions Identified
- 1.4.1
- 1.4.2
- 1.4.3
Payload Behavior
The malicious package contains a dropper that:
- Executes automatically on import
- Downloads a second-stage payload (
rope.pyz) - Contacts external command-and-control infrastructure
Example C2 domain:
check.git-service[.]com
The payload deploys a Linux-targeted infostealer designed to harvest:
- Cloud credentials (AWS, etc.)
- Password manager data (1Password, Bitwarden)
- SSH keys
- Docker credentials
- VPN configurations
- Shell history
- HashiCorp Vault secrets
Propagation Mechanisms
Researchers report the malware includes self-propagation capabilities:
AWS propagation
- Uses AWS SSM
SendCommand - Executes payload on up to 5 EC2 instances per profile
Kubernetes propagation
- Spreads via
kubectl exec
Backup C2 discovery (FIRESCALE)
- Extracts hidden C2 URLs from GitHub commit messages using:
FIRESCALE <base64_url>.<base64_signature>
Geographic Trigger Logic
The malware reportedly includes destructive or disruptive logic:
- Detects Israeli or Iranian systems
- 1-in-6 chance of executing destructive commands (
rm -rf /*)
Scale of Impact
Security researchers estimate:
- ~417,000 monthly downloads of affected package versions
- Automatic execution upon import (no user interaction required)
This makes the incident a high-impact supply chain compromise affecting CI/CD pipelines and cloud environments globally.
Security Assessment
Researchers from multiple security firms report:
- The campaign is evolving rapidly
- Stolen tokens are reused to compromise additional packages
- Infection chains are expanding automatically via developer trust relationships
Any system that installed affected package versions should be considered:
Fully compromised
Conclusion
The TeamPCP campaign represents a significant escalation in software supply chain attacks, combining:
- Developer tooling compromise
- Cloud credential theft
- Self-propagating malware behavior
- Internal platform breach claims
GitHub’s ongoing investigation and the widespread nature of the infected Python package highlight the increasing risk of dependency-based attacks in modern software ecosystems.
Organizations are urged to:
- Audit installed dependencies immediately
- Rotate exposed credentials
- Review CI/CD and developer workstation security
- Monitor for unauthorized repository access or token misuse