A group of hackers is poisoning open source code on an unprecedented scale


So-called software supply chain attacks, where hackers corrupt a legitimate piece of software to hide their malicious code, were once relatively rare events that nonetheless haunted the world of cybersecurity with their insidious threat to turn any innocent application into a dangerous foothold in a victim’s network. Now one group of cybercriminals has turned this occasional nightmare into a near-weekly episode, corrupting hundreds of open source tools, extorting victims for profit, and sowing a new level of distrust in the entire ecosystem used to create the world’s software.

On Tuesday night, the open source code platform GitHub announced that it had been compromised by hackers in one such attack on the software supply chain: a GitHub developer installed a “poisoned” extension for VSCode, a plug-in for a commonly used code editor that, like GitHub itself, is owned by Microsoft. As a result, the hackers behind the breach, an increasingly notorious group called TeamPCP, claim to have gained access to around 4,000 GitHub code repositories. GitHub’s statement confirmed that it had found at least 3,800 compromised repositories, noting that, based on its findings so far, all of them contained GitHub’s own code, not customer code.

“We are here today to announce the GitHub source code and internal organizations for sale,” TeamPCP wrote on BreachForums, a forum and marketplace for cybercriminals. “Everything for the flagship is there and I am very happy to send samples to interested buyers to verify their absolute authenticity.”

The GitHub hack is just the latest incident in what has become the longest wave of attacks on the software supply chain ever, with no end in sight. According to cybersecurity firm Socket, which focuses on software supply chains, in the past few months alone, TeamPCP has carried out 20 “waves” of supply chain attacks that hid malware in more than 500 different pieces of software, or more than a thousand counting all the different versions of code hijacked by TeamPCP.

These tainted pieces of code allowed TeamPCP hackers to compromise hundreds of companies that installed the software, says Ben Reid, who leads strategic threat intelligence at cloud security company Wiz. GitHub is the latest in the group’s long list of victims, which has also included artificial intelligence company Anthropic and data contracting firm Mercor. “This may be their biggest hack,” Reid says of the GitHub breach. “But each of these breaches represents a significant problem for the company to which it occurs. And they are not qualitatively different from the 14 breaches that occurred last week.”

TeamPCP’s primary tactic has become a recurring hazard for software developers: the hackers gain access to a network where an open source tool commonly used by programmers is developed, for example the VSCode extension that led to the GitHub breach, or the data visualization software AntV that TeamPCP hijacked earlier this week. They then plant malware in the tool, and that malware ends up on the machines of other software developers, including some who write other tools intended for use by programmers.

The malware allows TeamPCP hackers to steal credentials that in turn let them deploy malicious versions of those software development tools as well. The cycle repeats, and TeamPCP’s collection of compromised networks grows. “It’s a flywheel of compromises in the supply chain,” Reid says. “It’s a self-perpetuating process, and it’s been a very successful way to get into networks and steal stuff.”

More recently, the group appears to have automated several of its software supply chain attacks using a self-propagating worm that became known as Mini Shai-Hulud. The name comes from the GitHub repositories created by the worm to hold encrypted credentials stolen from victims, each of which included the phrase “A little immortality tea appeared” as well as a few other references to the sci-fi novel Dune. That name, in turn, seems to refer not only to the sandworms of Dune but also to a supply chain compromise worm known as Shai-Hulud that appeared in September, although there is no evidence that TeamPCP was behind that earlier self-propagating malware.
