Critical

CA-A-26-005 Update 6: GitHub Internal Repositories Compromised via TeamPCP Supply Chain Attack

By Adversary Tactics and Intelligence Team

Supply Chain Attack, VS Code Extension, Credential Harvesting, TeamPCP, UNC6780, Python, npm

Source Material: GitHub on X | Technology: GitHub, VS Code, CI/CD, Python, npm | Targeted Industries: Technology, Software Development, Opportunistic

Executive Summary

On May 20, 2026, GitHub confirmed a supply chain breach affecting roughly 3,800 internal repositories. The attack is attributed to a financially motivated threat group known as TeamPCP (UNC6780). The compromise reportedly began on May 19 when a GitHub employee installed a malicious Visual Studio Code (VS Code) extension. Operating with the developer’s privileges, the extension bypassed endpoint security to steal active credentials, SSH keys, and cloud secrets. The attackers immediately used these secrets to clone the company’s internal codebases.

GitHub incident response teams report that they have isolated the endpoint, removed the extension, and rotated critical secrets. Forensic assessments show the exfiltration was limited to internal organizational repositories. Currently, no evidence indicates that customer data, enterprise environments, or private user repositories were accessed. Following the theft, TeamPCP listed the proprietary source code and internal data on the Breached forum. They demanded a minimum of $50,000, threatening to leak the data for free if ignored.

This breach is the latest escalation in a highly active 2026 campaign by TeamPCP. While previous attacks targeted open-source package registries and third-party developer infrastructure, compromising GitHub’s internal systems directly demonstrates the severity of their tactics. The group consistently bypasses traditional perimeter defenses by targeting the implicit trust placed in developer workstations, turning routine engineering tools into an attack vector.

Threat Overview and Strategic Impact

TeamPCP (UNC6780) operates as a cybercriminal syndicate specializing in software supply chain attacks. By abusing the implicit trust organizations place in developer environments, IDE plugins, and open-source registries, they effectively turn development environments into an attack vector. By co-opting valid credentials and authenticated sessions, the group often evades traditional network controls.

The structural weaknesses exploited in these campaigns are most evident in IDE extension marketplaces. Tools like VS Code lack strict, capability-based permission models; once installed, a malicious plugin inherits the developer’s full access rights. This architectural blind spot allows threat actors to silently read sensitive source files, scrape tokens from ~/.aws and ~/.kube, query local password managers, and exfiltrate Git credentials without relying on complex system exploits.

This attack methodology scales through the use of self-propagating malware, such as the Mini Shai-Hulud worm. Built to automate the compromise of package maintainer accounts, this malware injects credential-stealing payloads into heavily relied-upon ecosystems like npm and PyPI. Once embedded, the malware utilizes stolen developer tokens to create public GitHub repositories for data exfiltration, effectively hiding malicious outbound traffic within routine developer activity.

TeamPCP’s targeting also extends further into cloud infrastructure. In related supply chain compromises, such as the poisoned Azure Durable Task Python SDK, the group deployed evasive payloads capable of detecting sandbox environments and avoiding specific geographic regions. Upon execution, the malware systematically harvests credentials across AWS, Azure, GCP, and Kubernetes. The stolen data is then routed to attacker-controlled domains using evasion techniques, such as FIRESCALE (leveraging GitHub commit messages as dead-drop resolvers).

Ultimately, organizations must confront the current reality: perimeter defenses are insufficient against adversaries who successfully weaponize unverified developer tooling.

Deepwatch Internal Response

Deepwatch is actively monitoring the GitHub security situation. Although GitHub has stated there is no current evidence of customer repositories, enterprise environments, or customer data being impacted, Deepwatch has taken precautionary action by rotating related secrets, reviewing CI/CD activity, tightening GitHub permissions, and disabling or restricting code extensions where appropriate. We will continue to monitor closely and have no indication of impact to Deepwatch customer environments or customer data at this time.

Security Hardening and Recommendations

Organizations should treat this as a potential software supply chain event. Even if your organization’s repositories are not directly implicated, we recommend adopting the following defensive posture to secure developer environments and source code repositories.

  1. Strategic Credential & Secret Rotation

    Assume developer environment compromise if malicious extensions or packages were executed.

    • Exercise Caution with Token Revocation (Dead-Man’s Switch Risk): Do not blindly or abruptly revoke compromised GitHub tokens without first assessing the environment.
    • Rotate GitHub-Specific Secrets: Prioritize PATs, GitHub App secrets, OAuth tokens, and GitHub Actions secrets.
    • Rotate Cloud Credentials: Revoke and rotate AWS, Azure, or GCP credentials exposed to GitHub workflows.
    • Eliminate Static Secrets: Move toward short-lived ephemeral tokens using IAM Roles Anywhere or OIDC.
  2. Audit VS Code Extensions Enterprise-Wide

    Developer workstations are the primary attack vector for this campaign.

    • Audit Existing Extensions: Search for recently installed extensions, unsigned publishers, and excessive permissions.
    • Implement Allowlists: Restrict installations to verified publishers via extensions.allowed.
    • EDR Threat Hunting: Hunt for credential theft behavior and suspicious child processes.
  3. Review GitHub Actions and CI/CD Logs

    • Hunt for Anomalies: Monitor unexpected workflow changes and suspicious Actions downloads.
    • Review Access Logs: Identify unauthorized commits and unusual secret access.
  4. Tighten GitHub Platform Permissions

    • Authentication: Enforce SSO and phishing-resistant MFA.
    • Access Control: Reduce repository admin counts and restrict GitHub Apps.
    • Integrity: Enable branch protections and require signed commits.
  5. Monitor for Downstream Supply Chain Risk

    • Increase Registry Monitoring: Watch package registries for typosquatting and malicious updates.
    • Validate Integrity: Enforce dependency signing and integrity verification.
    • Leverage SBOMs: Continuously review Software Bill of Materials.
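
For recommendation 2, one way to audit a workstation's installed extensions against an allowlist. This is an added example, not tooling from Deepwatch or GitHub; the `ALLOWED` policy, the 14-day window and the simplified rule matching are assumptions, and `~/.vscode/extensions` is the default location on a standard desktop install.

```python
import json
import time
from pathlib import Path

# Assumed policy, shaped like VS Code's `extensions.allowed` setting: keys are
# publisher IDs or full extension IDs, "*" is the default. Simplification:
# any value other than false/absent is treated as "allowed".
ALLOWED = {"ms-python": True, "github.copilot": True, "*": False}
RECENT_DAYS = 14  # assumed look-back window for "recently installed"

def is_allowed(ext_id, policy=ALLOWED):
    """Most specific rule wins: extension ID, then publisher, then '*'."""
    for key in (ext_id, ext_id.split(".", 1)[0], "*"):
        if key in policy:
            return bool(policy[key])
    return False

def audit_extensions(ext_dir, policy=ALLOWED, now=None):
    """Return one finding per extension folder that needs a human look."""
    now = time.time() if now is None else now
    findings = []
    for manifest in sorted(Path(ext_dir).glob("*/package.json")):
        folder = manifest.parent
        try:
            pkg = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            findings.append({"id": folder.name, "issues": ["unreadable manifest"]})
            continue
        ext_id = f"{pkg.get('publisher', '?')}.{pkg.get('name', '?')}".lower()
        issues = []
        if not is_allowed(ext_id, policy):
            issues.append("not on allowlist")
        if (now - folder.stat().st_mtime) / 86400 <= RECENT_DAYS:
            issues.append("recently installed or updated")
        if "*" in pkg.get("activationEvents", []):
            issues.append("activates on every startup")
        if issues:
            findings.append({"id": ext_id, "version": pkg.get("version"), "issues": issues})
    return findings

if __name__ == "__main__":
    for finding in audit_extensions(Path.home() / ".vscode" / "extensions"):
        print(finding)
```

Folder modification time is only a proxy for install date, so treat "recently installed or updated" as a prompt to check the marketplace listing and publisher rather than as a verdict.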

Detection Strategy

Detecting TeamPCP requires prioritizing behavioral anomalies and execution context over simple reliance on static indicators. The group uses dynamic C2 infrastructure, like the FIRESCALE commit resolver, making traditional signature matching ineffective. Consider the following to bolster detections:

  • Endpoint behavioral alerts for IDEs (VS Code, Cursor) spawning unauthorized child processes or attempting to access local credential stores (~/.aws, ~/.kube).
  • Network telemetry alerting on outbound connections from build servers or CI runners to unapproved domains, particularly utilizing specific Python or Node.js default user-agents.
  • Cloud API monitoring for high-volume secret extraction, anomalous geographic access, or the rapid enumeration of cloud resources across multiple regions.
  • Detection of unauthorized systemd service creation (sys-monitor.service, pgsql-monitor.service) or the execution of unexpected Python zipapps (.pyz) on Linux hosts.
  • Monitoring of GitHub API logs and organization audit trails for the automated programmatic creation of repositories utilized as data dead-drops.
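
A host-side sweep for the Linux artifacts named in this list, written here as an added example rather than a Deepwatch detection. The unit names and `.pyz` extension come from the list above, the cron script names and `RunForCover.mp3` from the Threat Hunting Leads section of this advisory; the directory lists are assumptions to adapt per fleet.

```python
import os
import re
from pathlib import Path

# Names taken from this advisory; directory lists are assumptions to adapt.
UNIT_NAMES = ("sys-monitor.service", "pgsql-monitor.service")
CRON_SCRIPT = re.compile(r"(?<![\w.-])(monitor|worm|pgmonitor)\.py\b")
DROP_NAMES = {"RunForCover.mp3"}
UNIT_DIRS = ("etc/systemd/system", "usr/lib/systemd/system", "lib/systemd/system")
CRON_PATHS = ("etc/crontab", "etc/cron.d", "var/spool/cron")
SCAN_DIRS = ("tmp", "var/tmp", "dev/shm", "home", "root")

def _files(base):
    """Yield base itself if it is a file, else every file beneath it."""
    if base.is_file():
        yield base
    elif base.is_dir():
        yield from (p for p in base.rglob("*") if p.is_file())

def sweep(root="/"):
    """Return sorted (kind, detail) findings under root (live host or mounted image)."""
    root = Path(root)
    found = []
    for d in UNIT_DIRS:
        for unit in UNIT_NAMES:
            p = root / d / unit
            if p.exists() or p.is_symlink():
                found.append(("systemd-unit", str(p.relative_to(root))))
    for c in CRON_PATHS:
        for f in _files(root / c):
            try:
                lines = f.read_text(errors="replace").splitlines()
            except OSError:
                continue
            for line in lines:
                if not line.lstrip().startswith("#") and CRON_SCRIPT.search(line):
                    found.append(("cron-entry", f"{f.relative_to(root)}: {line.strip()}"))
    for d in SCAN_DIRS:
        for dirpath, _dirs, names in os.walk(root / d):
            for name in names:
                if name in DROP_NAMES or name.endswith(".pyz"):
                    found.append(("dropped-file", str(Path(dirpath, name).relative_to(root))))
    return sorted(found)

if __name__ == "__main__":
    for kind, detail in sweep():
        print(kind, detail)
```

A `.pyz` hit is a lead, not a verdict: legitimate zipapps exist, so confirm against what the host is expected to run.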

How Deepwatch Protects Our Customers

Deepwatch protects customers through 24/7/365 monitoring of endpoint, network, and cloud telemetry. We leverage dynamic risk scoring to identify the behavioral anomalies associated with advanced software supply chain attacks. By collecting and evaluating anomalous and suspicious activity in our risk cache, the Deepwatch platform correlates activity that wouldn’t otherwise meet static alerting criteria. Our threat hunting teams conduct periodic proactive searches of customer environments for signs of suspicious activity.

Relevant Detections

Please visit Security Center to access the relevant detections for this activity.

Threat Hunting Leads

  • Anomalous GitHub API Activity (Exfiltration & FIRESCALE): Hunt for network traffic, proxy logs, or API logs originating from internal networks querying the GitHub API for the specific search string q=FIRESCALE. Search GitHub organization audit logs for the automated creation of public repositories by employee or service accounts, focusing on repository descriptions containing “A Mini Shai-Hulud has Appeared”, “Sha1-Hulud: The Second Coming”, or “niagA oG eW ereH :duluH-iahS” (reversed string of “Shai-Hulud: Here We Go Again”).
  • Suspicious User-Agents in CI/CD Environments: Analyze proxy and firewall logs for outbound connections originating from CI/CD runners (Jenkins, GitHub Actions, GitLab CI) utilizing the strict User-Agent string Python-urllib/3.11 attempting to access unverified IPs or domains. This indicates the durabletask dropper attempting to fetch the rope.pyz payload.
  • Unexpected File Access by Developer Tools: Utilize EDR telemetry to hunt for processes named node, python, code (VS Code), mshta.exe, or AI assistant binaries actively reading sensitive credential files. Focus on rapid, programmatic attempts to read ~/.aws/credentials, ~/.azure/config, ~/.kube/config, or password manager databases (1Password, Bitwarden).
  • Lateral Movement via Cloud APIs: Analyze AWS CloudTrail logs for ssm:SendCommand executed by identities associated with developer workstations or CI runners targeting multiple EC2 instances. In Kubernetes environments, monitor for anomalous kubectl exec commands issued from pods that do not typically execute cluster management operations.
  • Destructive Wiping Indicators: Search file system creation events for the download or presence of RunForCover.mp3 on Linux endpoints, which precedes the destructive rm -rf /* wiping routine on geolocated targets.
  • Secondary Parasitic Infections (PCPJack): While not deployed directly by TeamPCP, the opportunistic “PCPJack” campaign is known to hijack infrastructure previously compromised by TeamPCP. Identifying PCPJack activity is a strong secondary indicator of a TeamPCP breach. Hunt across Linux server fleets and container hosts for the creation or modification of systemd services named sys-monitor.service or pgsql-monitor.service. Search for scheduled tasks (crontabs) configured to execute Python scripts named monitor.py, worm.py, or pgmonitor.py. See CA-A-26-014 for more information on PCPJack.
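
The first two hunting leads above, expressed as matching logic over normalized records. This is an added example, not a Deepwatch detection: the record field names, the CI host-name prefixes, the egress allowlist and every sample line are constructed assumptions, while the search string, User-Agent and repository descriptions are the ones quoted in the leads.

```python
import json
from urllib.parse import urlsplit, parse_qs

# Strings quoted in the hunting leads; each is matched forwards and reversed.
REPO_MARKERS = ["A Mini Shai-Hulud has Appeared", "Sha1-Hulud: The Second Coming",
                "Shai-Hulud: Here We Go Again"]
DROPPER_UA = "Python-urllib/3.11"
APPROVED_HOSTS = {"pypi.org", "files.pythonhosted.org"}  # assumed egress allowlist
CI_PREFIXES = ("ci-", "runner-")                          # assumed CI host naming

def hunt_proxy(rec):
    """Return the hunting leads matched by one normalized proxy record."""
    hits = []
    url = urlsplit(rec["url"])
    host = (url.hostname or "").lower()
    terms = parse_qs(url.query).get("q", [])
    if host == "api.github.com" and any("FIRESCALE" in t.upper() for t in terms):
        hits.append("firescale-search")
    if (rec["src"].startswith(CI_PREFIXES) and rec["ua"] == DROPPER_UA
            and host not in APPROVED_HOSTS):
        hits.append("ci-urllib-unapproved-host")
    return hits

def hunt_repo_event(ev):
    """Flag public repository creation whose description carries a marker."""
    desc = (ev.get("description") or "").casefold()
    marked = any(m.casefold() in desc or m.casefold()[::-1] in desc for m in REPO_MARKERS)
    public_create = ev.get("action") == "repo.create" and ev.get("visibility") == "public"
    return ["worm-marker-repo"] if public_create and marked else []

# Constructed sample telemetry (JSON lines); field names are assumptions.
SAMPLE = """\
{"type":"proxy","src":"dev-lt-12","ua":"node","url":"https://api.github.com/search/commits?q=FIRESCALE"}
{"type":"proxy","src":"ci-runner-07","ua":"Python-urllib/3.11","url":"http://203.0.113.10/rope.pyz"}
{"type":"proxy","src":"ci-runner-07","ua":"Python-urllib/3.11","url":"https://pypi.org/simple/requests/"}
{"type":"audit","action":"repo.create","actor":"svc-build","visibility":"public","description":"niagA oG eW ereH :duluH-iahS"}
{"type":"audit","action":"repo.create","actor":"alice","visibility":"private","description":"internal tools"}
"""

def run(lines=SAMPLE):
    """Return (line number, lead, actor or source) for every match."""
    out = []
    for n, line in enumerate(lines.splitlines(), 1):
        rec = json.loads(line)
        hits = hunt_proxy(rec) if rec["type"] == "proxy" else hunt_repo_event(rec)
        out += [(n, h, rec.get("actor") or rec.get("src")) for h in hits]
    return out

if __name__ == "__main__":
    print(*run(), sep="\n")
```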

Technical Artifacts

Please visit Security Center to access the associated technical artifacts.

Threat Object Mapping

Intrusion Set:

  • TeamPCP (UNC6780)

Attack Pattern (MITRE ATT&CK):

| Tactic | Technique | Technique ID | Associated Threat Activity |
|---|---|---|---|
| Initial Access | Compromise Software Dependencies and Development Tools | T1195.001 | Compromising PyPI/npm packages and deploying trojanized VS Code extensions for initial execution. |
| Execution | Command and Scripting Interpreter: Python | T1059.006 | Execution of Python zipapps (rope.pyz) and automated scripts (monitor.py) within CI/CD pipelines. |
| Persistence | Create or Modify System Process: Systemd Service | T1543.002 | Creation of sys-monitor.service and pgsql-monitor.service to ensure execution upon reboot. |
| Privilege Escalation | Valid Accounts: Cloud Accounts | T1078.004 | Utilizing harvested AWS IAM keys, Azure service principals, and GCP service accounts to escalate privileges. |
| Defense Evasion | Execution Guardrails | T1480.001 | Terminating execution based on CPU core count or system locale (LANG=ru_*) to evade sandboxes. |
| Credential Access | Unsecured Credentials: Credentials in Files | T1552.001 | Harvesting credentials from ~/.aws/credentials, ~/.kube/config, and password manager databases. |
| Discovery | Cloud Infrastructure Discovery | T1580 | Enumerating AWS regions, Secrets Manager, SSM parameters, and Kubernetes API structures. |
| Lateral Movement | Remote Services: SSH | T1021.004 | Utilizing stolen SSH private keys and known_hosts files to pivot to internal network resources. |
| Collection | Data from Cloud Storage Object | T1530 | Extracting source code from compromised GitHub repositories and internal CI/CD environments. |
| Command and Control | Web Service: Dead Drop Resolver | T1102.001 | Utilizing GitHub commit searches (FIRESCALE) to dynamically retrieve updated C2 URLs. |
| Exfiltration | Exfiltration Over Web Service | T1567.002 | Creating public GitHub repositories using stolen tokens and uploading encrypted credentials (results.json). |
| Impact | Disk Wipe | T1561.001 | Executing rm -rf /* on systems identified via geolocation checks as Israeli or Iranian infrastructure. |

Vulnerabilities:

  • CVE-2026-45321 (Critical – CVSS 9.6): TanStack supply chain compromise via malicious preinstall hooks in npm packages, facilitating the spread of the Mini Shai-Hulud worm.

Malware/Tools:

  • Mini Shai-Hulud / Shai-Hulud: A highly automated, self-propagating software supply chain worm designed to compromise package maintainer accounts, inject malicious code, and harvest developer credentials.
  • PCPJack: A specialized lateral movement and credential harvesting framework targeting cloud-native environments, including Docker, Kubernetes, Redis, and RayML clusters.
  • rope[.]pyz: A second-stage, multi-module Python zipapp payload delivering extensive cloud credential theft capabilities, execution guardrails, and cryptographic C2 resolution.
  • Phantom Bot: A Golang-based distributed denial-of-service (DDoS) botnet occasionally deployed alongside TeamPCP payloads via compromised npm packages.
