GitHub confirms 3,800 internal repos stolen through poisoned VS Code extension as supply chain worm hits Microsoft’s Python SDK
GitHub confirmed on May 20 that a poisoned VS Code extension installed on an employee’s device gave attackers access to roughly 3,800 internal repositories at the Microsoft-owned code hosting platform.
The threat group TeamPCP, formally tracked by Google Threat Intelligence Group as UNC6780, claimed responsibility and is advertising the stolen repositories for sale starting at $50,000. GitHub’s assessment: the attacker’s claim is “directionally consistent” with the investigation so far. Trend Micro, StepSecurity, and Snyk have formally tracked TeamPCP across at least seven waves of the Mini Shai-Hulud supply chain worm since March.
The GitHub breach did not land in isolation. It arrived the same day a new Mini Shai-Hulud wave forged valid cryptographic provenance for 639 malicious npm package versions, one day after attackers compromised a VS Code extension with 2.2 million installs, the same day Wiz discovered TeamPCP had compromised Microsoft’s durabletask Python SDK on PyPI, and the same morning Verizon’s 2026 DBIR reported that 67% of employees access AI tools through non-corporate accounts. Five supply chain surfaces failed within 48 hours; two AI-agent attack classes disclosed earlier the same month complete the grid below. One group connects at least three of them.
GitHub confirms the breach, names the attack vector, and the attribution trail is long
"Yesterday we detected and contained a compromise of an employee device involving a poisoned VS Code extension. We removed the malicious extension version, isolated the endpoint, and began incident response immediately," GitHub posted in a five-post thread on X on May 20. "Our current assessment is that the activity involved exfiltration of GitHub-internal repositories only. [Emphasis added by VentureBeat] The attacker’s current claims of ~3,800 repositories are directionally consistent with our investigation so far." GitHub added that critical secrets were rotated overnight with the highest-impact credentials prioritized first.
GitHub’s confirmation narrows the attack vector to a single employee device but leaves the blast radius expanding. The company has not named the specific extension. Internal repositories typically contain infrastructure configurations, deployment scripts, staging credentials, and internal API schemas. Source code access at that level is not simply a data breach. It is an infrastructure intelligence leak.
Dark Web Informer reported that TeamPCP’s listing appeared on a hacking forum hours before GitHub’s initial disclosure, advertising around 4,000 private repositories. Hackmanac independently confirmed the listing. An X account linked to TeamPCP, xploitrsturtle2, posted after GitHub’s confirmation: “GitHub knew for hours, they delayed telling you and they won’t be honest in the future. What an amazing run, it’s been an honor to play around with the cats over the past few months.”
Google Threat Intelligence Group formally tracks TeamPCP as UNC6780, a financially motivated threat actor specializing in supply chain attacks targeting open-source security utilities and AI middleware. Trend Micro tracked "at least seven confirmed waves" spanning Trivy (March 2026), Checkmarx KICS, LiteLLM, elementary-data, Bitwarden CLI, TanStack (May 11), and Mistral AI (May 12). StepSecurity, Snyk, and Trend Micro assess high confidence on the Trivy, Bitwarden CLI, and TanStack waves based on toolchain overlap. GitHub’s May 20 confirmation that the breach came through a poisoned VS Code extension aligns with the developer-toolchain attack surface TeamPCP weaponized throughout 2026.
Binance co-founder CZ posted immediately: "If you have ANY private repos with plain text secrets or sensitive documents/architectures, immediately rotate your secrets." Mike Riemer, CTO of Ivanti, told VentureBeat in an exclusive interview that Azure’s honeypot network now shows known vulnerabilities exploited in under 90 seconds. Stolen credentials shorten the recon phase that precedes exploitation. Every GitHub-side secret that reaches a buyer accelerates whichever attack path that buyer was already running.
The worm that forges its own provenance badge
Hours before GitHub's disclosure, Endor Labs detected 42 malicious npm packages published between 01:39 and 02:06 UTC on May 19. Socket's broader tracking put the full wave at 639 malicious versions across 323 packages inside Alibaba's @antv data visualization ecosystem, roughly 16 million weekly downloads.
This wave introduced provenance forgery. The worm now requests a Sigstore signing certificate from Fulcio and records it in Rekor at runtime, under the maintainer identity it stole, for every package it propagates to. Provenance tooling shows a green badge. The build chain belongs to the attacker. "The attestation proves where the package was built. It does not prove the build was authorized," Endor Labs stated.
Peyton Kennedy, senior security researcher at Endor Labs, told VentureBeat that “TanStack had the right setup on paper: OIDC trusted publishing, signed provenance, 2FA on every maintainer account. The attack worked anyway. Each wave has picked a higher-download target and introduced a more technically interesting access vector.”
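The Endor Labs point above, that a valid attestation proves where a package was built and not that the build was authorized, translates into a concrete consumer-side check: after the Sigstore signature verifies, compare the build identity in the statement against the chain you actually expect, and refuse versions younger than a minimum release age. The following is an added example, not code from Endor Labs, npm, or any project named in the article. It assumes an in-toto statement with a SLSA v1 predicate (the shape npm provenance uses; field names follow the SLSA v1 spec and are treated as an assumption), a hypothetical policy for a package called example-org/charts-lib, and that the registry publish time is supplied separately, since provenance does not carry it.

```python
from datetime import datetime, timedelta, timezone

SLSA_V1 = "https://slsa.dev/provenance/v1"

# Hypothetical policy for one dependency. Every value is an assumption about
# what the consumer's expected release chain looks like.
POLICY = {
    "repository": "https://github.com/example-org/charts-lib",
    "workflow_path": ".github/workflows/release.yml",
    "builder_prefix": "https://github.com/actions/runner/",
    "minimum_release_age": timedelta(days=7),
}


def check_provenance(statement, published_at, policy=POLICY, now=None):
    """Return policy violations for a provenance statement whose Sigstore
    signature has ALREADY been verified (e.g. by `npm audit signatures`).
    An empty list means the version may be installed.

    `statement` is an in-toto Statement carrying a SLSA v1 predicate;
    `published_at` is the registry publish time for the version."""
    now = now or datetime.now(timezone.utc)
    findings = []

    if statement.get("predicateType") != SLSA_V1:
        return [f"unexpected predicateType {statement.get('predicateType')!r}"]

    pred = statement.get("predicate", {})
    wf = (pred.get("buildDefinition", {})
              .get("externalParameters", {})
              .get("workflow", {}))
    builder = pred.get("runDetails", {}).get("builder", {}).get("id", "")

    # 1. Who built it. A valid certificate proves *some* workflow ran under
    #    an identity Fulcio accepted; only you know which one is authorized.
    if wf.get("repository") != policy["repository"]:
        findings.append(f"built from {wf.get('repository')!r}, expected {policy['repository']!r}")
    if wf.get("path") != policy["workflow_path"]:
        findings.append(f"built by workflow {wf.get('path')!r}, expected {policy['workflow_path']!r}")
    if not builder.startswith(policy["builder_prefix"]):
        findings.append(f"unexpected builder id {builder!r}")
    if not str(wf.get("ref", "")).startswith("refs/tags/"):
        findings.append(f"release built from non-tag ref {wf.get('ref')!r}")

    # 2. How old it is. An attacker inside the legitimate chain produces a
    #    statement that passes every check above, so a minimum release age
    #    is the check that still buys time for the ecosystem to notice.
    age = now - published_at
    if age < policy["minimum_release_age"]:
        findings.append(f"published {age} ago, below minimum release age")
    return findings


def _statement(repo, path, ref, builder):
    """Constructed statement; only the fields the policy reads are populated."""
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": "pkg:npm/%40example-org/charts-lib@2.4.0",
                     "digest": {"sha512": "constructed-placeholder"}}],
        "predicateType": SLSA_V1,
        "predicate": {
            "buildDefinition": {"externalParameters": {
                "workflow": {"repository": repo, "path": path, "ref": ref}}},
            "runDetails": {"builder": {"id": builder}},
        },
    }


NOW = datetime(2026, 5, 20, 12, 0, tzinfo=timezone.utc)
OLD = NOW - timedelta(days=30)      # a release that has been public for a month
FRESH = NOW - timedelta(hours=2)    # a release minted two hours ago

# The chain you expect.
GOOD = _statement("https://github.com/example-org/charts-lib",
                  ".github/workflows/release.yml", "refs/tags/v2.4.0",
                  "https://github.com/actions/runner/github-hosted")
# Valid signature, green badge, wrong chain: a fork and workflow the
# attacker controls, built from a branch rather than a release tag.
FORGED = _statement("https://github.com/attacker-fork/charts-lib",
                    ".github/workflows/ci.yml", "refs/heads/main",
                    "https://github.com/actions/runner/github-hosted")

if __name__ == "__main__":
    print("good chain, 30 days old:", check_provenance(GOOD, OLD, now=NOW))
    print("forged chain, 2 hours old:", check_provenance(FORGED, FRESH, now=NOW))
    print("good chain, 2 hours old:", check_provenance(GOOD, FRESH, now=NOW))
```

The third call is the uncomfortable one: a statement from the right repository, workflow, builder and tag passes every identity check, which is exactly what a stolen maintainer identity inside the legitimate pipeline produces. Only the release-age rule (and the install-time behavioral analysis the grid below recommends) still stands between that version and the build.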
Late on May 12, vx-underground reported that TeamPCP open-sourced the fully weaponized Shai-Hulud worm code. Copycat variants have already appeared, complicating attribution. Kennedy provided VentureBeat a first-pass detection check: run find . -name 'router_init.js' -size +1M across project directories and grep for the hash 79ac49eedf774dd4b0cfa308722bc463cfe5885c in package-lock.json. If either returns a hit, isolate and image the machine before revoking any tokens. The worm’s destructive daemon triggers on revocation.
GitHub Actions tags redirected to imposter commits the same day
Also on May 19, threat actors compromised the popular GitHub Action actions-cool/issues-helper by redirecting every existing tag in the repository to an imposter commit that does not appear in the action’s normal commit history. “That commit contains malicious code that exfiltrates credentials from CI/CD pipelines that run the action,” StepSecurity researcher Varun Sharma said. GitHub has since disabled access to the repository.
The exfiltration domain (t.m-kosche[.]com) matches the @antv Mini Shai-Hulud wave, tying the two clusters together. Only workflows pinned to a known-good full commit SHA were unaffected.
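Two checks follow from the tag redirect described above: whether each action reference in a workflow is pinned to an immutable full SHA, and, for the ones that are not, whether the commit the tag currently resolves to is actually part of the action repository's default-branch history. The block below is an added example, not StepSecurity's or GitHub's tooling. It assumes a hypothetical action named acme/issues-helper, a constructed commit graph that stands in for git merge-base --is-ancestor on a real clone, a constructed workflow, and a made-up 40-hex value for the pinned step.

```python
import re

# `uses: owner/repo[/path]@ref` on a step line.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?([A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+)(/[^@\s'\"]+)?@([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def is_ancestor(graph, commit, head):
    """True if `commit` is reachable from `head` by following parent links.
    `graph` maps commit -> parents; it stands in for
    `git merge-base --is-ancestor <commit> <head>` on a real clone."""
    stack, seen = [head], set()
    while stack:
        c = stack.pop()
        if c == commit:
            return True
        if c in seen:
            continue
        seen.add(c)
        stack.extend(graph.get(c, []))
    return False


def audit_pins(workflow_text, repos):
    """Classify each action reference in a workflow.

    repos: {action: {"head": default-branch tip, "graph": commit graph,
                     "tags": {tag: commit}}} as resolved from the action
    repository today (constructed here; `git ls-remote --tags` in practice).
    Returns one (action, ref, status) per `uses:` line."""
    report = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group(1), m.group(3)
        if FULL_SHA_RE.match(ref):
            status = "pinned"            # immutable: moving a tag cannot change what runs
        elif action not in repos:
            status = "unresolved"
        else:
            repo = repos[action]
            commit = repo["tags"].get(ref)
            if commit is None:
                status = "unresolved"
            elif is_ancestor(repo["graph"], commit, repo["head"]):
                status = "mutable-ref"   # real history today, can be moved tomorrow
            else:
                status = "IMPOSTER"      # tag points outside the default-branch history
        report.append((action, ref, status))
    return report


# Constructed commit graph for the hypothetical action "acme/issues-helper":
# m1 -> m2 -> m3 is the default branch; x1 is an orphan commit nobody merged.
GRAPH = {"m1": [], "m2": ["m1"], "m3": ["m2"], "x1": []}
REPOS = {
    "acme/issues-helper": {
        "head": "m3",
        "graph": GRAPH,
        "tags": {"v3": "x1", "v2.5.0": "m2"},   # v3 was force-moved onto x1
    },
}

# Constructed workflow; the checkout SHA is a made-up 40-hex value.
WORKFLOW = """\
name: triage
on: [issues]
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@3a1f0c9e4d2b7a6f5e8c9d0b1a2f3e4d5c6b7a89
      - uses: acme/issues-helper@v3
      - uses: acme/issues-helper@v2.5.0
        with:
          actions: 'add-labels'
"""

if __name__ == "__main__":
    for action, ref, status in audit_pins(WORKFLOW, REPOS):
        print(f"{status:12} {action}@{ref}")
```

A "mutable-ref" result is the normal state of most repositories and is the thing to fix before an incident, by replacing the tag with the full SHA it resolves to today; an "IMPOSTER" result means the tag already points somewhere that never went through the action's review process.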
The worm jumped to Microsoft’s own Python SDK the same day
Hours after the @antv wave, Wiz detected that TeamPCP had compromised durabletask, the official Microsoft Python client for the Durable Task workflow execution framework. Three malicious versions (1.4.1, 1.4.2, and 1.4.3) were published to PyPI within a 35-minute window on May 19. The attack chain was direct: a GitHub account compromised in a previous TeamPCP operation still had access to the microsoft/durabletask-python repository. The attacker dumped GitHub Secrets, extracted a PyPI publishing token, and pushed the infected releases directly. PyPI quarantined all three versions.
StepSecurity’s analysis found the payload downloads a 28 KB dropper (rope.pyz) that steals credentials from AWS, Azure, GCP, Kubernetes, and over 90 developer tool configurations, then spreads laterally through cloud infrastructure. The payload skips systems with a Russian locale. The durabletask package averages over 400,000 monthly downloads.
VS Code extensions breached GitHub itself, and that is not even the first compromise this week
On May 18, attackers published a compromised version of the Nx Console VS Code extension, installed more than 2.2 million times. The malicious version harvested tokens from GitHub, npm, AWS, HashiCorp Vault, Kubernetes, and 1Password, and specifically targeted Claude Code configuration files under ~/.claude/settings.json. The Nx team removed it within 11 minutes. Any developer who opened a workspace between 12:36 and 12:47 UTC ran the credential stealer. One day later, GitHub confirmed that a different poisoned VS Code extension was the entry point for the 3,800-repo breach of its own internal infrastructure.
As one X user framed it: “Microsoft’s GitHub was compromised when a Microsoft developer using Microsoft VSCode installed a rogue extension from Microsoft’s VSCode extension library, which is moderated and hosted by Microsoft.” The entire attack chain stayed inside one vendor’s ecosystem. Developers have been reporting malicious VS Code extensions to Microsoft for years. A publicly documented complaint from December 2024 asked Microsoft to fix the marketplace. Roughly a year and a half later, the marketplace was the entry point for a breach of GitHub itself.
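Both VS Code extension incidents above turned on silent updates: an auto-updated extension ran a credential stealer with no user action. The inventory check below is an added example, not code from the Nx team, GitHub, or Microsoft. It parses the output of the real code --list-extensions --show-versions command (one publisher.name@version per line), compares it with a reviewed allow-list, and flags a settings.json that still lets the marketplace push updates in the background via VS Code's own extensions.autoUpdate and extensions.autoCheckUpdates settings. The publishers, versions and sample output are constructed.

```python
import subprocess

# Reviewed extension set with the exact versions allowed on this fleet.
# Publishers and versions are hypothetical.
APPROVED = {
    "ms-python.python": "2026.4.0",
    "acme.console": "18.94.3",
}


def parse_extension_list(output):
    """Parse `code --list-extensions --show-versions` output."""
    installed = {}
    for line in output.splitlines():
        line = line.strip()
        if not line or "@" not in line:
            continue
        ident, version = line.rsplit("@", 1)
        installed[ident.lower()] = version   # extension IDs are case-insensitive
    return installed


def list_installed():
    """Live collection on a workstation (not called in the demo below)."""
    out = subprocess.run(["code", "--list-extensions", "--show-versions"],
                         capture_output=True, text=True, check=True).stdout
    return parse_extension_list(out)


def audit_extensions(installed, approved=APPROVED):
    """Flag anything not on the reviewed list, or on it at a different version."""
    findings = []
    for ident, version in sorted(installed.items()):
        if ident not in approved:
            findings.append(("unapproved", ident, version))
        elif version != approved[ident]:
            findings.append(("version-drift", ident, f"{version} != {approved[ident]}"))
    return findings


def audit_settings(settings):
    """Flag a settings.json that still lets the marketplace push updates
    silently. `False` is the only value of these two VS Code settings that
    turns background updates off; any other value (True, or a selective
    mode string) leaves a path for an auto-updated extension to run."""
    findings = []
    if settings.get("extensions.autoUpdate", True) is not False:
        findings.append("extensions.autoUpdate is not false")
    if settings.get("extensions.autoCheckUpdates", True) is not False:
        findings.append("extensions.autoCheckUpdates is not false")
    return findings


# Constructed `code --list-extensions --show-versions` output.
SAMPLE_OUTPUT = """\
ms-python.python@2026.4.0
acme.console@18.94.9
unknown-publisher.helper@1.0.2
"""
# Constructed user settings (settings.json with its comments already stripped).
SAMPLE_SETTINGS = {"extensions.autoUpdate": True, "extensions.autoCheckUpdates": True}

if __name__ == "__main__":
    for finding in audit_extensions(parse_extension_list(SAMPLE_OUTPUT)):
        print(*finding)
    for finding in audit_settings(SAMPLE_SETTINGS):
        print(finding)
```

VS Code's settings.json permits comments, so a real run needs a JSONC-tolerant parser before audit_settings sees the dictionary; the drift finding is the one that matters during an incident, because an extension that moved off its reviewed version without a change ticket is the auto-update path the article describes.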
AI coding agents treat trust dialogs as features, not security events
Adversa AI’s TrustFall research, published May 7, tested Claude Code, Gemini CLI, Cursor CLI, and Copilot CLI. "A repository can ship a configuration that auto-approves and immediately launches an MCP server, no tool call from the agent is required," researcher Rony Utevsky told Dark Reading. All four default to "Yes/Trust." The Managed scope configuration that could lock this down is "rarely used." When Claude Code runs headless through GitHub Actions, the trust dialog never renders.
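The TrustFall finding above is that a repository can ship an MCP server configuration that an agent auto-approves on open, and that the setting which would prevent this is rarely used. One practical control is to audit a checkout for those files before any agent is opened in it. The block below is an added example, not Adversa AI's tooling or any agent vendor's code. The file paths and key names (.mcp.json and the enableAllProjectMcpServers / enabledMcpjsonServers settings for Claude Code, .vscode/mcp.json with a servers key, .cursor/mcp.json, .gemini/settings.json) are assumptions drawn from each tool's documentation; the allow-list and the sample repository are constructed.

```python
import json
import os
import tempfile

# Project-scoped files the listed agents read on workspace open (assumed paths).
MCP_FILES = [".mcp.json", ".vscode/mcp.json", ".cursor/mcp.json", ".gemini/settings.json"]
CLAUDE_SETTINGS = ".claude/settings.json"

# Hypothetical allow-list of server launch commands the team has reviewed.
APPROVED_SERVERS = {"npx -y @example-org/docs-mcp"}


def _servers(config):
    # Claude Code, Cursor and Gemini CLI use `mcpServers`; VS Code's mcp.json uses `servers`.
    return config.get("mcpServers") or config.get("servers") or {}


def audit_repo(root):
    """Report auto-approval settings and unreviewed MCP servers in a checkout
    BEFORE any agent is opened in it. Returns (kind, file, detail) tuples."""
    findings = []
    claude = os.path.join(root, CLAUDE_SETTINGS)
    if os.path.exists(claude):
        with open(claude) as f:
            settings = json.load(f)
        if settings.get("enableAllProjectMcpServers") is True:
            findings.append(("auto-approve", CLAUDE_SETTINGS, "enableAllProjectMcpServers=true"))
        for name in settings.get("enabledMcpjsonServers", []):
            findings.append(("pre-approved", CLAUDE_SETTINGS, name))
    for rel in MCP_FILES:
        path = os.path.join(root, rel)
        if not os.path.exists(path):
            continue
        with open(path) as f:
            config = json.load(f)
        for name, spec in _servers(config).items():
            if "url" in spec:
                findings.append(("remote-server", rel, f"{name}: {spec['url']}"))
                continue
            launch = " ".join([spec.get("command", "")] + list(spec.get("args", [])))
            if launch not in APPROVED_SERVERS:
                findings.append(("unapproved-server", rel, f"{name}: {launch}"))
    return findings


def build_sample_repo(root):
    """Constructed checkout: one reviewed server, one server the repository
    ships itself, and a settings file that trusts every project server."""
    os.makedirs(os.path.join(root, ".claude"))
    with open(os.path.join(root, ".mcp.json"), "w") as f:
        json.dump({"mcpServers": {
            "docs": {"command": "npx", "args": ["-y", "@example-org/docs-mcp"]},
            "helper": {"command": "node", "args": ["./tools/helper.js"]},
        }}, f)
    with open(os.path.join(root, CLAUDE_SETTINGS), "w") as f:
        json.dump({"enableAllProjectMcpServers": True}, f)


def run_demo():
    """Build the sample checkout in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_repo(root)
        return audit_repo(root)


if __name__ == "__main__":
    for finding in run_demo():
        print(*finding)
```

The "helper" finding is the case TrustFall describes: a server whose launch command is a script inside the repository itself, so cloning the repository is enough to put attacker-controlled code on the path the agent will execute on open. Running this audit in CI, where no trust dialog is ever rendered, is where it earns its keep.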
PR comments became agent instructions
Aonan Guan, alongside Johns Hopkins colleagues Zhengyu Liu and Gavin Zhong, typed a malicious instruction into a PR title and watched Anthropic's Claude Code Security Review action post its own API key as a comment. The same prompt injection worked against Gemini CLI Action and GitHub's Copilot Agent. Anthropic classified it CVSS 9.4 Critical.
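The injection above works because a workflow that runs on pull request or comment events holds repository credentials while feeding contributor-controlled text (a title, a body, a comment) to an agent step. The scanner below is an added example, not the Johns Hopkins researchers' code or any vendor's. It flags workflows that combine a trigger such as pull_request_target or issue_comment with either a checkout of the PR head or an expression that interpolates contributor-controlled event fields into a step, and shows a post-merge variant that passes. The workflows and the acme/agent-review action are constructed.

```python
import re

# Triggers that run on untrusted input while holding repository credentials.
DANGEROUS_TRIGGERS = {"pull_request_target", "issue_comment", "issues", "discussion_comment"}
# Event fields an outside contributor controls.
UNTRUSTED_EXPR = re.compile(
    r"\$\{\{[^}]*github\.(?:event\.(?:issue|comment|pull_request|discussion|review)\.|head_ref)")
CHECKOUT_HEAD = re.compile(r"\bref:\s*\$\{\{[^}]*github\.event\.pull_request\.head")


def parse_triggers(text):
    """Collect the event names under the workflow's top-level `on:` key.
    Handles `on: push`, `on: [a, b]`, and the block form with keys or a list."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"""^(?:on|'on'|"on"):\s*(.*)$""", line)
        if not m:
            continue
        rest = m.group(1).strip()
        if rest.startswith("["):
            return {t.strip().strip("'\"") for t in rest.strip("[]").split(",") if t.strip()}
        if rest:
            return {rest}
        triggers, indent = set(), None
        for nxt in lines[i + 1:]:
            if not nxt.strip():
                continue
            if not nxt[0].isspace():
                break                      # left the `on:` block
            km = re.match(r"^(\s+)(?:-\s*)?([A-Za-z_]+)", nxt)
            if not km:
                continue
            indent = indent or km.group(1)
            if km.group(1) == indent:      # first nesting level only, not `branches:` etc.
                triggers.add(km.group(2))
        return triggers
    return set()


def audit_untrusted_input(text):
    """Flag workflows where a dangerous trigger is combined with steps that
    check out the PR head or feed contributor-controlled text to a step."""
    findings = []
    hot = parse_triggers(text) & DANGEROUS_TRIGGERS
    if not hot:
        return findings
    findings.append(f"runs on {', '.join(sorted(hot))} with repository credentials")
    for n, line in enumerate(text.splitlines(), 1):
        if CHECKOUT_HEAD.search(line):
            findings.append(f"line {n}: checks out untrusted PR head")
        elif UNTRUSTED_EXPR.search(line):
            findings.append(f"line {n}: contributor-controlled text reaches a step")
    return findings


# Constructed workflow: an agent review that runs on every PR with write
# permissions and hands the PR title to the agent as part of its prompt.
RISKY = """\
name: ai-review
on:
  pull_request_target:
    types: [opened, synchronize]
permissions:
  contents: read
  pull-requests: write
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: acme/agent-review@v1
        with:
          prompt: "Review this change: ${{ github.event.pull_request.title }}"
          api_key: ${{ secrets.MODEL_API_KEY }}
"""

# Constructed post-merge variant: same agent, but it only ever sees code and
# metadata that a maintainer has already accepted into main.
SAFE = """\
name: ai-review-post-merge
on:
  push:
    branches: [main]
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: acme/agent-review@v1
        with:
          prompt: "Summarize the merged commit ${{ github.sha }}"
"""

if __name__ == "__main__":
    print("risky:", audit_untrusted_input(RISKY))
    print("safe: ", audit_untrusted_input(SAFE))
```

The post-merge form is the "gate agent runs to post-merge branches" item in the grid below: the agent still reads code, but nothing a drive-by contributor typed reaches it while credentials are in scope.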
Prompt injection reaches eval() through legitimate API calls
Microsoft disclosed CVE-2026-26030 and CVE-2026-25592 on May 7, both critical flaws in Semantic Kernel. The Python SDK flaw let a crafted prompt achieve host-level remote code execution. The .NET SDK flaw turned an accidentally exposed file-transfer helper into a tool the AI model could invoke, enabling sandbox escape from Azure Container Apps.
Social channels deliver the payload where EDR has no signal
CrowdStrike’s 2026 Financial Services Threat Landscape Report, released May 14, quantified how identity theft scales outside developer toolchains. DPRK-nexus actors stole $2.02 billion in digital assets in 2025, a 51% year-over-year increase. PRESSURE CHOLLIMA conducted the largest single financial theft ever reported: $1.46 billion through trojanized software distributed via supply chain compromise. FAMOUS CHOLLIMA doubled its operations using AI-generated identities. STARDUST CHOLLIMA tripled its tempo. The primary delivery channels: WhatsApp and LinkedIn, where EDR has no signal.
“Financial services organizations face threats from every direction, and AI is making each of them harder to stop,” Adam Meyers, senior vice president, counter adversary operations at CrowdStrike, said in the report. “Adversaries are using AI to compress the time from initial access to impact, moving through trusted paths faster than legacy defenses can respond.” His 2026 Global Threat Report found 82% of detections in 2025 were malware-free. The average eCrime breakout time fell to 29 minutes, with the fastest observed at 27 seconds.
Riemer told VentureBeat the same dynamic applies to developer toolchains. "Bad guys are pivoting to what's the next weakest link. Let me get somebody's house key, and I can make it through the back door." Stolen developer identities are the house key.
Shadow AI usage tripled in one year
The Verizon 2026 DBIR found that 45% of employees are regular AI users, up from 15% last year, with 67% accessing AI through non-corporate accounts. Third-party involvement in breaches jumped to 48%.
The Developer Tool Stolen-Identity Audit Grid
No single surface in this grid qualifies as a zero day. Chained together, they function like one. "I can take a whole bunch of little things and chain them together and get the same level of access," Riemer told VentureBeat. "That's what AI does very, very well."
| Surface | Incident / Vector | Visibility Gap | Recommended Action |
|---|---|---|---|
| GitHub internal repositories | TeamPCP (UNC6780) stole ~3,800 internal repos via poisoned VS Code extension on employee device. GitHub confirmed May 20. Critical secrets rotated overnight. Listing includes security infra and AI tooling repos | Customers cannot audit internal repo contents. Leaked secrets affect every downstream tenant | Rotate GitHub-issued tokens, OAuth app secrets, and Actions OIDC trust relationships |
| npm provenance verification | Mini Shai-Hulud wave (May 19). 639 malicious versions per Socket. Stolen maintainer identity generated legitimate Sigstore certs at runtime | Provenance check passes. Signing identity is stolen. 16M weekly downloads affected | Stop treating provenance badges as sufficient. Add install-time behavioral analysis. Set minimumReleaseAge |
| VS Code extension auto-update | Nx Console v18.95.0 (May 18). Stolen contributor token, orphan commit, three exfil channels. Claude Code configs targeted. 2.2M installs | Auto-update executes credential stealer silently. No detection category exists | Pin extension versions. Audit auto-update policy. Review publisher token governance |
| AI coding agent CLI trust dialog | TrustFall (Adversa AI). All four CLIs auto-execute untrusted MCP servers with one keypress | Trust dialog is a feature, not a security event. Headless CI skips dialog entirely | Disable enableAllProjectMcpServers. Require explicit per-server approval |
| CI/CD pipeline agent execution | Comment and Control (Johns Hopkins, CVSS 9.4). PR comments processed as agent instructions | Malicious .mcp.json runs with runner’s full credentials. Zero human interaction | Gate agent runs to post-merge branches. Review pull_request_target workflows |
| AI agent framework eval() path | Semantic Kernel CVE-2026-26030 (9.9) and CVE-2026-25592 (10.0). Prompt injection reaches eval() | EDR sees approved call. Flat auth plane fails to respect user permissions | Upgrade to Python 1.39.4+ / .NET 1.71.0+. Disable auto-invocation |
| Out-of-band delivery | CrowdStrike FinServ (May 14). WhatsApp and LinkedIn as primary vectors. CHOLLIMA doubled and tripled tempo | EDR has no signal on social-channel delivery. AI-generated identities at scale | Add WhatsApp and LinkedIn to insider-threat playbooks |
Seven surfaces. One group confirmed across at least three of them, with open-sourced tooling enabling copycats across the rest. Kayne McGladrey, IEEE Senior Member, told VentureBeat that organizations are "defaulting to cloning human user profiles for agents, and permission sprawl starts on day one." The compliance frameworks enterprises rely on were written for humans. Agent identities do not appear in any control catalog McGladrey has encountered.
