
GitHub confirmed on May 20 that a poisoned VS Code extension installed on an employee's device gave attackers access to roughly 3,800 internal repositories on the Microsoft-owned code hosting and authoring platform.
The threat group TeamPCP, formally tracked by Google Threat Intelligence Group as UNC6780, claimed responsibility and is offering the stolen repositories for sale starting at $50,000. GitHub's assessment: the attacker's claim is "directionally consistent" with the investigation so far. Trend Micro, StepSecurity, and Snyk have formally tracked TeamPCP across at least seven waves of the Mini Shai-Hulud supply chain worm since March.
The GitHub breach didn't land in isolation. It arrived the same day a new Mini Shai-Hulud wave forged valid cryptographic provenance on 639 malicious npm package versions, one day after attackers compromised a VS Code extension with 2.2 million installs, the same day Wiz discovered TeamPCP had compromised Microsoft's durabletask Python SDK on PyPI, and the same morning Verizon's 2026 DBIR revealed that 67% of employees access AI tools through non-corporate accounts. Five supply chain surfaces failed in 48 hours. Two more AI-agent attack classes disclosed the same month complete the grid. One group connects at least three of them.
GitHub confirms the breach, names the attack vector, and the attribution trail is long
"Yesterday we detected and contained a compromise of an employee device involving a poisoned VS Code extension. We removed the malicious extension version, isolated the endpoint, and began incident response immediately," GitHub posted in a five-post thread on X on May 20. "Our current assessment is that the activity involved exfiltration of GitHub-internal repositories only. [Emphasis added by VentureBeat] The attacker's current claims of ~3,800 repositories are directionally consistent with our investigation so far." GitHub added that critical secrets were rotated overnight, with the highest-impact credentials prioritized first.
GitHub's confirmation narrows the attack vector to a single employee device but leaves the blast radius expanding. The company has not named the specific extension. Internal repositories contain infrastructure configurations, deployment scripts, staging credentials, and internal API schemas. Source code access at that level is not a data breach. It is an infrastructure intelligence leak.
Dark Web Informer reported that TeamPCP's listing appeared on a hacking forum hours before GitHub's initial disclosure, offering around 4,000 private repositories. Hackmanac independently confirmed the listing. An X account linked to TeamPCP, xploitrsturtle2, posted after GitHub's confirmation: "GitHub knew for hours, they delayed telling you and they won't be honest in the future. What a great run, it's been an honor to mess around with the cats over the past few months."
Google Threat Intelligence Group formally tracks TeamPCP as UNC6780, a financially motivated threat actor specializing in supply chain attacks targeting open-source security utilities and AI middleware. Trend Micro tracked "at least seven confirmed waves" spanning Trivy (March 2026), Checkmarx KICS, LiteLLM, elementary-data, Bitwarden CLI, TanStack (May 11), and Mistral AI (May 12). StepSecurity, Snyk, and Trend Micro assess high confidence on the Trivy, Bitwarden CLI, and TanStack waves based on toolchain overlap. GitHub's May 20 confirmation that the breach came through a poisoned VS Code extension aligns with the exact attack surface TeamPCP weaponized throughout 2026.
Binance co-founder CZ posted immediately: "If you have ANY private repos with plain text secrets or sensitive documents/architectures, immediately rotate your secrets." Mike Riemer, CTO of Ivanti, told VentureBeat in an exclusive interview that Azure's honeypot network now shows known vulnerabilities exploited in under 90 seconds. Stolen credentials shorten the recon phase that precedes exploitation. Every GitHub-side secret that reaches a buyer accelerates whichever attack path that buyer was already running.
The worm that forges its own provenance badge
Hours before GitHub's disclosure, Endor Labs detected 42 malicious npm packages published between 01:39 and 02:06 UTC on May 19. Socket's broader monitoring put the full wave at 639 malicious versions across 323 packages within Alibaba's @antv data visualization ecosystem, roughly 16 million weekly downloads.
This wave introduced provenance forgery. The worm now calls Fulcio and Rekor at runtime to generate valid Sigstore signing certificates for every package it propagates to. Provenance tooling shows a green badge. The build chain belongs to the attacker. "The attestation proves where the package was built. It doesn't prove the build was authorized," Endor Labs stated.
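What the green badge does and does not check, as an added example (not Endor Labs', Socket's or npm's code): the policy check below takes an npm-style SLSA v1 provenance statement whose Sigstore signature is assumed to have been verified already by the registry or client, and asks whether the attested identity (repository, release workflow, tag ref, builder) is the one allowed for this package. The package name, the policy and both statements are constructed; the statement layout follows the SLSA v1 shape emitted for GitHub Actions builds. A statement carrying a valid certificate but produced from a branch by a different workflow fails here while still rendering a green badge; and since a legitimate identity still does not prove the build was authorized, a release-age gate in the spirit of npm's minimumReleaseAge is included alongside.

```python
import datetime as dt

# Policy for one hypothetical package: which repository, release workflow and
# builder are allowed to produce its published versions.
POLICY = {
    "pkg:npm/%40example/widgets": {
        "repository": "https://github.com/example/widgets",
        "workflow_path": ".github/workflows/release.yml",
        "builder_id": "https://github.com/actions/runner/github-hosted",
    },
}


def check_provenance(statement, version):
    """Return policy violations for an in-toto/SLSA v1 provenance statement.

    An empty list means the attested identity matches POLICY for `version`.
    This does NOT verify the Sigstore signature (assumed done upstream), and a
    matching identity does not prove the build was authorized: pair it with a
    release-age gate and a check that the built commit is reachable from the
    repository's default branch."""
    problems = []
    subject = statement["subject"][0]["name"]          # pkg:npm/<purl>@<version>
    pkg, _, subj_version = subject.rpartition("@")
    policy = POLICY.get(pkg)
    if policy is None:
        return [f"no policy for {pkg}"]
    if subj_version != version:
        problems.append(f"subject version {subj_version} != installed {version}")
    pred = statement["predicate"]
    workflow = pred["buildDefinition"]["externalParameters"]["workflow"]
    if workflow.get("repository") != policy["repository"]:
        problems.append(f"built in {workflow.get('repository')}, expected {policy['repository']}")
    if workflow.get("path") != policy["workflow_path"]:
        problems.append(f"built by workflow {workflow.get('path')}, expected {policy['workflow_path']}")
    if workflow.get("ref") != f"refs/tags/v{version}":
        problems.append(f"built from ref {workflow.get('ref')}, expected refs/tags/v{version}")
    builder = pred["runDetails"]["builder"]["id"]
    if builder != policy["builder_id"]:
        problems.append(f"builder {builder} not allowed")
    return problems


def release_age_ok(published_at_iso, now_iso, minimum_days=7):
    """Release-age gate: a version younger than `minimum_days` is held back
    even when its provenance is clean (timestamps as ISO 8601 strings)."""
    published = dt.datetime.fromisoformat(published_at_iso)
    now = dt.datetime.fromisoformat(now_iso)
    return now - published >= dt.timedelta(days=minimum_days)


def make_statement(ref, path, builder_id):
    """Constructed SLSA v1 statement in the npm / GitHub Actions shape (sample data)."""
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": "pkg:npm/%40example/widgets@1.2.3",
                     "digest": {"sha512": "00" * 64}}],
        "predicateType": "https://slsa.dev/provenance/v1",
        "predicate": {
            "buildDefinition": {
                "buildType": "https://actions.github.io/buildtypes/workflow/v1",
                "externalParameters": {"workflow": {
                    "ref": ref,
                    "repository": "https://github.com/example/widgets",
                    "path": path}},
            },
            "runDetails": {"builder": {"id": builder_id}},
        },
    }


# Legitimate release: tag build by the release workflow on a GitHub-hosted runner.
GOOD = make_statement("refs/tags/v1.2.3", ".github/workflows/release.yml",
                      "https://github.com/actions/runner/github-hosted")
# Same package, validly signed, but produced from a branch by a different
# workflow: the badge is still green, the policy check is not.
OFF_POLICY = make_statement("refs/heads/main", ".github/workflows/ci.yml",
                            "https://github.com/actions/runner/github-hosted")

if __name__ == "__main__":
    print("good:", check_provenance(GOOD, "1.2.3"))
    print("off-policy:", check_provenance(OFF_POLICY, "1.2.3"))
    print("age gate:", release_age_ok("2026-05-19T01:39:00+00:00", "2026-05-20T00:00:00+00:00"))
```

The policy is keyed on the package purl rather than on the signing certificate alone because that is where the forgery bites: the certificate is genuine, so the only question left is whether the identity it binds is the one this package's releases are supposed to come from.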
Peyton Kennedy, senior security researcher at Endor Labs, told VentureBeat that "TanStack had the right setup on paper: OIDC trusted publishing, signed provenance, 2FA on every maintainer account. The attack worked anyway. Each wave has picked a higher-download target and introduced a more technically interesting entry vector."
Late on May 12, vx-underground reported that TeamPCP open-sourced the fully weaponized Shai-Hulud worm code. Copycat variants have already appeared, complicating attribution. Kennedy offered VentureBeat a first-pass detection check: run find . -name 'router_init.js' -size +1M across project directories and grep for the hash 79ac49eedf774dd4b0cfa308722bc463cfe5885c in package-lock.json. If either returns a hit, isolate and image the machine before revoking any tokens. The worm's destructive daemon triggers on revocation.
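Kennedy's two indicators as a runnable sweep, added here and not Endor Labs' tooling: the file name, the 1 MB threshold and the hash are the ones quoted above; the project layout that demo() builds in a temporary directory is constructed. The scan is read-only, and its verdict is deliberately "isolate-and-image" rather than anything that touches a token.

```python
import os
import tempfile

IOC_HASH = "79ac49eedf774dd4b0cfa308722bc463cfe5885c"   # hash quoted in the article
ROUTER_INIT_MIN_BYTES = 1 << 20                          # find's "-size +1M" threshold


def scan_tree(root):
    """Return (indicator, path) hits for the two first-pass indicators:
    an oversized router_init.js and the IOC hash inside a package-lock.json.
    Read-only on purpose: nothing here rotates or revokes a token."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if name == "router_init.js" and os.path.getsize(path) > ROUTER_INIT_MIN_BYTES:
                    hits.append(("oversized router_init.js", path))
                elif name == "package-lock.json":
                    with open(path, "rb") as fh:
                        if IOC_HASH.encode() in fh.read().lower():
                            hits.append(("IOC hash in package-lock.json", path))
            except OSError:
                continue  # unreadable file: skip it, keep scanning


    return hits


def triage(root):
    """First response step for a tree: image the host before revoking anything,
    because the worm's destructive daemon triggers on revocation."""
    return "isolate-and-image" if scan_tree(root) else "clean"


def demo():
    """Build a constructed sample layout (one clean project, one with the hash in
    its lockfile, one with an oversized router_init.js) and triage each."""
    base = tempfile.mkdtemp(prefix="shai-hulud-demo-")
    projects = {"clean": None, "lockfile-hit": "lock", "router-hit": "router"}
    for name, kind in projects.items():
        dep_dir = os.path.join(base, name, "node_modules", "some-dep")
        os.makedirs(dep_dir)
        lock = '{"name":"app","lockfileVersion":3,"packages":{}}\n'
        if kind == "lock":   # upper-cased to show the match is case-insensitive
            lock = '{"name":"app","packages":{"node_modules/some-dep":{"resolved":"%s"}}}\n' % IOC_HASH.upper()
        with open(os.path.join(base, name, "package-lock.json"), "w") as fh:
            fh.write(lock)
        if kind == "router":
            with open(os.path.join(dep_dir, "router_init.js"), "wb") as fh:
                fh.write(b"\0" * (ROUTER_INIT_MIN_BYTES + 1))
    return {name: triage(os.path.join(base, name)) for name in projects}


if __name__ == "__main__":
    for project, verdict in demo().items():
        print(f"{project}: {verdict}")
```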
GitHub Actions tags redirected to imposter commits the same day
Also on May 19, threat actors compromised the popular GitHub Actions workflow actions-cool/issues-helper by redirecting every existing tag in the repository to an imposter commit that does not appear in the action's normal commit history. "That commit contains malicious code that exfiltrates credentials from CI/CD pipelines that run the action," StepSecurity researcher Varun Sharma said. GitHub has since disabled access to the repository.
The exfiltration domain (t.m-kosche[.]com) matches the @antv Mini Shai-Hulud wave, tying the two clusters together. Only workflows pinned to a known-good full commit SHA were unaffected.
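An audit for exactly this failure mode, added here and not StepSecurity's code: list the actions a workflow references by a mutable tag or branch instead of a full commit SHA, and, given a local clone, confirm that a tag still resolves to a commit reachable from the default branch, which a retargeted tag pointing at an imposter commit outside the normal history is not. The sample workflow and the 40-hex pin in it are constructed; the action names are the ones named above.

```python
import re
import subprocess

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_uses(workflow_text):
    """Return (action, ref) for every remote `uses:` line in a workflow file.
    Local actions (./path) and docker:// images are skipped."""
    found = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        spec = m.group(1).strip("'\"")
        if spec.startswith("./") or spec.startswith("docker://"):
            continue
        action, _, ref = spec.partition("@")
        found.append((action, ref))
    return found


def unpinned(workflow_text):
    """Actions referenced by a mutable ref (tag or branch) rather than a full
    commit SHA. Only SHA pins survived the issues-helper tag retargeting."""
    return [(a, r) for a, r in parse_uses(workflow_text) if not FULL_SHA_RE.match(r)]


def tag_is_reachable(repo_dir, tag, branch="origin/main"):
    """True if the commit `tag` points at is an ancestor of `branch` in a local
    clone. A tag moved to an imposter commit that sits outside the normal history
    returns False. Needs git on PATH; not exercised by the constructed sample."""
    commit = subprocess.run(
        ["git", "-C", repo_dir, "rev-parse", f"{tag}^{{commit}}"],
        capture_output=True, text=True, check=True,
    ).stdout.strip()
    ancestor = subprocess.run(
        ["git", "-C", repo_dir, "merge-base", "--is-ancestor", commit, branch],
        capture_output=True,
    )
    return ancestor.returncode == 0


# Constructed sample workflow; the SHA on the last step is hypothetical.
SAMPLE_WORKFLOW = """\
name: issue-triage
on:
  issues:
    types: [opened]
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions-cool/issues-helper@v3
      - uses: ./.github/actions/local-step
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567  # hypothetical SHA pin
"""

if __name__ == "__main__":
    for action, ref in unpinned(SAMPLE_WORKFLOW):
        print(f"mutable ref: {action}@{ref}")
```

Pinning to a SHA only helps if the SHA was taken from the action's real history before the compromise; tag_is_reachable is the check to run before trusting a tag-to-SHA mapping looked up after the fact.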
The worm jumped to Microsoft's own Python SDK the same day
Hours after the @antv wave, Wiz detected that TeamPCP had compromised durabletask, the official Microsoft Python client for the Durable Task workflow execution framework. Three malicious versions (1.4.1, 1.4.2, and 1.4.3) were published to PyPI within a 35-minute window on May 19. The attack chain was direct: a GitHub account compromised in a previous TeamPCP operation still had access to the microsoft/durabletask-python repository. The attacker dumped GitHub Secrets, extracted a PyPI publishing token, and pushed the infected releases directly. PyPI quarantined all three versions.
StepSecurity's analysis found the payload downloads a 28 KB dropper (rope.pyz) that steals credentials from AWS, Azure, GCP, Kubernetes, and over 90 developer tool configurations, then spreads laterally through cloud infrastructure. The payload skips systems with a Russian locale. The durabletask package averages over 400,000 monthly downloads.
VS Code extensions breached GitHub itself, and that isn't even the first compromise this week
On May 18, attackers published a compromised version of the Nx Console VS Code extension, installed more than 2.2 million times. The malicious version harvested tokens from GitHub, npm, AWS, HashiCorp Vault, Kubernetes, and 1Password, and specifically targeted Claude Code configuration files under ~/.claude/settings.json. The Nx team removed it within 11 minutes. Any developer who opened a workspace between 12:36 and 12:47 UTC ran the credential stealer. One day later, GitHub confirmed that a different poisoned VS Code extension was the entry point for the 3,800-repo breach of its own internal infrastructure.
As one X user framed it: "Microsoft's GitHub was compromised when a Microsoft developer using Microsoft VSCode installed a rogue extension from Microsoft's VSCode extension library, which is moderated and hosted by Microsoft." The entire attack chain stayed within one vendor's ecosystem. Developers have been reporting malicious VS Code extensions to Microsoft for years. A publicly documented complaint from December 2024 asked Microsoft to fix the marketplace. Eighteen months later, the marketplace was the entry point for a breach of GitHub itself.
AI coding agents treat trust dialogs as features, not security events
Adversa AI's TrustFall research, published May 7, examined Claude Code, Gemini CLI, Cursor CLI, and Copilot CLI. "A repository can ship a configuration that auto-approves and immediately launches an MCP server, no tool call from the agent is required," researcher Rony Utevsky told Dark Reading. All four default to "Yes/Trust." The Managed scope configuration that could lock this down is "rarely used." When Claude Code runs headless through GitHub Actions, the trust dialog never renders.
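The weak setting beside the corrected one, as an added example (not Adversa AI's or Anthropic's code): given a user settings file and a repo-supplied .mcp.json, report which servers would launch with no per-server approval. The key names enableAllProjectMcpServers, enabledMcpjsonServers and disabledMcpjsonServers and the mcpServers layout are assumed from Claude Code's settings format rather than taken from the page; the server definitions are constructed.

```python
import json

# Constructed: the .mcp.json a repository could ship. Whoever controls the
# clone or the PR branch controls this file, so each "command" is untrusted input.
REPO_MCP_JSON = json.loads("""
{
  "mcpServers": {
    "docs-search": {"command": "node", "args": ["./tools/docs-mcp.js"]},
    "helper":      {"command": "sh",   "args": ["-c", "./scripts/bootstrap.sh"]}
  }
}
""")

# Weak: every server in any opened project starts without a prompt.
WEAK_SETTINGS = {"enableAllProjectMcpServers": True}

# Corrected: no blanket approval; servers are allowlisted by name, the rest denied.
HARDENED_SETTINGS = {
    "enableAllProjectMcpServers": False,
    "enabledMcpjsonServers": ["docs-search"],
    "disabledMcpjsonServers": ["helper"],
}


def servers_started_without_prompt(settings, mcp_json):
    """Return {name: command line} for the project servers that would start
    under `settings` without a trust dialog (schema assumed, see lead-in)."""
    servers = mcp_json.get("mcpServers", {})
    disabled = set(settings.get("disabledMcpjsonServers", []))
    if settings.get("enableAllProjectMcpServers", False):
        chosen = set(servers) - disabled
    else:
        chosen = (set(servers) & set(settings.get("enabledMcpjsonServers", []))) - disabled
    return {name: " ".join([servers[name]["command"], *servers[name].get("args", [])])
            for name in sorted(chosen)}


def audit(settings, mcp_json):
    """Findings: blanket approval itself, plus each repo-controlled command that
    would run without having been approved by name."""
    findings = []
    if settings.get("enableAllProjectMcpServers", False):
        findings.append("enableAllProjectMcpServers is true: repo-controlled commands run unprompted")
        explicit = set(settings.get("enabledMcpjsonServers", []))
        for name, cmd in servers_started_without_prompt(settings, mcp_json).items():
            if name not in explicit:
                findings.append(f"{name} runs without a per-server approval: {cmd}")
    return findings


if __name__ == "__main__":
    print("weak:", audit(WEAK_SETTINGS, REPO_MCP_JSON))
    print("hardened:", audit(HARDENED_SETTINGS, REPO_MCP_JSON))
```

The hardened settings still start docs-search, but only because a human named it; the difference the audit measures is whether the repository or the user decided what runs.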
PR comments became agent instructions
Aonan Guan, alongside Johns Hopkins colleagues Zhengyu Liu and Gavin Zhong, typed a malicious instruction into a PR title and watched Anthropic's Claude Code Security Review action post its own API key as a comment. The same prompt injection worked against Gemini CLI Action and GitHub's Copilot Agent. Anthropic classified it CVSS 9.4 Critical.
Prompt injection reaches eval() through legitimate API calls
Microsoft disclosed CVE-2026-26030 and CVE-2026-25592 on May 7, both critical in Semantic Kernel. The Python SDK flaw let a crafted prompt achieve host-level remote code execution. The .NET SDK flaw turned an accidentally exposed file-transfer helper into a tool the AI model could invoke, enabling sandbox escape from Azure Container Apps.
Social channels deliver the payload where EDR has no signal
CrowdStrike's 2026 Financial Services Threat Landscape Report, released May 14, quantified identity theft scaling outside developer toolchains. DPRK-nexus actors stole $2.02 billion in digital assets in 2025, a 51% year-over-year increase. PRESSURE CHOLLIMA conducted the largest single financial theft ever reported: $1.46 billion through trojanized software distributed via supply chain compromise. FAMOUS CHOLLIMA doubled its operations using AI-generated identities. STARDUST CHOLLIMA tripled its tempo. The primary delivery channels: WhatsApp and LinkedIn, where EDR has no signal.
"Financial services organizations face threats from every direction, and AI is making each of them harder to stop," Adam Meyers, senior vice president, counter adversary operations at CrowdStrike, said in the report. "Adversaries are using AI to compress the time from initial access to impact, moving through trusted paths faster than legacy defenses can respond." His 2026 Global Threat Report found 82% of detections in 2025 were malware-free. The average eCrime breakout time fell to 29 minutes, with the fastest observed at 27 seconds.
Riemer told VentureBeat the same dynamic applies to developer toolchains. "Bad guys are pivoting to what's the next weakest link. Let me get somebody's house key, and I can make it through the back door." Stolen developer identities are the house key.
Shadow AI usage tripled in one year
The Verizon 2026 DBIR found that 45% of employees are regular AI users, up from 15% last year, with 67% accessing AI through non-corporate accounts. Third-party involvement in breaches jumped to 48%.
The Developer Tool Stolen-Identity Audit Grid
No single surface in this grid qualifies as a zero day. Chained together, they function like one. "I can take a whole bunch of little things and chain them together and get the same level of access," Riemer told VentureBeat. "That's what AI does very, very well."
| Surface | Incident / Vector | Visibility Gap | Recommended Action |
| --- | --- | --- | --- |
| GitHub internal repositories | TeamPCP (UNC6780) stole ~3,800 internal repos via a poisoned VS Code extension on an employee device. GitHub confirmed May 20. Critical secrets rotated overnight. Listing includes security infra and AI tooling repos | Customers cannot audit internal repo contents. Leaked secrets affect every downstream tenant | Rotate GitHub-issued tokens, OAuth app secrets, and Actions OIDC trust relationships |
| npm provenance verification | Mini Shai-Hulud wave (May 19). 639 malicious versions per Socket. Stolen maintainer identity generated legitimate Sigstore certs at runtime | Provenance check passes. Signing identity is stolen. 16M weekly downloads affected | Stop treating provenance badges as sufficient. Add install-time behavioral analysis. Set minimumReleaseAge |
| VS Code extension auto-update | Nx Console v18.95.0 (May 18). Stolen contributor token, orphan commit, three exfil channels. Claude Code configs targeted. 2.2M installs | Auto-update executes the credential stealer silently. No detection class exists | Pin extension versions. Audit auto-update policy. Review publisher token governance |
| AI coding agent CLI trust dialog | TrustFall (Adversa AI). All four CLIs auto-execute untrusted MCP servers with one keypress | Trust dialog is a feature, not a security event. Headless CI skips the dialog entirely | Disable enableAllProjectMcpServers. Require explicit per-server approval |
| CI/CD pipeline agent execution | Comment and Control (Johns Hopkins, CVSS 9.4). PR comments processed as agent instructions | Malicious .mcp.json runs with the runner's full credentials. Zero human interaction | Gate agent runs to post-merge branches. Review pull_request_target workflows |
| AI agent framework eval() path | Semantic Kernel CVE-2026-26030 (9.9) and CVE-2026-25592 (10.0). Prompt injection reaches eval() | EDR sees an approved call. Flat auth plane fails to respect user permissions | Upgrade to Python 1.39.4+ / .NET 1.71.0+. Disable auto-invocation |
| Out-of-band delivery | CrowdStrike FinServ (May 14). WhatsApp and LinkedIn as primary vectors. CHOLLIMA doubled and tripled tempo | EDR has no signal on social-channel delivery. AI-generated identities at scale | Add WhatsApp and LinkedIn to insider-threat playbooks |
Seven surfaces. One group confirmed across at least three of them, with open-sourced tooling enabling copycats across the rest. Kayne McGladrey, IEEE Senior Member, told VentureBeat that organizations are "defaulting to cloning human user profiles for agents, and permission sprawl begins on day one." The compliance frameworks enterprises rely on were written for humans. Agent identities don't appear in any control catalog McGladrey has encountered.

