Close Menu
    What's Hot

    Coca-Cola suspended production at its Fairlife dairy after a ransomware attack

    Narendra Modi steps up India’s hunt for uranium and critical minerals

    Arhaus Stock Continues To Struggle With Comp Sales (NASDAQ:ARHS)

    Facebook X (Twitter) Instagram
    Trending
    • Coca-Cola suspended production at its Fairlife dairy after a ransomware attack
    • Narendra Modi steps up India’s hunt for uranium and critical minerals
    • Arhaus Stock Continues To Struggle With Comp Sales (NASDAQ:ARHS)
    • Unpatched Shark Vacuum Flaw Could Let Attackers Control Other Vacuums Region-Wide
    • The happiness mistake almost every entrepreneur makes
    • Opinion | The King of the North, Andy Burnham, Won’t Save Britain
    • Assessing the Documents: Fake IDs From China
    • A Trump Obsession That Carries a Cost for Democracy
    interluknewsinterluknews
    • Home
    • Business
      • Corporate News
      • Industry Insights
      • Startups & Entrepreneurship
      • Technology & Innovation
    • Economy
      • Economic Policy
      • Financial Analysis
      • Inflation & Interest Rates
      • Trade & Markets
    • Global
      • Conflicts & Security
      • Diplomacy
      • Global Trends
      • International Affairs
    • Lifestyle
      • Fashion
      • Food & Dining
      • Personal Development
      • Travel
    • Opinion
      • Columns
      • Editorials
      • Expert Opinions
      • Reader Voices
    • More
      • Politics
        • Elections
        • Government & Policy
        • International Relations
        • Political Analysis
      • Sports
        • Cricket
        • Football / Soccer
        • International Sports
        • Local Sports
      • Technology
        • Artificial Intelligence
        • Cybersecurity
        • Gadgets & Reviews
        • Tech News
      • South Africa News
    Facebook X (Twitter) Instagram
    interluknewsinterluknews
    Cybersecurity

    GitHub Investigating TeamPCP Claimed Breach of ~4,000 Internal Repositories

    adminBy adminMay 20, 2026No Comments5 Mins Read
    Share Facebook Twitter Pinterest Copy Link Telegram LinkedIn Tumblr Email
    GitHub Investigating TeamPCP Claimed Breach of ~4,000 Internal Repositories
    Share
    Facebook Twitter LinkedIn Pinterest Email

    GitHub Investigating TeamPCP Claimed Breach of ~4,000 Internal Repositories

    GitHub on Tuesday said it’s investigating unauthorized access to its internal repositories after the notorious threat actor known as TeamPCP listed the platform’s source code and internal organizations for sale on a cybercrime forum.

    “While we currently have no evidence of impact to customer information stored outside of GitHub’s internal repositories (such as our customers’ enterprises, organizations, and repositories), we are closely monitoring our infrastructure for follow-on activity,” the Microsoft-owned subsidiary said.

    The company also noted that it will notify customers via established incident response and notification channels if any impact is discovered.

    The development comes after TeamPCP, a threat actor behind a string of software supply chain attacks targeting open-source packages, listed GitHub’s source code for sale for an asking price of no less than $50,000. The alleged data dump is said to include about 4,000 repositories.

    “As always, this is not a ransom,” the group said in a post, according to screenshots shared by Dark Web Informer. “We do not care about extorting GitHub, 1 buyer and we shred the data on our end, it looks like our retirement is soon so if no buyer is found, we leak it for free.”

    Cybersecurity

    In a follow-up update shared on X, GitHub said it detected and contained a compromise of an employee device involving a poisoned Microsoft Visual Studio Code extension. As a risk mitigation measure, the company has rotated critical secrets, while prioritizing highest-impact credentials.

    “Our current assessment is that the activity involved exfiltration of GitHub-internal repositories only,” GitHub said. “The attacker’s current claims of ~3,800 repositories are directionally consistent with our investigation so far.”

    GitHub did not disclose the name of the VS code extension, although it’s worth noting that Nx Console recently suffered a compromise that allowed threat actors push a multi-stage credential stealer and supply chain poisoning tool. The Nx team has since acknowledged that “very few users were compromised.”

    Following the incident, an X account linked to TeamPCP, xploitrsturtle2, stated: “GitHub knew for hours, they delayed telling you and they won’t be honest in the future. What an amazing run, it’s been an honor to play around with the cats over the past few months.”

    TeamPCP Compromises durabletask PyPI Package

    News of the sale comes as TeamPCP’s self-replicating malware campaign, known as Mini Shai-Hulud, continues to expand in reach with the compromise of durabletask, an official Microsoft Python client for the Durable Task workflow execution framework. Three malicious package versions have been identified: 1.4.1, 1.4.2, and 1.4.3.

    “The attacker compromised a GitHub account via a previous attack, dumped GitHub secrets from a repository to which the user had access, and from there had access to the PyPi token to publish directly,” Google-owned Wiz said.

    The payload embedded into the package is a dropper, which is configured to fetch and run a second-stage payload (“rope.pyz”) from an external server (“check.git-service[.]com”). The malware is assessed to be an evolution of the payload deployed in connection with the compromise of the guardrails-ai package last week.

    Specifically, it’s designed to activate a full-featured infostealer that’s capable of harvesting credentials associated with major cloud providers, password managers, and developer tools, and exfiltrating the data to the attacker-controlled domain. It’s worth noting that the stealer is configured to execute only on Linux systems.

    According to SafeDep, the 28KB Python stealer also attempts to read HashiCorp Vault KV secrets, unlock and dump 1Password and Bitwarden password vaults, and access SSH keys, Docker credentials, VPN configurations, and shell history.

    “If the machine is running inside AWS, it propagates itself to other EC2 instances using SSM. If it’s inside Kubernetes, it propagates through kubectl exec,” Aikido Security said. “And if it detects Israeli or Iranian system settings, there’s a 1-in-6 chance it plays audio and then runs rm -rf /*.”

    “After enumerating SSM-managed instances, it uses SendCommand with the AWS-RunShellScript document to execute the rope.pyz payload on up to 5 other EC2 instances per profile,” per StepSecurity. “The propagation script downloads the payload from the primary C2, falling back to the secondary domain t.m-kosche[.]com, and runs it in the background.”

    Cybersecurity

    Also notable is the use of the FIRESCALE mechanism to identify a backup command-and-control (C2) address in the event the primary domain is unreachable. It does this by searching GitHub’s public commit messages for the pattern “FIRESCALE .” and extracting the C2 information from it. Details of this technique were previously highlighted by Hunt.io.

    Because the worm propagates using tokens stolen from infected environments, the number of affected packages is expected to grow. Any machine or pipeline that installed an affected version of the package should be treated as fully compromised.

    “The package is downloaded roughly 417,000 times a month, and the malicious code runs automatically the moment the package is imported, with no error messages and no visible signs of compromise,” Endor Labs researcher Peyton Kennedy said.

    breach claimed GitHub internal investigating Repositories TeamPCP
    Follow on Google News Follow on Flipboard
    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email Copy Link
    Previous ArticleCultural pioneer Maria McCloy showed us Joburg can thrive
    Next Article Google introduces Gemini Spark, a 24/7 agentic assistant with Gmail integration, at IO 2026
    admin
    • Website

    Related Posts

    Unpatched Shark Vacuum Flaw Could Let Attackers Control Other Vacuums Region-Wide

    July 17, 2026

    Daxin Resurfaces in Taiwan Alongside Stupig Pre-Login SYSTEM Backdoor

    July 17, 2026

    New Agent Data Injection Attack Can Make AI Agents Misclick or Run Attacker Commands

    July 17, 2026
    Leave A Reply Cancel Reply

    Demo
    Latest Posts

    Coca-Cola suspended production at its Fairlife dairy after a ransomware attack

    Narendra Modi steps up India’s hunt for uranium and critical minerals

    Arhaus Stock Continues To Struggle With Comp Sales (NASDAQ:ARHS)

    Unpatched Shark Vacuum Flaw Could Let Attackers Control Other Vacuums Region-Wide

    Latest Posts

    Subscribe to News

    Get the latest sports news from NewsSite about world, sports and politics.

    Advertisement
    Demo

    We are a digital news platform delivering timely, accurate, and insightful coverage of politics, global affairs, business, economy, sports, and more. Our mission is to keep readers informed with reliable news, clear analysis, and stories that truly matter.
    We're social. Connect with us:

    Facebook X (Twitter) Instagram Pinterest YouTube

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    Type above and press Enter to search. Press Esc to cancel.

    Powered by
    ...
    ►
    Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
    None
    ►
    Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
    None
    ►
    Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
    None
    ►
    Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
    None
    ►
    Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.
    None
    Powered by