TeamPCP, a hacker group that specializes in supply chain attacks, recently posted an advertisement offering to sell the core source code and internal organizational structure information of the code hosting platform GitHub. The group claimed the deal was not extortion but an exclusive direct sale. Of course, even if it had tried to blackmail GitHub, the company would be unlikely to pay a ransom in exchange for keeping the data confidential.

It is worth noting that TeamPCP did not provide any sample data, showing only a directory listing of the source code repositories and related screenshots. It seems that capable hackers do not bother to provide samples: GitHub has now officially confirmed that it was indeed attacked, and after a preliminary investigation it confirmed that approximately 3,800 internal repositories were stolen.
Source code repository involving multiple core functions:
Judging from the directory listing and screenshots published by the hackers, the stolen data covers source code repositories for multiple core GitHub functions, including GitHub Copilot, GitHub Enterprise Server, the Red Team, as well as vulnerability management, security risk reporting, and repositories for hardening the graphical user interface against cross-site scripting (XSS) attacks. In addition, repositories for GitHub operations channels (ChatOps) and internal communications were also stolen.
Part of the compressed package name:
raycast-github-copilot.tar.gz
chiedo-copilot-cli-skills.tar.gz
github-enterprise-server-release-notifier.tar.gz
github-security-risk-reporting.tar.gz
red-team.tar.gz
github-ui-xss-hardening-research.tar.gz
github-india.tar.gz
repo-custom-claims-chatops.tar.gz
GitHub confirms data breach after investigation:
GitHub confirmed the data leak after a preliminary investigation. The source of the attack was a Visual Studio Code extension containing malicious code that a GitHub employee had installed. The extension itself was likely a victim of the TeamPCP worm, meaning the extension's developer was compromised first; the attackers then used the developer's stolen credentials to publish a version of the extension containing malicious code. Every developer who installed the malicious version in turn had their own credentials stolen.
After detecting the threat, GitHub immediately removed the malicious version of the extension and quarantined the employee's device. As an emergency measure, GitHub also immediately rotated all key credentials that might have been affected. However, given that the worm may still be spreading, GitHub also needs to continue analyzing logs and monitoring subsequent activity to prevent it from infecting other systems and stealing more credentials.
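The attack chain above turns on a trusted extension silently updating to a malicious version. One defensive control is to pin the extensions a developer machine is allowed to run and audit the installed set against that pin, flagging both unexpected versions and extensions that were never reviewed. The script below is an added example written for this article, not GitHub's own tooling; it assumes the layout of VS Code's extensions.json (a JSON array whose entries carry `identifier.id` and `version`), and the extension names, versions and the approved list are all constructed for illustration.

```python
import json
from pathlib import Path

# Constructed sample modelled on the layout of VS Code's extensions.json
# (~/.vscode/extensions/extensions.json). The layout is an assumption and
# every publisher, name and version here is invented for this example.
SAMPLE_EXTENSIONS_JSON = json.dumps([
    {"identifier": {"id": "example-publisher.linter-tool"}, "version": "1.4.2"},
    {"identifier": {"id": "example-publisher.theme-pack"}, "version": "2.0.0"},
    {"identifier": {"id": "unknown-publisher.helper"}, "version": "0.1.0"},
    {"version": "9.9.9"},  # malformed entry without an identifier; skipped
])

# Pinned allowlist: extension id -> the exact version that was reviewed.
# Constructed for the example; a real deployment would ship this from
# a central, reviewed source rather than from the developer's machine.
APPROVED = {
    "example-publisher.linter-tool": "1.4.1",
    "example-publisher.theme-pack": "2.0.0",
}


def parse_installed(raw):
    """Return {extension_id: version} from extensions.json text.

    Entries that lack an identifier or a version are ignored rather than
    crashing the audit, so one odd record cannot hide the rest.
    """
    installed = {}
    for entry in json.loads(raw):
        ext_id = entry.get("identifier", {}).get("id")
        version = entry.get("version")
        if ext_id and version:
            installed[ext_id] = version
    return installed


def load_installed(path):
    """Read a real extensions.json from disk (path is caller-supplied)."""
    return parse_installed(Path(path).read_text(encoding="utf-8"))


def audit(installed, approved):
    """Compare installed extensions against the pinned allowlist.

    Returns three sorted lists:
      version_drift: (id, installed_version, approved_version) for pinned
                     extensions whose version changed, e.g. a silent update
                     pushed with a hijacked publisher account
      not_approved:  (id, installed_version) for extensions never reviewed
      approved:      (id, installed_version) for exact matches
    """
    findings = {"version_drift": [], "not_approved": [], "approved": []}
    for ext_id, version in sorted(installed.items()):
        if ext_id not in approved:
            findings["not_approved"].append((ext_id, version))
        elif approved[ext_id] != version:
            findings["version_drift"].append((ext_id, version, approved[ext_id]))
        else:
            findings["approved"].append((ext_id, version))
    return findings


def is_clean(findings):
    """True only when every installed extension matches the pinned version."""
    return not findings["version_drift"] and not findings["not_approved"]


if __name__ == "__main__":
    result = audit(parse_installed(SAMPLE_EXTENSIONS_JSON), APPROVED)
    for ext_id, got, want in result["version_drift"]:
        print(f"DRIFT        {ext_id}: installed {got}, pinned {want}")
    for ext_id, got in result["not_approved"]:
        print(f"NOT APPROVED {ext_id} {got}")
    print("clean" if is_clean(result) else "review required")
```

Run against a real machine by calling `load_installed` with the path to the user's extensions.json and feeding the result to `audit`. A drift finding is the signal to look for in the scenario described here: the extension id is unchanged and still trusted, but the version no longer matches what was reviewed, which is exactly what a hijacked publisher account produces.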
Finally, GitHub confirmed that approximately 3,800 internal source code repositories were stolen. GitHub will subsequently release a detailed security investigation report to share its experience.