Skip to main content
Emerging ThreatsData Breaches

GitHub Probes Breach Claim by TeamPCP Hackers

Brightly-lit tech office interior with employees at desks and a large window in the background.

About 3,800 GitHub-internal repositories are "directionally consistent" with a claim from the threat actor TeamPCP that it has exfiltrated roughly 4,000 of the platform's internal repositories and listed the source code for sale for no less than $50,000.

GitHub's initial findings and containment actions

GitHub said it detected and contained a compromise of an employee device that involved a poisoned Microsoft Visual Studio Code extension. The company reported rotating critical secrets as a risk-mitigation measure and said it is "prioritizing highest-impact credentials." In a public update GitHub said, "Our current assessment is that the activity involved exfiltration of GitHub-internal repositories only," and added that it currently has "no evidence of impact to customer information stored outside of GitHub's internal repositories (such as our customers' enterprises, organizations, and repositories)." The company also said it will notify customers via established incident response and notification channels if any impact is discovered.

TeamPCP's public claims and posture

TeamPCP posted the listing for GitHub's source code and internal organizations on a cybercrime forum and set an asking price of at least $50,000. In the forum post, the group said, "As always, this is not a ransom... 1 buyer and we shred the data on our end, it looks like our retirement is soon so if no buyer is found, we leak it for free," according to screenshots shared by Dark Web Informer. An X account linked to TeamPCP, xploitrsturtle2, wrote: "GitHub knew for hours, they delayed telling you and they won't be honest in the future. What an amazing run, it's been an honor to play around with the cats over the past few months."

Durabletask compromise and Mini Shai-Hulud expansion

The disclosure arrived as TeamPCP's self-replicating malware campaign, called Mini Shai-Hulud, continued to spread. Researchers identified three malicious versions of durabletask, an official Microsoft Python client for the Durable Task workflow execution framework: 1.4.1, 1.4.2, and 1.4.3. Google-owned Wiz described the chain of events in one installation as the attacker having "compromised a GitHub account via a previous attack, dumped GitHub secrets from a repository to which the user had access, and from there had access to the PyPi token to publish directly."

Payload behavior, propagation, and capabilities

Researchers described the payload embedded in the compromised durabletask packages as a dropper that fetches and runs a second-stage payload named "rope.pyz" from an external server at "check.git-service[.]com." The malware is assessed to be an evolution of the payload used in the earlier compromise of the guardrails-ai package and is designed to activate a full-featured infostealer capable of harvesting credentials for major cloud providers, password managers, and developer tools and exfiltrating them to an attacker-controlled domain.

SafeDep reported the 28KB Python stealer attempts to read HashiCorp Vault KV secrets, unlock and dump 1Password and Bitwarden vaults, and access SSH keys, Docker credentials, VPN configurations, and shell history. Endor Labs researcher Peyton Kennedy noted the package is "downloaded roughly 417,000 times a month, and the malicious code runs automatically the moment the package is imported, with no error messages and no visible signs of compromise."

Researchers described propagation mechanisms tailored to infected environments. Aikido Security wrote: "If the machine is running inside AWS, it propagates itself to other EC2 instances using SSM. If it's inside Kubernetes, it propagates through kubectl exec," and added a striking behavior: "if it detects Israeli or Iranian system settings, there's a 1-in-6 chance it plays audio and then runs rm -rf /*." StepSecurity detailed the SSM abuse: "After enumerating SSM-managed instances, it uses SendCommand with the AWS-RunShellScript document to execute the rope.pyz payload on up to 5 other EC2 instances per profile." The propagation script downloads the payload from a primary C2, falling back to a secondary domain t.m-kosche[.]com, StepSecurity reported.

Analysts also flagged a resilience mechanism for command-and-control discovery known as FIRESCALE: the malware searches GitHub public commit messages for the pattern "FIRESCALE <base64_url>.<base64_signatue>" and extracts a backup C2 address. Hunt.io had previously highlighted details of this technique.

What this means for technologists, open-source maintainers, and enterprises

  • Technologists and security teams: The immediate actions GitHub took — containing the device, rotating critical secrets and prioritizing high-impact credentials — reflect the kind of incident response companies cited in this case. Teams that pulled packages or imported durabletask should treat affected machines and pipelines as fully compromised, given the stealer's automatic execution upon import.
  • Open-source maintainers and package repositories: The chain described by Wiz — a compromised account leading to dumped secrets and a PyPI token publish — underscores how attacker access to a single set of credentials can be used to push malicious versions. The malware's FIRESCALE fallback and token-stealing propagation increase the risk that the number of affected packages will grow.
  • Affected enterprises and procurement leaders: With GitHub currently assessing exfiltration limited to internal repositories, enterprises should watch for any customer notifications and review whether internal automation or CI/CD processes used GitHub-internal artifacts or tokens that could have been exposed.

GitHub maintains it will notify customers through established channels if further impact is discovered. TeamPCP's public posture — offering source code for sale, threatening a public leak if unsold — and the ongoing spread of Mini Shai-Hulud through popular packages leave open the prospect that this incident will ripple further across software supply chains and cloud environments.

Original story: GitHub Investigating TeamPCP Claimed Breach of ~4,000 Internal Repositories — The Hacker News