
GitHub confirms 3,800 internal repos stolen through poisoned VS Code extension as supply chain worm hits Microsoft’s Python SDK

Last updated: May 20, 2026 10:34 pm

Contents
  • GitHub confirms breach, identifies attack vector, and traces the attribution
  • The worm that creates its own provenance badge
  • GitHub Actions tags redirected to fake commits on the same day
  • The worm spread to Microsoft’s own Python SDK the same day
  • VS Code extensions compromised GitHub itself, and it’s not the first incident this week
  • AI coding agents view trust dialogs as features, not security events
  • PR comments turned into agent instructions
  • Prompt injection reaches eval() via legitimate API calls
  • Social channels convey payloads where EDR has no signal
  • Shadow AI usage tripled within a year
  • The Developer Tool Stolen-Identity Audit Grid

On May 20, GitHub revealed that a malicious VS Code extension installed on an employee’s device allowed attackers to gain access to approximately 3,800 internal repositories on the Microsoft-owned platform.

The cybercriminal group TeamPCP, identified by the Google Threat Intelligence Group as UNC6780, has claimed responsibility for the breach. They are reportedly selling the compromised repositories starting at $50,000. According to GitHub, the attacker’s assertions align with their investigation results so far. Organizations such as Trend Micro, StepSecurity, and Snyk have tracked TeamPCP in seven instances of the Mini Shai-Hulud supply chain worm since March.

This security breach at GitHub was part of a larger series of attacks. On the same day, a new wave of the Mini Shai-Hulud worm compromised 639 npm package versions. A day before, a VS Code extension with 2.2 million installs was compromised, and TeamPCP was found to have infiltrated Microsoft’s durabletask Python SDK on PyPI. Additionally, Verizon’s 2026 DBIR reported that 67% of employees use AI tools without corporate oversight. In 48 hours, five supply chain vulnerabilities were exploited. Two additional AI-agent attack types surfaced that month, connecting at least three attack vectors to a single group.

GitHub confirms breach, identifies attack vector, and traces the attribution

“Yesterday, we identified and contained an employee device compromise involving a malicious VS Code extension. We promptly removed the harmful extension, isolated the endpoint, and initiated incident response,” GitHub announced in a series of posts on X on May 20. “Our current evaluation suggests that only GitHub-internal repositories were affected. The attacker’s claim of ~3,800 repositories aligns with our investigation.” GitHub further stated they rotated critical secrets overnight, prioritizing the most impactful credentials first.

While GitHub has traced the attack to a single employee device, the scope of the breach is expanding. The company has not specified which extension was involved. Internal repositories comprise infrastructure setups, deployment scripts, staging credentials, and internal API schemas. Access to source code at this level constitutes an infrastructure intelligence leak rather than a data breach.

Dark Web Informer reported TeamPCP’s listing on a hacking forum prior to GitHub’s disclosure, advertising around 4,000 private repositories. Hackmanac also confirmed this listing. An X account associated with TeamPCP, xploitrsturtle2, posted after GitHub’s confirmation: “GitHub knew for hours, delayed informing you, and won’t be truthful in the future. It’s been an honor to engage with the community over these months.”

The Google Threat Intelligence Group recognizes TeamPCP as UNC6780, a financially motivated threat actor known for supply chain attacks against open-source security tools and AI middleware. Trend Micro has tracked “at least seven confirmed waves” involving Trivy (March 2026), Checkmarx KICS, LiteLLM, elementary-data, Bitwarden CLI, TanStack (May 11), and Mistral AI (May 12). StepSecurity, Snyk, and Trend Micro have high confidence in the Trivy, Bitwarden CLI, and TanStack waves due to toolchain similarities. GitHub’s confirmation on May 20 that the breach was due to a poisoned VS Code extension matches the attack surface exploited by TeamPCP in 2026.


Binance co-founder CZ urged: “If you possess ANY private repositories with plain text secrets or sensitive documents/architectures, rotate your secrets immediately.” Mike Riemer, CTO of Ivanti, shared with VentureBeat that Azure’s honeypot network now shows known vulnerabilities being exploited in under 90 seconds. Stolen credentials reduce the reconnaissance phase before exploitation. Any GitHub-side secret that is sold speeds up the attack path the buyer was already using.

The worm that creates its own provenance badge

Before GitHub’s announcement, Endor Labs detected 42 harmful npm packages published between 01:39 and 02:06 UTC on May 19. Socket’s extended tracking revealed 639 malicious versions across 323 packages within Alibaba’s @antv data visualization ecosystem, accounting for roughly 16 million weekly downloads.

This wave introduced provenance forgery. The worm now calls Fulcio and Rekor during runtime to create legitimate Sigstore signing certificates for each package it propagates. Provenance tools display a green badge. The build chain is controlled by the attacker. “The attestation shows where the package was built. It does not confirm the build was authorized,” Endor Labs commented.

Peyton Kennedy, senior security researcher at Endor Labs, told VentureBeat that “TanStack had the right setup on paper: OIDC trusted publishing, signed provenance, 2FA on every maintainer account. Yet, the attack succeeded. Each wave has targeted higher-download projects and introduced a more sophisticated access vector.”

On May 12, vx-underground reported that TeamPCP released the fully weaponized Shai-Hulud worm code as open source. Copycat variants have already emerged, complicating attribution efforts. Kennedy provided VentureBeat with a basic detection check: execute find . -name 'router_init.js' -size +1M in project directories and grep for the hash 79ac49eedf774dd4b0cfa308722bc463cfe5885c in package-lock.json. If either returns a result, isolate and image the system before revoking any tokens. The worm’s destructive daemon activates upon revocation.
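The detection check described above, wrapped as a script that scans a project tree for both indicators and prints the response order. This is an added example, not code from Endor Labs or the article; the file name and hash are the two values quoted above, while the function names and the sample trees are constructed.

```sh
#!/bin/sh
# Added example. The two indicator values are the ones quoted in the article;
# function names and the sample tree are constructed for illustration.
IOC_FILE="router_init.js"
IOC_HASH="79ac49eedf774dd4b0cfa308722bc463cfe5885c"

# scan_project DIR: print one line per hit; return 1 on any hit, 0 if clean.
scan_project() {
    root=${1:-.}
    # Indicator 1: a router_init.js larger than 1 MiB anywhere in the tree.
    big=$(find "$root" -type f -name "$IOC_FILE" -size +1M 2>/dev/null || true)
    # Indicator 2: the hash in any package-lock.json (fixed-string match).
    locks=$(find "$root" -type f -name package-lock.json \
            -exec grep -lF -- "$IOC_HASH" {} + 2>/dev/null || true)
    if [ -n "$big" ]; then
        printf '%s\n' "$big" | sed 's/^/HIT oversized router_init.js: /'
    fi
    if [ -n "$locks" ]; then
        printf '%s\n' "$locks" | sed 's/^/HIT hash in lockfile: /'
    fi
    if [ -n "$big$locks" ]; then
        # Order matters: the article says revocation triggers the worm's
        # destructive daemon, so evidence capture comes first.
        echo "ACTION isolate and image this system BEFORE revoking any tokens"
        return 1
    fi
    echo "OK no indicators under $root"
}

# make_sample DIR: build three constructed project trees for a dry run.
make_sample() {
    mkdir -p "$1/clean" "$1/lockhit" "$1/filehit/node_modules/pkg"
    printf '{"name":"app","lockfileVersion":3}\n' > "$1/clean/package-lock.json"
    echo 'module.exports = {};' > "$1/clean/router_init.js"   # small: no hit
    printf '{"packages":{"x":{"resolved":"constructed-sample#%s"}}}\n' \
        "$IOC_HASH" > "$1/lockhit/package-lock.json"
    # 2 MiB of zeros stands in for the oversized file.
    dd if=/dev/zero of="$1/filehit/node_modules/pkg/$IOC_FILE" \
        bs=1024 count=2048 2>/dev/null
}

demo=$(mktemp -d)
make_sample "$demo"
for p in clean lockhit filehit; do
    scan_project "$demo/$p" || true
done
rm -rf "$demo"
```

Run scan_project against each checkout and build directory; a non-zero exit status means at least one indicator matched.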

GitHub Actions tags redirected to fake commits on the same day

On May 19, threat actors compromised the popular GitHub Actions workflow actions-cool/issues-helper by redirecting every existing tag in the repository to a fake commit that does not appear in the action’s usual commit history. “That commit includes malicious code that extracts credentials from CI/CD pipelines using the action,” StepSecurity researcher Varun Sharma noted. GitHub has since disabled access to the repository.

The domain used for exfiltration (t.m-kosche[.]com) matches the @antv Mini Shai-Hulud wave, linking the two clusters. Only workflows pinned to a known-good full commit SHA were unaffected.
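One way to audit the pinning condition in the last sentence: list every uses: reference in a workflow tree that is not pinned to a full 40-character commit SHA. This is an added example, not StepSecurity's or GitHub's tooling; the workflow file, the tag name some-tag, the example-org action and the pinned SHA are constructed placeholders.

```sh
#!/bin/sh
# Added example. The workflow content, tag name and pinned SHA below are
# constructed placeholders, not values from the incident.

# unpinned_actions DIR: print file:line: ref for every uses: reference that is
# not pinned to a full 40-hex commit SHA. Returns 1 if any were found.
unpinned_actions() {
    found=$(find "$1" -type f \( -name '*.yml' -o -name '*.yaml' \) -exec awk '
        /^[ \t]*(-[ \t]*)?uses:[ \t]*/ {
            ref = $0
            sub(/^[ \t]*(-[ \t]*)?uses:[ \t]*/, "", ref)
            sub(/[ \t]+#.*$/, "", ref)          # drop trailing comment
            gsub(/["\047 \t\r]/, "", ref)       # drop quotes and whitespace
            # Local actions and container images are outside this check.
            if (ref ~ /^\.\// || ref ~ /^docker:/) next
            n = index(ref, "@")
            sha = n ? substr(ref, n + 1) : ""
            # A tag or branch can be repointed; a full commit SHA cannot.
            if (length(sha) == 40 && sha ~ /^[0-9a-f]+$/) next
            printf "%s:%d: %s\n", FILENAME, FNR, ref
        }' {} + 2>/dev/null || true)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
}

# make_workflow DIR: write one constructed workflow with a tag-pinned step,
# a SHA-pinned step and a local action.
make_workflow() {
    mkdir -p "$1/.github/workflows"
    cat > "$1/.github/workflows/triage.yml" <<'EOF'
name: triage
on: issues
jobs:
  t:
    runs-on: ubuntu-latest
    steps:
      - uses: actions-cool/issues-helper@some-tag   # mutable tag
      - uses: example-org/pinned-action@0123456789abcdef0123456789abcdef01234567 # pinned
      - uses: ./.github/actions/local
EOF
}

demo=$(mktemp -d)
make_workflow "$demo"
unpinned_actions "$demo" || echo "unpinned references found: pin each to a reviewed commit SHA"
rm -rf "$demo"
```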

The worm spread to Microsoft’s own Python SDK the same day

After the @antv wave, Wiz discovered that TeamPCP had compromised durabletask, Microsoft’s official Python client for the Durable Task workflow execution framework. Three harmful versions (1.4.1, 1.4.2, and 1.4.3) were uploaded to PyPI within a 35-minute timeframe on May 19. The attack chain was direct: a GitHub account compromised in a previous TeamPCP operation still had access to the microsoft/durabletask-python repository. The attacker extracted GitHub Secrets, obtained a PyPI publishing token, and uploaded the infected versions directly. PyPI quarantined all three versions.

StepSecurity’s analysis determined that the payload downloads a 28 KB dropper (rope.pyz) that steals credentials from AWS, Azure, GCP, Kubernetes, and over 90 developer tool configurations, then spreads laterally through cloud infrastructure. The payload avoids systems with a Russian locale. The durabletask package averages over 400,000 monthly downloads.


VS Code extensions compromised GitHub itself, and it’s not the first incident this week

On May 18, attackers uploaded a compromised version of the Nx Console VS Code extension, which had been installed over 2.2 million times. The harmful version stole tokens from GitHub, npm, AWS, HashiCorp Vault, Kubernetes, and 1Password, specifically targeting Claude Code configuration files in ~/.claude/settings.json. The Nx team removed it within 11 minutes. Any developer who opened a workspace between 12:36 and 12:47 UTC triggered the credential stealer. The following day, GitHub confirmed that another poisoned VS Code extension served as the entry point for the breach of its internal infrastructure.

One X user highlighted: “Microsoft’s GitHub was compromised when a Microsoft developer using Microsoft VSCode installed a rogue extension from Microsoft’s VSCode extension library, which is moderated and hosted by Microsoft.” The entire attack chain remained within one vendor’s ecosystem. Developers have been alerting Microsoft about malicious VS Code extensions for years. A documented complaint from December 2024 requested Microsoft to address marketplace issues. Eighteen months later, the marketplace was the entry point for a breach of GitHub itself.

AI coding agents view trust dialogs as features, not security events

Adversa AI’s TrustFall research, released on May 7, evaluated Claude Code, Gemini CLI, Cursor CLI, and Copilot CLI. “A repository can ship a configuration that auto-approves and launches an MCP server immediately, without any tool call from the agent,” researcher Rony Utevsky told Dark Reading. All four default to “Yes/Trust.” The Managed scope configuration that could restrict this is “rarely used.” When Claude Code runs headless through GitHub Actions, the trust dialog is not displayed.

PR comments turned into agent instructions

Aonan Guan, in collaboration with Johns Hopkins colleagues Zhengyu Liu and Gavin Zhong, inserted a malicious directive into a PR title and observed Anthropic’s Claude Code Security Review action posting its own API key as a comment. The same prompt injection was effective against Gemini CLI Action and GitHub’s Copilot Agent. Anthropic rated it as CVSS 9.4 Critical.

Prompt injection reaches eval() via legitimate API calls

On May 7, Microsoft reported CVE-2026-26030 and CVE-2026-25592, both critical in Semantic Kernel. The Python SDK flaw allowed a crafted prompt to achieve host-level remote code execution. The .NET SDK flaw transformed an accidentally exposed file-transfer helper into a tool the AI model could call, enabling escape from Azure Container Apps.

Social channels convey payloads where EDR has no signal

CrowdStrike’s 2026 Financial Services Threat Landscape Report, released on May 14, quantified identity theft activities outside developer toolchains. DPRK-nexus actors stole $2.02 billion in digital assets in 2025, representing a 51% increase from the previous year. PRESSURE CHOLLIMA carried out the largest single financial theft ever reported: $1.46 billion through trojanized software distributed via supply chain compromise. FAMOUS CHOLLIMA doubled its operations using AI-generated identities. STARDUST CHOLLIMA tripled its pace. The primary delivery methods: WhatsApp and LinkedIn, where EDR has no signal.

“Financial services organizations face threats from all directions, and AI makes each of them harder to prevent,” Adam Meyers, senior vice president, counter adversary operations at CrowdStrike, explained in the report. “Adversaries are using AI to reduce the time from initial access to impact, navigating trusted paths faster than legacy defenses can respond.” His 2026 Global Threat Report indicated that 82% of detections in 2025 were malware-free. The average eCrime breakout time dropped to 29 minutes, with the quickest observed at 27 seconds.


Riemer shared with VentureBeat that the same trend applies to developer toolchains. “Bad actors are shifting to the next weakest link. If I have someone’s house key, I can enter through the back door.” Stolen developer identities are the key.

Shadow AI usage tripled within a year

The Verizon 2026 DBIR reported that 45% of employees are regular AI users, up from 15% the previous year, with 67% accessing AI via non-corporate accounts. Third-party involvement in breaches rose to 48%.

The Developer Tool Stolen-Identity Audit Grid

No single surface in this grid qualifies as a zero day. When combined, they function like one. “I can combine many small things and chain them together to achieve the same level of access,” Riemer mentioned to VentureBeat. “That’s what AI does exceptionally well.”

| Surface | Incident / Vector | Visibility Gap | Recommended Action |
|---|---|---|---|
| GitHub internal repositories | TeamPCP (UNC6780) stole ~3,800 internal repos via poisoned VS Code extension on an employee device. GitHub confirmed on May 20. Critical secrets rotated overnight. Listing includes security infra and AI tooling repos | Customers cannot audit internal repo contents. Leaked secrets affect every downstream tenant | Rotate GitHub-issued tokens, OAuth app secrets, and Actions OIDC trust relationships |
| npm provenance verification | Mini Shai-Hulud wave (May 19). 639 malicious versions per Socket. Stolen maintainer identity generated legitimate Sigstore certs at runtime | Provenance check passes. Signing identity is stolen. 16M weekly downloads affected | Stop treating provenance badges as sufficient. Add install-time behavioral analysis. Set minimumReleaseAge |
| VS Code extension auto-update | Nx Console v18.95.0 (May 18). Stolen contributor token, orphan commit, three exfil channels. Claude Code configs targeted. 2.2M installs | Auto-update executes credential stealer silently. No detection category exists | Pin extension versions. Audit auto-update policy. Review publisher token governance |
| AI coding agent CLI trust dialog | TrustFall (Adversa AI). All four CLIs auto-execute untrusted MCP servers with one keypress | Trust dialog is a feature, not a security event. Headless CI skips dialog entirely | Disable enableAllProjectMcpServers. Require explicit per-server approval |
| CI/CD pipeline agent execution | Comment and Control (Johns Hopkins, CVSS 9.4). PR comments processed as agent instructions | Malicious .mcp.json runs with runner’s full credentials. Zero human interaction | Gate agent runs to post-merge branches. Review pull_request_target workflows |
| AI agent framework eval() path | Semantic Kernel CVE-2026-26030 (9.9) and CVE-2026-25592 (10.0). Prompt injection reaches eval() | EDR sees approved call. Flat auth plane fails to respect user permissions | Upgrade to Python 1.39.4+ / .NET 1.71.0+. Disable auto-invocation |
| Out-of-band delivery | CrowdStrike FinServ (May 14). WhatsApp and LinkedIn as primary vectors. CHOLLIMA doubled and tripled tempo | EDR has no signal on social-channel delivery. AI-generated identities at scale | Add WhatsApp and LinkedIn to insider-threat playbooks |

Seven surfaces were affected. One group was confirmed across at least three of them, with open-source tools enabling imitations across the others. Kayne McGladrey, IEEE Senior Member, stated to VentureBeat that organizations are “defaulting to cloning human user profiles for agents, and permission sprawl starts on day one.” Compliance frameworks relied upon by enterprises were designed for humans. Agent identities do not appear in any control catalog McGladrey has encountered.
