
GitHub Data Breach: Employee Device Hack Exposes Over 3,800 Internal Repositories

GitHub is currently investigating a significant security incident where over 3,800 internal repositories were reportedly exposed. The breach is attributed to unauthorized access stemming from a compromised employee device, with threat actor group TeamPCP claiming responsibility and listing the data for sale. The company is actively monitoring its infrastructure and has taken steps to mitigate risks.

Key Takeaways

  • GitHub is investigating a data breach affecting over 3,800 internal repositories.

  • The breach originated from a compromised employee device, linked to a poisoned Visual Studio Code extension.

  • Threat actor group TeamPCP is claiming responsibility and has listed the data for sale.

  • GitHub has no evidence of customer data compromise outside its internal repositories.

  • The company has rotated critical secrets and is prioritizing credential rotation.

Details of the Incident

GitHub confirmed it is investigating unauthorized access to its internal codebases after the threat actor group TeamPCP advertised GitHub's source code and internal organization data for sale on a cybercrime forum. The asking price was reportedly no less than $50,000, with claims of approximately 4,000 repositories being compromised.

TeamPCP stated that this was not a ransom attempt but a sale, and threatened to leak the data for free if no buyer was found. GitHub said it detected and contained the compromise, which traced back to an employee device running a malicious Microsoft Visual Studio Code extension. As a precaution, GitHub has rotated critical secrets and is prioritizing the rotation of high-impact credentials.

Scope of the Breach

GitHub's current assessment is that the exfiltrated data is limited to its internal repositories. The attacker's claim of around 3,800 repositories is consistent with what the investigation has found so far. The company says it will notify customers through established channels if it discovers any impact on customer information stored outside GitHub's internal systems.

Associated Threats and Actor

TeamPCP is known for a string of software supply chain attacks. The GitHub breach coincides with TeamPCP's ongoing malware campaign, "Mini Shai-Hulud", which compromised a Python package that is an official Microsoft Python client; three malicious versions of it were published. Security researchers noted that the attacker gained access to a GitHub account, dumped secrets from a repository, and subsequently obtained a PyPI token that was used to publish the malicious versions.
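The chain described above (secrets sitting in a repository, then a publishing token harvested from them) is exactly what a pre-commit or CI secret scan is meant to catch before an attacker does. The following is an added example, not GitHub's, PyPI's or the researchers' code: a small scanner that walks a repository snapshot, matches PyPI API tokens, AWS access key IDs and GitHub tokens by their well-known prefixes, flags credential files by name, skips binaries and the `.git` directory, and reports redacted previews so the report itself leaks nothing. The demo repository it builds in a temp directory, its file names and the token bodies are constructed for illustration; the AWS key is the placeholder key from AWS's own documentation, not a live credential.

```python
"""Repository secret scanner: added example, not code from GitHub or the
campaign described on the page.  Finds leaked publishing and cloud
credentials by their well-known formats and reports them redacted."""
from __future__ import annotations

import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Well-known credential formats.  Token bodies are matched loosely so a
# shortened or rotated token is still surfaced for review rather than missed.
PATTERNS = {
    # PyPI API tokens: fixed "pypi-" prefix followed by a base64url macaroon
    "pypi_api_token": re.compile(r"\bpypi-[A-Za-z0-9_-]{40,}\b"),
    # AWS access key IDs: AKIA/ASIA prefix plus 16 upper-case alphanumerics
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # GitHub classic PAT / OAuth / app tokens: 3-letter prefix, "_", 36 chars
    "github_token": re.compile(r"\b(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36}\b"),
    # GitHub fine-grained PATs
    "github_fine_grained_pat": re.compile(r"\bgithub_pat_[A-Za-z0-9_]{80,}\b"),
}

# Files whose presence in a checkout deserves a look regardless of content,
# because stealers and careless commits alike target them by name.
SENSITIVE_NAMES = {".pypirc", ".npmrc", ".env", "credentials", "id_rsa", "id_ed25519"}


@dataclass(frozen=True)
class Finding:
    path: str      # path relative to the scanned root
    line: int      # 1-based line number; 0 for filename-only hits
    kind: str      # which pattern or rule fired
    preview: str   # redacted excerpt, never the full secret


def redact(secret: str) -> str:
    """Keep enough of the match to locate it, never enough to reuse it."""
    return f"{secret[:8]}...({len(secret)} chars)"


def is_probably_binary(path: Path) -> bool:
    with path.open("rb") as fh:
        return b"\x00" in fh.read(1024)


def scan_file(path: Path, root: Path) -> list[Finding]:
    rel = path.relative_to(root).as_posix()
    findings: list[Finding] = []
    if path.name in SENSITIVE_NAMES:
        findings.append(Finding(rel, 0, "sensitive_file", path.name))
    if is_probably_binary(path):
        return findings
    text = path.read_text(encoding="utf-8", errors="replace")
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(rel, line_no, kind, redact(match.group(0))))
    return findings


def scan_tree(root: Path) -> list[Finding]:
    """Walk a checkout (skipping .git) and collect findings in path order."""
    root = Path(root)
    findings: list[Finding] = []
    for path in sorted(root.rglob("*")):
        if ".git" in path.relative_to(root).parts or not path.is_file():
            continue
        findings.extend(scan_file(path, root))
    return findings


def build_demo_repo() -> Path:
    """Write a constructed repository snapshot into a temp directory.
    Every token below is made up or an official placeholder."""
    root = Path(tempfile.mkdtemp(prefix="secret-scan-demo-"))
    (root / "src").mkdir()
    (root / "src" / "client.py").write_text('API_BASE = "https://example.invalid"\n')
    (root / ".github").mkdir()
    (root / ".github" / "publish.yml").write_text(
        "env:\n  TWINE_PASSWORD: pypi-AgEIcHlwaS5vcmc" + "A" * 60 + "\n"
    )
    (root / "notes.txt").write_text(
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"   # AWS docs placeholder key
        "GH_TOKEN=ghp_0123456789abcdef0123456789abcdef0123\n"
    )
    (root / ".pypirc").write_text("[pypi]\nusername = __token__\n")
    (root / "blob.bin").write_bytes(b"\x00\x01ghp_" + b"x" * 36)  # binary: skipped
    return root


def demo() -> list[Finding]:
    return scan_tree(build_demo_repo())


if __name__ == "__main__":
    for f in demo():
        print(f"{f.path}:{f.line}: {f.kind}: {f.preview}")
```

Run `scan_tree(Path("."))` against a real checkout. Treat every hit as a credential to rotate, not merely to delete from history: a token that was ever committed may already have been dumped, which is the step the campaign above relied on.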

The payload within the compromised package is designed to steal credentials for major cloud providers, password managers, and developer tools, exfiltrating the data to an attacker-controlled domain. The malware also exhibits self-propagation capabilities within cloud environments like AWS and Kubernetes, and includes a destructive payload that triggers under specific system settings.

Ongoing Investigation and Mitigation

GitHub is working diligently to understand the full extent of the breach and has implemented immediate risk mitigation measures. The company's focus remains on securing its internal systems and ensuring the safety of customer data. The investigation is ongoing, and further updates will be provided as necessary.

Sources

  • GitHub Breached — Employee Device Hack Led to Exfiltration of 3,800+ Internal Repos, The Hacker News.
