GitHub confirms 3,800 internal repos stolen through poisoned VS Code extension as supply chain worm hits Microsoft’s Python SDK | VentureBeat
GitHub confirmed on May 20 that a poisoned VS Code extension installed on an employee’s device gave attackers access to roughly 3,800 internal repositories at the Microsoft-owned code hosting platform.
The threat group Team PCP, formally tracked by Google Threat Intelligence Group as UNC6780, claimed responsibility and is advertising the stolen repositories for sale starting at $50,000. GitHub’s assessment: the attacker’s claim is “directionally consistent” with the investigation so far. Trend Micro, StepSecurity, and Snyk have formally tracked Team PCP across at least seven waves of the Mini Shai-Hulud supply chain worm since March.
The GitHub breach did not land in isolation. It arrived the same day a new Mini Shai-Hulud wave forged valid cryptographic provenance on 639 malicious npm package versions, one day after attackers compromised a VS Code extension with 2.2 million installs, the same day Wiz discovered Team PCP had compromised Microsoft’s durabletask Python SDK on PyPI, and the same morning Verizon’s 2026 DBIR revealed that 67% of employees access AI tools through non-corporate accounts. Five supply chain surfaces failed in 48 hours. Two more AI-agent attack classes disclosed the same month completed the grid. One group connects at least three of them.
GitHub confirms the breach, names the attack vector, and the attribution trail is long
"Yesterday we detected and contained a compromise of an employee device involving a poisoned VS Code extension. We removed the malicious extension version, isolated the endpoint, and began incident response immediately," GitHub posted in a five-post thread on X on May 20. "Our current assessment is that the activity involved exfiltration of GitHub-internal repositories only. [Emphasis added by VentureBeat] The attacker’s current claims of ~3,800 repositories are directionally consistent with our investigation so far." GitHub added that critical secrets were rotated overnight with the highest-impact credentials prioritized first.
GitHub’s confirmation narrows the attack vector to a single employee device but leaves the blast radius expanding. The company has not named the specific extension. Internal repositories contain infrastructure configurations, deployment scripts, staging credentials, and internal API schemas. Source code access at that level is not a data breach. It is an infrastructure intelligence leak.
Dark Web Informer reported that Team PCP’s listing appeared on a hacking forum hours before GitHub’s initial disclosure, advertising around 4,000 private repositories. Hackmanac independently confirmed the listing. An X account linked to Team PCP, xploitrsturtle2, posted after GitHub’s confirmation: “GitHub knew for hours, they delayed telling you and they won’t be honest in the future. What an amazing run, it’s been an honor to play around with the cats over the past few months.”
Google Threat Intelligence Group formally tracks Team PCP as UNC6780, a financially motivated threat actor specializing in supply chain attacks targeting open-source security utilities and AI middleware. Trend Micro tracked "at least seven confirmed waves" spanning Trivy (March 2026), Checkmarx KICS, LiteLLM, elementary-data, Bitwarden CLI, TanStack (May 11), and Mistral AI (May 12). StepSecurity, Snyk, and Trend Micro assess high confidence on the Trivy, Bitwarden CLI, and TanStack waves based on toolchain overlap. GitHub’s May 20 confirmation that the breach came through a poisoned VS Code extension aligns with the exact attack surface Team PCP weaponized throughout 2026.
Binance co-founder CZ posted immediately: "If you have ANY private repos with plain text secrets or sensitive documents/architectures, immediately rotate your secrets." Mike Riemer, CTO of Ivanti, told VentureBeat in an exclusive interview that Azure’s honeypot network now shows known vulnerabilities exploited in under 90 seconds. Stolen credentials shorten the recon phase that precedes exploitation. Every GitHub-side secret that reaches a buyer accelerates whichever attack path that buyer was already running.
Hours before GitHub's disclosure, Endor Labs detected 42 malicious npm packages published between 01:39 and 02:06 UTC on May 19. Socket's broader tracking put the full wave at 639 malicious versions across 323 packages inside Alibaba's @antv data visualization ecosystem, roughly 16 million weekly downloads.
This wave introduced provenance forgery. The worm now calls Fulcio and Rekor at runtime to generate valid Sigstore signing certificates for every package it propagates to. Provenance tooling shows a green badge. The build chain belongs to the attacker. "The attestation proves where the package was built. It does not prove the build was authorized," Endor Labs stated.
Peyton Kennedy, senior security researcher at Endor Labs, told VentureBeat that “TanStack had the right setup on paper: OIDC trusted publishing, signed provenance, 2FA on every maintainer account. The attack worked anyway. Each wave has picked a higher-download target and introduced a more technically interesting access vector.”
Late on May 12, vx-underground reported that Team PCP open-sourced the fully weaponized Shai-Hulud worm code. Copycat variants have already appeared, complicating attribution. Kennedy provided VentureBeat a first-pass detection check: run find . -name 'router_init.js' -size +1M across project directories and grep for the hash 79ac49eedf774dd4b0cfa308722bc463cfe5885c in package-lock.json. If either returns a hit, isolate and image the machine before revoking any tokens. The worm’s destructive daemon triggers on revocation.
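The two first-pass indicators above, wrapped into a report-only triage script (an added example, not code from the article or from Endor Labs): the hash is the one quoted in the article; the function name, paths and sample inputs are constructed.

```shell
#!/bin/sh
# Added example (not from the article or Endor Labs): a report-only triage
# script for the two first-pass indicators Kennedy describes, an oversized
# router_init.js and a known hash inside package-lock.json. The hash is the
# one quoted in the article; paths and the function name are constructed.
# It deliberately changes nothing: on a hit, isolate and image the host
# before revoking any tokens, since the worm's daemon triggers on revocation.

IOC_HASH='79ac49eedf774dd4b0cfa308722bc463cfe5885c'

# check_tree DIR: scan one project tree. Prints each hit; returns 0 when
# clean and 1 when either indicator is present.
check_tree() {
    dir=$1
    status=0

    # Indicator 1: router_init.js larger than 1 MiB (find -size +1M, as in
    # the article). A dependency's genuine router_init.js is normally small.
    found=$(find "$dir" -type f -name 'router_init.js' -size +1M 2>/dev/null || true)
    if [ -n "$found" ]; then
        printf 'HIT oversized router_init.js:\n%s\n' "$found"
        status=1
    fi

    # Indicator 2: the known hash anywhere in a package-lock.json.
    # -F treats the hash as a literal string, -l prints only file names.
    found=$(find "$dir" -type f -name 'package-lock.json' \
                -exec grep -l -F "$IOC_HASH" {} + 2>/dev/null || true)
    if [ -n "$found" ]; then
        printf 'HIT known hash in lockfile:\n%s\n' "$found"
        status=1
    fi

    [ "$status" -eq 0 ] && echo "clean: $dir"
    return "$status"
}

# Usage: sh triage.sh /path/to/projects [...]; exits 1 if any tree has a hit.
rc=0
for d in "$@"; do
    check_tree "$d" || rc=1
done
[ $# -eq 0 ] || exit "$rc"
```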
GitHub Actions tags redirected to imposter commits the same day
Also on May 19, threat actors compromised the popular GitHub Actions workflow actions-cool/issues-helper by redirecting every existing tag in the repository to an imposter commit that does not appear in the action’s normal commit history. “That commit contains malicious code that exfiltrates credentials from CI/CD pipelines that run the action,” StepSecurity researcher Varun Sharma said. GitHub has since disabled access to the repository.
The exfiltration domain (t.m-kosche[.]com) matches the @antv Mini Shai-Hulud wave, tying the two clusters together. Only workflows pinned to a known-good full commit SHA were unaffected.
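A way to find the exposure described here before a tag is retargeted (an added example, not code from the article or from StepSecurity): a shell/awk audit that lists every `uses:` reference in a workflow file that resolves a mutable tag or branch instead of a full commit SHA. The function name and the sample workflow are constructed.

```shell
#!/bin/sh
# Added example (not from the article or StepSecurity): audit GitHub Actions
# workflow files for `uses:` references that resolve a mutable tag or branch.
# A retargeted tag, as in the issues-helper incident, only reaches workflows
# that resolve that tag; a full 40-hex commit SHA is immutable. Function and
# file names are constructed for this example.

# unpinned_uses FILE: print "file:line: ref" for each mutable reference.
# Returns 0 when every remote action is SHA-pinned, 1 otherwise.
unpinned_uses() {
    awk -v f="$1" -v sq="'" '
        /^[ \t-]*uses:[ \t]*/ {
            ref = $0
            sub(/^[ \t-]*uses:[ \t]*/, "", ref)      # drop the YAML key
            sub(/[ \t]*#.*$/, "", ref)               # drop a trailing comment
            gsub(/"/, "", ref); gsub(sq, "", ref)    # drop quoting
            # Local actions and docker:// images are not tag references.
            if (ref ~ /^\.\// || ref ~ /^docker:\/\//) next
            # owner/repo@<40 lowercase hex chars> is an immutable pin.
            n = split(ref, part, "@")
            sha = part[n]
            if (n > 1 && length(sha) == 40 && sha ~ /^[0-9a-f]+$/) next
            printf "%s:%d: %s\n", f, NR, ref
            bad = 1
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Usage: sh audit-pins.sh .github/workflows/*.yml; exits 1 if anything is unpinned.
rc=0
for wf in "$@"; do
    unpinned_uses "$wf" || rc=1
done
[ $# -eq 0 ] || exit "$rc"
```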
The worm jumped to Microsoft’s own Python SDK the same day
Hours after the @antv wave, Wiz detected that Team PCP had compromised durabletask, the official Microsoft Python client for the Durable Task workflow execution framework. Three malicious versions (1.4.1, 1.4.2, and 1.4.3) were published to PyPI within a 35-minute window on May 19. The attack chain was direct: a GitHub account compromised in a previous Team PCP operation still had access to the microsoft/durabletask-python repository. The attacker dumped GitHub Secrets, extracted a PyPI publishing token, and pushed the infected releases directly. PyPI quarantined all three versions.
StepSecurity’s analysis found the payload downloads a 28 KB dropper (rope.pyz) that steals credentials from AWS, Azure, GCP, Kubernetes, and over 90 developer tool configurations, then spreads laterally through cloud infrastructure. The payload skips systems with a Russian locale. The durabletask package averages over 400,000 monthly downloads.
VS Code extensions breached GitHub itself, and that is not even the first compromise this week
On May 18, attackers published a compromised version of the Nx Console VS Code extension, installed more than 2.2 million times. The malicious version harvested tokens from GitHub, npm, AWS, HashiCorp Vault, Kubernetes, and 1Password, and specifically targeted Claude Code configuration files under ~/.claude/settings.json. The Nx team removed it within 11 minutes. Any developer who opened a workspace between 12:36 and 12:47 UTC ran the credential stealer. One day later, GitHub confirmed that a different poisoned VS Code extension was the entry point for the 3,800-repo breach of its own internal infrastructure.
As one X user framed it: “Microsoft’s GitHub was compromised when a Microsoft developer using Microsoft VSCode installed a rogue extension from Microsoft’s VSCode extension library, which is moderated and hosted by Microsoft.” The entire attack chain stayed inside one vendor’s ecosystem. Developers have been reporting malicious VS Code extensions to Microsoft for years. A publicly documented complaint from December 2024 asked Microsoft to fix the marketplace. Eighteen months later, the marketplace was the entry point for a breach of GitHub itself.
AI coding agents treat trust dialogs as features, not security events
Adversa AI’s Trust Fall research, published May 7, tested Claude Code, Gemini CLI, Cursor CLI, and Copilot CLI. "A repository can ship a configuration that auto-approves and immediately launches an MCP server, no tool call from the agent is required," researcher Rony Utevsky told Dark Reading. All four default to "Yes/Trust." The Managed scope configuration that could lock this down is "rarely used." When Claude Code runs headless through GitHub Actions, the trust dialog never renders.
Aonan Guan, alongside Johns Hopkins colleagues Zhengyu Liu and Gavin Zhong, typed a malicious instruction into a PR title and watched Anthropic's Claude Code Security Review action post its own API key as a comment. The same prompt injection worked against Gemini CLI Action and GitHub's Copilot Agent. Anthropic classified it CVSS 9.4 Critical.
Prompt injection reaches eval() through legitimate API calls
Microsoft disclosed CVE-2026-26030 and CVE-2026-25592 on May 7, both critical in Semantic Kernel. The Python SDK flaw let a crafted prompt achieve host-level remote code execution. The .NET SDK flaw turned an accidentally exposed file-transfer helper into a tool the AI model could invoke, enabling sandbox escape from Azure Container Apps.
Social channels deliver the payload where EDR has no signal
CrowdStrike’s 2026 Financial Services Threat Landscape Report, released May 14, quantified identity theft scaling outside developer toolchains. DPRK-nexus actors stole
“Financial services organizations face threats from every direction, and AI is making each of them harder to stop,” Adam Meyers, senior vice president, counter adversary operations at CrowdStrike, said in the report. “Adversaries are using AI to compress the time from initial access to impact, moving through trusted paths faster than legacy defenses can respond.” His 2026 Global Threat Report found 82% of detections in 2025 were malware-free. The average eCrime breakout time fell to 29 minutes, with the fastest observed at 27 seconds.
Riemer told VentureBeat the same dynamic applies to developer toolchains. "Bad guys are pivoting to what's the next weakest link. Let me get somebody's house key, and I can make it through the back door." Stolen developer identities are the house key.
The Verizon 2026 DBIR found that 45% of employees are regular AI users, up from 15% last year, with 67% accessing AI through non-corporate accounts. Third-party involvement in breaches jumped to 48%.
No single surface in this grid qualifies as a zero day. Chained together, they function like one. "I can take a whole bunch of little things and chain them together and get the same level of access," Riemer told VentureBeat. "That's what AI does very, very well."
| Surface | Why it matters | What to do |
| --- | --- | --- |
| Team PCP (UNC6780) stole ~3,800 internal repos via poisoned VS Code extension on employee device. GitHub confirmed May 20. Critical secrets rotated overnight. Listing includes security infra and AI tooling repos | Customers cannot audit internal repo contents. Leaked secrets affect every downstream tenant | Rotate GitHub-issued tokens, OAuth app secrets, and Actions OIDC trust relationships |
| Mini Shai-Hulud wave (May 19). 639 malicious versions per Socket. Stolen maintainer identity generated legitimate Sigstore certs at runtime | Provenance check passes. Signing identity is stolen. 16M weekly downloads affected | Stop treating provenance badges as sufficient. Add install-time behavioral analysis. Set minimum Release Age |
| Nx Console v18.95.0 (May 18). Stolen contributor token, orphan commit, three exfil channels. Claude Code configs targeted. 2.2M installs | Auto-update executes credential stealer silently. No detection category exists | Pin extension versions. Audit auto-update policy. Review publisher token governance |
| Trust Fall (Adversa AI). All four CLIs auto-execute untrusted MCP servers with one keypress | Trust dialog is a feature, not a security event. Headless CI skips dialog entirely | Disable enableAllProjectMcpServers. Require explicit per-server approval |
| Comment and Control (Johns Hopkins, CVSS 9.4). PR comments processed as agent instructions | Malicious .mcp.json runs with runner’s full credentials. Zero human interaction | Gate agent runs to post-merge branches. Review pull_request_target workflows |
| Semantic Kernel CVE-2026-26030 (9.9) and CVE-2026-25592 (10.0). Prompt injection reaches eval() | EDR sees approved call. Flat auth plane fails to respect user permissions | Upgrade to Python 1.39.4+ / .NET 1.71.0+. Disable auto-invocation |
| CrowdStrike FinServ (May 14). WhatsApp and LinkedIn as primary vectors. CHOLLIMA doubled and tripled tempo | EDR has no signal on social-channel delivery. AI-generated identities at scale | Add WhatsApp and LinkedIn to insider-threat playbooks |
Seven surfaces. One group confirmed across at least three of them, with open-sourced tooling enabling copycats across the rest. Kayne McGladrey, IEEE Senior Member, told VentureBeat that organizations are "defaulting to cloning human user profiles for agents, and permission sprawl starts on day one." The compliance frameworks enterprises rely on were written for humans. Agent identities do not appear in any control catalog McGladrey has encountered.