
On May 20, GitHub confirmed that a poisoned VS Code extension installed on an employee’s device allowed attackers to gain access to approximately 3,800 internal repositories on the Microsoft-owned platform. The threat group TeamPCP, also known as UNC6780, claimed responsibility for the breach and is offering the stolen repositories for sale starting at $50,000. GitHub’s investigation aligns with the attacker’s claims so far. Various security firms, including Trend Micro, StepSecurity, and Snyk, have been tracking TeamPCP across multiple supply chain attacks since March.
The GitHub breach was part of a larger wave of attacks, including the compromise of malicious npm packages, a VS Code extension with millions of installs, and the compromise of Microsoft’s durabletask Python SDK on PyPI. The breach highlights the vulnerabilities in supply chain security, with attackers exploiting various attack surfaces.
GitHub’s response and the aftermath
GitHub contained the compromise and removed the malicious extension, but the blast radius of the breach continues to expand. The company has not disclosed the specific extension involved in the attack. While accessing source code is not considered a data breach, the leak of internal repositories poses a significant risk to infrastructure security.
Dark Web sources reported the listing of the stolen repositories before GitHub’s official disclosure, with TeamPCP’s involvement confirmed by various security firms. Binance co-founder CZ urged users to rotate their secrets if they had private repositories with sensitive information. The attack vector used by TeamPCP aligns with their previous supply chain attacks targeting open-source security utilities and AI middleware.
Endor Labs detected a wave of malicious npm packages with forged provenance badges, indicating a sophisticated attack technique. The worm responsible for the attack now generates valid signing certificates for each package it propagates. The attack highlights the need for robust security measures to prevent such incidents.
In addition to the GitHub breach, threat actors compromised the popular GitHub Actions workflow actions-cool/issues-helper and redirected existing tags to imposter commits. The same day, TeamPCP targeted Microsoft’s durabletask Python SDK on PyPI, further demonstrating the group’s ability to exploit vulnerabilities across multiple platforms.
PyPI has put all three versions in quarantine.
StepSecurity’s analysis discovered that the payload downloads a 28 KB dropper (rope.pyz) that steals credentials from AWS, Azure, GCP, Kubernetes, and over 90 developer tool configurations, and then spreads through cloud infrastructure. The payload avoids systems with a Russian locale. The durabletask package has an average of over 400,000 monthly downloads.
VS Code extensions compromised GitHub itself, and this is not the first compromise this week
Attackers published a compromised version of the Nx Console VS Code extension on May 18, which had been installed over 2.2 million times. The malicious version harvested tokens from GitHub, npm, AWS, HashiCorp Vault, Kubernetes, and 1Password, specifically targeting Claude Code configuration files under ~/.claude/settings.json. The Nx team removed the compromised version within 11 minutes. A day later, GitHub confirmed that a different poisoned VS Code extension was the entry point for a breach of its internal infrastructure involving 3,800 repositories.
As one user put it: “Microsoft’s GitHub was compromised when a Microsoft developer using Microsoft VSCode installed a rogue extension from Microsoft’s VSCode extension library, which is moderated and hosted by Microsoft.” The entire attack chain remained within one vendor’s ecosystem. Malicious VS Code extensions have been reported to Microsoft by developers for years. A documented complaint from December 2024 requested Microsoft to address issues in the marketplace. Eighteen months later, the marketplace was used as the entry point for a breach of GitHub.
AI coding agents view trust dialogs as features, not security events
Adversa AI’s TrustFall research, published on May 7, tested Claude Code, Gemini CLI, Cursor CLI, and Copilot CLI. According to researcher Rony Utevsky, “A repository can ship a configuration that auto-approves and immediately launches an MCP server, no tool call from the agent is required.” All four default to “Yes/Trust.” The Managed scope configuration that could prevent this is rarely used. When Claude Code runs headless through GitHub Actions, the trust dialog is not displayed.
PR comments were treated as agent instructions
Aonan Guan, along with Johns Hopkins colleagues Zhengyu Liu and Gavin Zhong, entered a malicious instruction into a PR title and observed Anthropic’s Claude Code Security Review action posting its API key as a comment. The same prompt injection technique worked against Gemini CLI Action and GitHub’s Copilot Agent. Anthropic classified this as a CVSS 9.4 Critical issue.
Prompt injection leads to eval() through legitimate API calls
Microsoft disclosed CVE-2026-26030 and CVE-2026-25592 on May 7, both critical in Semantic Kernel. The Python SDK flaw allowed a crafted prompt to achieve remote code execution at the host level. The .NET SDK flaw turned an accidentally exposed file-transfer helper into a tool that the AI model could invoke, enabling sandbox escape from Azure Container Apps.
Social channels deliver the payload where EDR has no signal
CrowdStrike’s 2026 Financial Services Threat Landscape Report, released on May 14, highlighted the increase in identity theft outside developer toolchains. DPRK-nexus actors stole $2.02 billion in digital assets in 2025, a 51% year-over-year increase. PRESSURE CHOLLIMA conducted the largest single financial theft reported, amounting to $1.46 billion through trojanized software distributed via a supply chain compromise. FAMOUS CHOLLIMA doubled its operations using AI-generated identities, while STARDUST CHOLLIMA tripled its tempo. The primary delivery channels were WhatsApp and LinkedIn, where EDR lacks visibility.
“Financial services organizations face threats from every direction, and AI is making each of them harder to stop,” said Adam Meyers, senior vice president of counter adversary operations at CrowdStrike. “Adversaries are using AI to compress the time from initial access to impact, moving through trusted paths faster than legacy defenses can respond.” The 2026 Global Threat Report found that 82% of detections in 2025 were malware-free, with the average eCrime breakout time reduced to 29 minutes, the fastest observed being 27 seconds.
Riemer, speaking to VentureBeat, noted that the same dynamic applies to developer toolchains. “Bad actors are shifting to exploit the next weakest link. If I can get someone’s house key, I can enter through the back door.” Stolen developer identities serve as the house key.
Shadow AI usage tripled in one year
The Verizon 2026 DBIR revealed that 45% of employees are regular AI users, up from 15% the previous year, with 67% accessing AI through non-corporate accounts. Third-party involvement in breaches increased to 48%.
The Developer Tool Stolen-Identity Audit Grid
While no single aspect in this grid constitutes a zero-day vulnerability, when combined, they act like one. “I can take a whole bunch of little things and chain them together to achieve the same level of access,” explained Riemer to VentureBeat. “That’s what AI does very, very well.”
|
Surface |
Incident / Vector |
Visibility Gap |
Recommended Action |
|
GitHub internal repositories |
TeamPCP (UNC6780) stole ~3,800 internal repos via poisoned VS Code extension on employee device. GitHub confirmed May 20. Critical secrets rotated overnight. Listing includes security infra and AI tooling repos |
Customers cannot audit internal repo contents. Leaked secrets affect every downstream tenant |
Rotate GitHub-issued tokens, OAuth app secrets, and Actions OIDC trust relationships |
|
npm provenance verification |
Mini Shai-Hulud wave (May 19). 639 malicious versions per Socket. Stolen maintainer identity generated legitimate Sigstore certs at runtime |
Provenance check passes. Signing identity is stolen. 16M weekly downloads affected |
Stop treating provenance badges as sufficient. Add install-time behavioral analysis. Set minimumReleaseAge |
|
VS Code extension auto-update |
Nx Console v18.95.0 (May 18). Stolen contributor token, orphan commit, three exfil channels. Claude Code configs targeted. 2.2M installs |
Auto-update executes credential stealer silently. No detection category exists |
Pin extension versions. Audit auto-update policy. Review publisher token governance |
|
AI coding agent CLI trust dialog |
TrustFall (Adversa AI). All four CLIs auto-execute untrusted MCP servers with one keypress |
Trust dialog is a feature, not a security event. Headless CI skips dialog entirely |
Disable enableAllProjectMcpServers. Require explicit per-server approval |
|
CI/CD pipeline agent execution |
Comment and Control (Johns Hopkins, CVSS 9.4). PR comments processed as agent instructions |
Malicious .mcp.json runs with runner’s full credentials. Zero human interaction |
Gate agent runs to post-merge branches. Review pull_request_target workflows |
|
AI agent framework eval() path |
Semantic Kernel CVE-2026-26030 (9.9) and CVE-2026-25592 (10.0). Prompt injection reaches eval() |
EDR sees approved call. Flat auth plane fails to respect user permissions |
Upgrade to Python 1.39.4+ / .NET 1.71.0+. Disable auto-invocation |
|
Out-of-band delivery |
CrowdStrike FinServ (May 14). WhatsApp and LinkedIn as primary vectors. CHOLLIMA doubled and tripled tempo |
EDR has no signal on social-channel delivery. AI-generated identities at scale |
Add WhatsApp and LinkedIn to insider-threat playbooks |
Seven surfaces. One group confirmed across at least three of them, with open-sourced tooling enabling copycats across the rest.
Have you heard what Kayne McGladrey, IEEE Senior Member, said to VentureBeat?
It’s a game changer – organizations are now defaulting to cloning human user profiles for agents, leading to permission sprawl right from the start. The compliance frameworks currently in place were designed with humans in mind, but what about agent identities? According to McGladrey, they’re nowhere to be found in any control catalog he’s come across.
Imagine the implications of this oversight. Are we setting ourselves up for potential risks and vulnerabilities by not properly accounting for agent identities in our security protocols? It’s definitely something to think about as we navigate the ever-evolving landscape of technology and data protection.
