Supply Chain Attack: TeamPCP Breaches GitHub Internal Codebase via Poisoned VS Code Extension
What Happened – TeamPCP (aka UNC6780) leveraged a malicious Visual Studio Code extension to gain access to GitHub’s internal repositories, exfiltrating roughly 3,800 private codebases. GitHub confirmed the breach, removed the extension, isolated the endpoint, and began rotating critical secrets.
Why It Matters for TPRM –
- A compromised upstream development tool can expose proprietary source code and secret credentials across the software supply chain.
- Third‑party SaaS platforms that host code (e.g., GitHub, GitLab, Bitbucket) become high‑value targets for supply‑chain actors.
- Ongoing investigations may reveal downstream impact on customers that integrate GitHub‑hosted components.
Who Is Affected – Technology / SaaS providers, cloud‑hosted development platforms, enterprises relying on open‑source libraries published through GitHub.
Recommended Actions –
- Review contracts and security clauses with code‑hosting SaaS vendors.
- Verify that your organization enforces strict extension vetting and disables auto‑install of VS Code extensions.
- Request evidence of secret‑rotation procedures and post‑breach hardening from the vendor.
Technical Notes – The attack vector was a poisoned VS Code extension (third‑party dependency) that executed with full developer‑machine privileges, allowing credential theft and repository access. No public CVE is associated, but the incident underscores the risk of supply‑chain malware. Source: https://www.helpnetsecurity.com/2026/05/20/github-breached-teampcp/