GitHub confirmed that 3,800 internal repositories were breached after an employee installed a malicious VSCode extension from Microsoft’s official marketplace. The TeamPCP hacker group claimed responsibility and is selling the stolen code for at least $50,000.
Attackers compromised the npm ‘atool’ account and published 637 malicious versions across 317 packages in 22 minutes, including high-traffic projects like size-sensor and echarts-for-react. The sophisticated payload harvests credentials, establishes persistent backdoors, and exploits GitHub’s infrastructure for command-and-control operations.