{"id":566,"date":"2026-05-21T23:20:11","date_gmt":"2026-05-21T23:20:11","guid":{"rendered":"https:\/\/fluffyworld.org\/?p=566"},"modified":"2026-05-21T23:20:11","modified_gmt":"2026-05-21T23:20:11","slug":"a-hacker-group-is-poisoning-open-source-code-at-an-unprecedented-scale","status":"publish","type":"post","link":"https:\/\/fluffyworld.org\/?p=566","title":{"rendered":"A Hacker Group Is Poisoning Open Source Code at an Unprecedented Scale"},"content":{"rendered":"<p> <br \/>\n<\/p>\n<div>\n<p>A so-called software <a href=\"https:\/\/www.wired.com\/story\/the-untold-story-of-solarwinds-the-boldest-supply-chain-hack-ever\/\" class=\"text link\">supply chain attack<\/a>, in which hackers corrupt a legitimate piece of software to hide their own malicious code, was once a relatively rare event but one that haunted the cybersecurity world with its insidious threat of turning any innocent application into a dangerous foothold in a victim\u2019s network. Now <a href=\"https:\/\/www.wired.com\/story\/meta-pauses-work-with-mercor-after-data-breach-puts-ai-industry-secrets-at-risk\/\" class=\"text link\">one group of cybercriminals<\/a> has turned that occasional nightmare into a near-weekly episode, corrupting hundreds of open source tools, extorting victims for profit, and sowing a new level of distrust in an entire ecosystem used to create the world\u2019s software.<\/p>\n<p class=\"paywall\">On Tuesday night, open source code platform GitHub announced that it had been breached by hackers in one such software supply chain attack: A GitHub developer had installed a \u201cpoisoned\u201d extension for VSCode, a plug-in for a commonly used code editor that, like GitHub itself, is owned by Microsoft. As a result, the hackers behind the breach, an increasingly notorious group called TeamPCP, claim to have accessed around 4,000 of GitHub\u2019s code repositories. 
GitHub\u2019s statement confirmed that it had found at least 3,800 compromised repositories while noting that, based on its findings so far, they all contained GitHub\u2019s own code, not that of customers.<\/p>\n<p class=\"paywall\">\u201cWe are here today to advertise GitHub\u2019s source code and internal orgs for sale,\u201d TeamPCP wrote on BreachForums, a forum and marketplace for cybercriminals. \u201cEverything for the main platform is there and I very am happy to send samples to interested buyers to verify absolute authenticity.\u201d<\/p>\n<p class=\"paywall\">The GitHub breach is just the latest incident in what has become the longest-running spree of software supply chain attacks ever, with no end in sight. According to cybersecurity firm Socket, which focuses on software supply chains, TeamPCP has, in just the last few months, carried out 20 \u201cwaves\u201d of supply chain attacks that have hidden malware in more than 500 distinct pieces of software, or well over a thousand counting all of the various versions of the code that TeamPCP has hijacked.<\/p>\n<p class=\"paywall\">Those tainted pieces of code have allowed TeamPCP\u2019s hackers to breach hundreds of companies that installed the software, says Ben Read, who leads strategic threat intelligence at the cloud security firm Wiz. GitHub is only the latest on the group\u2019s long list of victims, which has also included AI firm OpenAI and the data contracting firm Mercor. \u201cIt may be their biggest one,\u201d Read says of the GitHub breach. \u201cBut each one of these is a big deal for the company that it happens to. 
It\u2019s not qualitatively different from the 14 breaches that happened last week.\u201d<\/p>\n<p class=\"paywall\">TeamPCP\u2019s core tactic has become a kind of cyclical exploitation of software developers: The hackers gain access to a network where an open source tool commonly used by coders is being developed\u2014for example, the VSCode extension that led to the GitHub breach or the data visualization software AntV that TeamPCP hijacked earlier this week. The hackers plant malware in the tool that ends up on other software developers\u2019 machines, including some who are writing other tools intended to be used by coders.<\/p>\n<p class=\"paywall\">The malware allows TeamPCP\u2019s hackers to steal credentials that let them publish malicious versions of <em>those<\/em> software development tools, too. The cycle repeats, and TeamPCP\u2019s collection of breached networks grows. \u201cIt\u2019s a flywheel of supply chain compromises,\u201d says Read. \u201cIt\u2019s self-perpetuating, and it\u2019s been a hugely successful way to get access to networks and steal stuff.\u201d<\/p>\n<p class=\"paywall\">Most recently, the group appears to have automated many of its software supply chain attacks with a self-spreading worm that\u2019s come to be known as Mini Shai-Hulud. The name comes from GitHub repositories the worm creates that include encrypted credentials stolen from victims, each of which includes the phrase \u201cA Mini Shai-Hulud Has Appeared\u201d along with a handful of other references to the sci-fi novel <em>Dune<\/em>. 
That message in turn appears to be a reference not just to <em>Dune<\/em>\u2019s sandworms but to a similar <a href=\"https:\/\/www.wired.com\/story\/a-dangerous-worm-is-eating-its-way-through-software-packages\/\" class=\"text link\">supply chain compromise worm known as Shai-Hulud that appeared in September<\/a>, though there\u2019s no evidence TeamPCP was behind that earlier self-spreading malware.<\/p>\n<\/div>\n<p><br \/>\n<br \/><a href=\"https:\/\/www.wired.com\/story\/teampcp-software-supply-chain-attack-spree-github\/\">Source link <\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A so-called software supply chain attack, in which hackers corrupt a legitimate piece of software to hide their own malicious code, was once a relatively [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":567,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[],"class_list":["post-566","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/fluffyworld.org\/index.php?rest_route=\/wp\/v2\/posts\/566","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fluffyworld.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fluffyworld.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fluffyworld.org\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fluffyworld.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=566"}],"version-history":[{"count":0,"href":"https:\/\/fluffyworld.org\/index.php?rest_route=\/wp\/v2\/posts\/566\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/fluffyworld.org\/index.php?rest_route=\/wp\/v2\/media\/567"}],"wp:attachment":[{"href":"https:\/\/fluffyworld.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=566"}],"wp:ter
m":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fluffyworld.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=566"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fluffyworld.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=566"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}