One Extension. One Employee. 3,800 Repos. GitHub Just Got Wrecked.
- Rich Washburn
- 4 hours ago
- 4 min read
This is not a data breach story.
I want to be clear about that upfront, because the way this is being covered — GitHub investigating unauthorized access, no evidence of customer impact, monitoring for follow-on activity — makes it sound like a routine security incident. A blip. Something the comms team handles while the engineers clean it up.
That is not what happened here.
What happened here is a case study in the future of cyberwar. And the future looks like a poisoned VS Code extension.
How You Breach GitHub With One Employee
Someone at GitHub installed a malicious Visual Studio Code extension. That's it. That's the breach vector. Not a zero-day in their infrastructure. Not a sophisticated nation-state exploit chain. A developer tool. The kind of thing engineers install dozens of without thinking twice, because VS Code extensions are how you work. The extension was trojanized — meaning it looked and functioned like a legitimate tool while quietly doing something else entirely in the background. What it did was hand the attacker access to the employee's device. And from that device, the attacker — a group called TeamPCP — exfiltrated approximately 3,800 of GitHub's internal repositories.
Source code. Internal tooling. The crown jewels of the platform that hosts the crown jewels of essentially every major software company on Earth.
TeamPCP then posted it for sale on a dark web forum. Asking price: $50,000. One buyer. They claim they'll shred it after the sale — or leak it for free if no buyer is found.
"This is not a ransom," they wrote. "We do not care about extorting GitHub. It looks like our retirement is soon."
The Worm Inside the Story
If that were the whole story, it would be bad enough. But there's a layer underneath that's significantly more alarming. TeamPCP isn't just a smash-and-grab crew. They've been running a coordinated supply chain campaign for months, and the GitHub breach is one node in something much larger. Their malware — which they have, with a straight face, named Mini Shai-Hulud after the planet-devouring sandworm in Dune — is self-replicating.
Here's what it does when it lands on a machine:
It steals credentials for every major cloud provider. It dumps 1Password and Bitwarden vaults. It reads SSH keys, Docker credentials, VPN configs, and shell history. It harvests HashiCorp Vault secrets.
Then it propagates.
If it's running inside AWS, it uses AWS Systems Manager to push itself to up to five other EC2 instances per profile. If it's inside Kubernetes, it propagates through kubectl exec. It doesn't need a new vulnerability to spread — it uses the legitimate infrastructure of the environment it's already inside. And it hides its command-and-control server address inside GitHub's own public commit messages, encoded in base64. The platform is being used as its own attack infrastructure.
One more detail, because you need to know this: the malware checks for Israeli or Iranian system settings. If it finds them, there's a one-in-six chance it plays audio and then executes rm -rf / — a full system wipe. That is not a bug. That is a statement.
The Bigger Problem Nobody's Naming
The developer toolchain is now a weapons delivery system.
This is the thing that needs to be said clearly, because the industry keeps dancing around it. We have spent decades building the most sophisticated software development ecosystem in human history — package managers, extension marketplaces, open source repositories, CI/CD pipelines, container registries — and we have built essentially all of it on an honor system.
You install a VS Code extension because it has good reviews and a reasonable name. You pip install a package because it's the one the tutorial told you to use. You pull a container image because it's the official one. At every step, you are trusting that what you're getting is what it says it is.
TeamPCP's campaign — which has already hit TanStack, Mistral AI, Guardrails AI, Microsoft's own durabletask Python client, and now GitHub itself — is a systematic exploitation of that trust. They compromise one account. They use that account's tokens to publish a malicious package version. That version gets pulled automatically by every pipeline that depends on it. Each infected environment yields new credentials, which yield new compromises, which yield new credentials. The worm eats itself forward through the entire ecosystem. And the durabletask package — the Microsoft Python client for workflow orchestration — gets downloaded roughly 417,000 times a month. The malicious code runs automatically the moment the package is imported. No error messages. No visible signs of compromise. You don't know you've been hit until something downstream goes wrong.
What This Means
Here's the strategic read, because this isn't just a cybersecurity story.
GitHub hosts the source code for the infrastructure of the modern world. Banking systems. Healthcare platforms. Defense contractors. Government agencies. Every major cloud provider. If the internal GitHub repos contain credentials, API keys, or architectural details that provide lateral access into those environments — and they almost certainly do — the blast radius of this breach is not yet known.
GitHub says there's no evidence of impact to customer repositories. That statement is true and also not the right question. The right question is what was in those 3,800 internal repos, and what doors those contents open.
The defenders are working the problem. GitHub has rotated critical credentials and is monitoring for follow-on activity. That's the right move. But the attackers have been inside for hours, the data is already exfiltrated, and it's currently sitting on a dark web forum with a price tag on it.
One employee. One extension. 3,800 repos.
This is the threat model now.
Rich Washburn is an AI strategist and cybersecurity professional who has spent decades in digital forensics and infrastructure. He believes the most dangerous attack surface in 2026 is the developer's own toolchain.