GitHub is currently investigating a potential security breach after the notorious cyber group TeamPCP claimed to have accessed the platform’s internal repositories. The claim surfaced when TeamPCP advertised GitHub’s source code and internal data for sale on a dark web forum.
TeamPCP’s Involvement in the Security Breach
The cybercrime incident has not affected customer data stored outside GitHub’s internal systems, according to the Microsoft-owned company. However, GitHub is vigilantly monitoring its infrastructure for any subsequent unauthorized activities. Customers will be promptly informed through official channels if any impact on their data is detected.
TeamPCP, already known for targeting open-source software with supply chain attacks, is allegedly demanding $50,000 for the data. The breach reportedly affects approximately 4,000 repositories. The group has stated that they are not interested in extortion, promising to delete the data if a buyer is found, or leak it for free otherwise.
Expansion of TeamPCP’s Malware Campaign
This breach comes amid TeamPCP’s ongoing malware operations, notably the Mini Shai-Hulud campaign, which has recently compromised the durabletask PyPI package. This software is an official Python client of Microsoft’s Durable Task framework, and the attack has resulted in three malicious versions: 1.4.1, 1.4.2, and 1.4.3.
The malware uses a dropper to deploy a second-stage payload from an external domain. This payload is an advanced infostealer targeting credentials from cloud providers, password managers, and developer tools, which are then sent to a domain controlled by the attackers. The malware is specifically designed to affect Linux systems.
Widespread Impact and Propagation Techniques
According to SafeDep, the malicious code can extract sensitive data, including HashiCorp Vault secrets and password vaults from platforms such as 1Password and Bitwarden, as well as SSH keys and Docker credentials. The worm also has mechanisms to spread within AWS and Kubernetes environments, using AWS Systems Manager (SSM) and kubectl exec respectively.
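Lateral movement over kubectl exec leaves a trace in the Kubernetes API server audit log, where an exec into a pod is recorded as a "create" request on the "pods" resource with subresource "exec". The script below, an added example that is not code from the article or from SafeDep, scans constructed audit-log lines for such requests and flags the ones made by in-cluster service accounts (the identity a worm running inside a pod would hold) or by users outside an allow-list. The allow-list, the triage rule and the sample events are this example's own assumptions.

```python
"""Flag pod exec requests in Kubernetes audit logs.

Added example; not code from the article or from SafeDep. Assumes the audit
log is JSON lines of audit.k8s.io/v1 Event objects, where an exec into a pod
is recorded as verb "create" on resource "pods" with subresource "exec".
The triage rule and the allow-list are this example's own assumptions.
"""
import json
from typing import Dict, Iterable, List, Optional

# Constructed allow-list of principals expected to run `kubectl exec`.
ALLOWED_USERS = {"alice@example.com"}


def is_pod_exec(event: dict) -> bool:
    """True for the audit record kubectl exec produces."""
    ref = event.get("objectRef") or {}
    return (
        event.get("verb") == "create"
        and ref.get("resource") == "pods"
        and ref.get("subresource") == "exec"
    )


def classify(event: dict) -> Optional[str]:
    """Return a reason string for exec events worth reviewing, else None."""
    if not is_pod_exec(event):
        return None
    user = (event.get("user") or {}).get("username", "")
    # Code running inside a pod authenticates with the pod's service account
    # token, so exec calls from system:serviceaccount:* principals come first.
    if user.startswith("system:serviceaccount:"):
        return "exec-from-service-account"
    if user not in ALLOWED_USERS:
        return "exec-from-unlisted-user"
    return None


def scan(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse audit lines and collect flagged exec requests in log order."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # tolerate truncated or non-JSON lines
        if event.get("kind") != "Event":
            continue
        reason = classify(event)
        if reason is None:
            continue
        ref = event.get("objectRef") or {}
        findings.append({
            "time": event.get("requestReceivedTimestamp", ""),
            "user": (event.get("user") or {}).get("username", ""),
            "source": ",".join(event.get("sourceIPs") or []),
            "target": f"{ref.get('namespace', '')}/{ref.get('name', '')}",
            "reason": reason,
        })
    return findings


# Constructed sample audit events (fields trimmed); not real cluster output.
_SAMPLE_EVENTS = [
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "create",
     "requestReceivedTimestamp": "2025-01-01T10:00:00Z",
     "user": {"username": "alice@example.com"}, "sourceIPs": ["203.0.113.5"],
     "objectRef": {"resource": "pods", "namespace": "prod", "name": "web-1", "subresource": "exec"}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "get",
     "requestReceivedTimestamp": "2025-01-01T10:04:00Z",
     "user": {"username": "system:serviceaccount:prod:worker"}, "sourceIPs": ["10.0.3.14"],
     "objectRef": {"resource": "pods", "namespace": "prod", "name": "web-2"}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "create",
     "requestReceivedTimestamp": "2025-01-01T10:05:00Z",
     "user": {"username": "system:serviceaccount:prod:worker"}, "sourceIPs": ["10.0.3.14"],
     "objectRef": {"resource": "pods", "namespace": "prod", "name": "web-2", "subresource": "exec"}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "create",
     "requestReceivedTimestamp": "2025-01-01T10:09:00Z",
     "user": {"username": "bob@example.com"}, "sourceIPs": ["198.51.100.7"],
     "objectRef": {"resource": "pods", "namespace": "staging", "name": "api-3", "subresource": "exec"}},
]
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in _SAMPLE_EVENTS) + "\nnot json at all\n"

if __name__ == "__main__":
    for finding in scan(SAMPLE_AUDIT_LOG.splitlines()):
        print(finding)
```

On a real cluster the input would be the audit log file or the stream from an audit webhook backend; the script only needs the lines to be one Event object each. A human operator's exec is expected now and then, so the value is in the service-account case and in comparing the source IP and target pod against what that workload should be doing.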
The malware employs a unique FIRESCALE mechanism to find backup command-and-control servers if the primary domain becomes unreachable. This technique involves scanning GitHub’s public commit messages for specific patterns to extract the necessary information.
The widespread use of the durabletask package, downloaded approximately 417,000 times monthly, means that many systems could be affected. Any system that has imported an infected version should be considered compromised, as the malware operates silently without any error messages or obvious indicators.
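Because an infected durabletask version gives no error or other visible sign, the practical first step is an inventory check against the three malicious releases the article names. The script below is an added example, not code from the article, from SafeDep or from the durabletask project: it matches pinned package lists (the `name==version` form written by `pip freeze` and requirements files), `pip list --format=json` output, and the distributions installed for the running interpreter against that version list. The package name and the versions 1.4.1, 1.4.2 and 1.4.3 come from the article; the sample inputs are constructed.

```python
"""Check Python dependency listings for the compromised durabletask releases.

Added example; not code from the article, SafeDep or the durabletask project.
The package name and the three malicious versions come from the article;
input formats handled and sample inputs are this example's own choices.
"""
import json
import re
from importlib import metadata
from typing import List, Tuple

# Versions the article names as malicious; matched exactly on the version string.
AFFECTED = {"durabletask": {"1.4.1", "1.4.2", "1.4.3"}}

# Matches `name==version` pins as written by `pip freeze` or in requirements
# files. Other forms (`name @ url`, `name>=1.0`) are not pins and are skipped.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;#]+)")


def normalize(name: str) -> str:
    """PEP 503 name normalization, so DurableTask and durabletask compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def check_pins(text: str) -> List[Tuple[str, str, int]]:
    """Return (name, version, line_no) for every affected pin in a requirements listing."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = PIN_RE.match(line)
        if not m:
            continue
        name, version = normalize(m.group(1)), m.group(2)
        if version in AFFECTED.get(name, set()):
            hits.append((name, version, line_no))
    return hits


def check_pip_json(doc: str) -> List[Tuple[str, str]]:
    """Same check over `pip list --format=json` output (a list of name/version objects)."""
    hits = []
    for entry in json.loads(doc):
        name, version = normalize(entry["name"]), str(entry["version"])
        if version in AFFECTED.get(name, set()):
            hits.append((name, version))
    return hits


def check_installed() -> List[Tuple[str, str]]:
    """Check the distributions installed for the interpreter running this script."""
    hits = []
    for dist in metadata.distributions():
        try:
            name = normalize(dist.metadata["Name"] or "")
        except (KeyError, TypeError):
            continue  # skip dist-info directories with unreadable metadata
        if dist.version in AFFECTED.get(name, set()):
            hits.append((name, dist.version))
    return hits


# Constructed sample inputs; not output captured from any real system.
SAMPLE_FREEZE = """\
sample-web-lib==2.0.0
DurableTask==1.4.2
durabletask-example-plugin==0.2.0
requests==2.32.3
"""
SAMPLE_PIP_JSON = (
    '[{"name": "sample-web-lib", "version": "2.0.0"},'
    ' {"name": "durabletask", "version": "1.4.3"}]'
)

if __name__ == "__main__":
    for hit in check_pins(SAMPLE_FREEZE) + check_pip_json(SAMPLE_PIP_JSON) + check_installed():
        print("AFFECTED:", hit)
```

Run `check_installed()` inside each virtual environment, container image and CI runner that could have resolved the package during the affected window; a clean requirements file says nothing about what an unpinned `pip install durabletask` pulled at build time, so the installed-distribution check is the one that matters for the "consider it compromised" rule above.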
The situation highlights the ongoing threat of cyber attacks on software supply chains and the importance of robust security measures to protect internal and customer data.
