Hacker Group TeamPCP Launches Unprecedented Open Source Poisoning Campaign
Original: A hacker group is poisoning open source code at an unprecedented scale
Why This Matters
Unprecedented scale of supply chain attacks threatens trust in open source ecosystem
TeamPCP hackers have compromised over 500 open source software packages in recent months. The group also breached GitHub itself after a developer installed a poisoned VSCode extension, gaining access to roughly 3,800 repositories. TeamPCP targets the developers and projects behind widely used open source tools so that each compromise feeds the next, producing cyclical supply chain attacks.
GitHub confirmed Tuesday that it was breached after one of its developers installed a malicious VSCode extension created by TeamPCP. The attack exposed around 3,800 GitHub repositories containing the company's own code, and TeamPCP is now advertising that source code for sale on the BreachForums cybercriminal marketplace.

According to cybersecurity firm Socket, TeamPCP has run 20 waves of supply chain attacks in recent months, poisoning more than 500 distinct software packages and more than 1,000 package versions. The group has breached hundreds of companies, including OpenAI and Mercor.

TeamPCP's tactics are cyclical: it gains access to organizations that develop open source tools commonly used by developers, plants malware in those tools, and uses the poisoned releases to spread to the other organizations that install them, which in turn become the next source of access. Wiz's Ben Read calls it the longest-running software supply chain attack spree ever.