2026-05-25 The Hacker News

GitHub Breach Exposes 3,800 Repos: Supply Chain Attacks Intensify

Supply Chain, Data Breach, Ransomware

GitHub has officially confirmed that a sophisticated supply chain attack compromised its internal repositories, resulting in the exfiltration of approximately 3,800 repositories by the cybercriminal group known as TeamPCP. The breach originated from a poisoned version of the Nx Console Visual Studio Code extension (nrwl.angular-console), which was compromised after one of its developers' systems was hacked following the recent TanStack supply chain attack. GitHub has since rotated critical secrets and is actively monitoring for follow-on activity. The incident is linked to the broader "Mini Shai-Hulud" campaign, and TeamPCP's public release of the Shai-Hulud code has created a ready-made blueprint for attackers targeting open-source repositories and developer environments. Organizations should verify their exposure using tools like our email breach checker to determine if their credentials were part of any compromised codebase.

The TanStack supply chain compromise has rippled across the technology sector, affecting multiple high-profile companies including OpenAI, Mistral AI, and Grafana Labs. Notably, Grafana Labs faced an extortion attempt from the attackers, who threatened to release the company's codebase. The company firmly refused to pay the ransom, demonstrating a growing trend of organizations resisting cybercriminals' demands. This incident highlights the cascading nature of supply chain attacks, where a single compromise can expose dozens of downstream victims. Security teams should implement continuous monitoring and use our SSL/TLS checker to ensure their development infrastructure remains properly secured against similar vectors.

In a separate action, Microsoft announced the takedown of Fox Tempest, a cyber threat actor that operated as a key enabler in the malware and ransomware supply chain. Fox Tempest provided tools and infrastructure to power Rhysida ransomware attacks, as well as infections involving Oyster, Lumma Stealer, and Vidar malware families. The group's most dangerous offering was a fraudulent code-signing service that allowed cybercriminals to deploy malware with legitimate digital signatures, effectively bypassing security controls and deploying threats "through the front door." This takedown represents a significant blow to the ransomware ecosystem, disrupting operations that have targeted organizations across multiple industries globally.

Source: The Hacker News
