TeamPCP Takes Action Against GitHub

TeamPCP, UNC6780, VS Code extension
TeamPCP compromised a GitHub employee device via a poisoned VS Code extension, exfiltrating approximately 3,800 internal repositories containing GitHub's core platform source code, billing logic, enterprise authentication systems, and security tooling internals. GitHub confirmed the breach on May 19-20, 2026, and has rotated critical secrets. No customer repository impact has been confirmed as of the report date.

Indicators of Compromise

t.m-kosche.com
check.git-service.com

APT Groups (1)

TeamPcp

TeamPCP is a financially motivated cybercrime group that emerged in late 2025. They specialize in supply chain attacks on cloud-native ecosystems (GitHub Actions, Docker Hub, npm, PyPI, OpenVSX) to inject credential stealers, deploy ransomware, and perform destructive operations. The group has demonstrated advanced automation, cloud-native tactics, and selective wiper behavior.

ShellForce, Persy_PCP, CipherForce, PCPcat, DeadCatx3, team pcp

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

Remediation
  • Step 1 -- Identify: pip show durabletask on all systems; flag any 1.4.1, 1.4.2, 1.4.3
  • Step 2 -- Remove: pip uninstall durabletask; check /tmp for rope.pyz and delete
  • Step 3 -- Check C2 logs: search network logs for outbound connections to check.git-service[.]com
  • Step 4 -- Treat as compromised: if a malicious version was installed, capture a memory dump before remediation; rotate all credentials on the host
  • Step 5 -- Reinstall clean: pin to durabletask==1.4.0 or await Microsoft's official patched release
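The first three remediation steps as an added shell triage helper, not part of the original guidance; it assumes POSIX sh, pip on PATH and plain-text network logs, and the telemetry it checks with --demo is constructed sample data.

```sh
#!/bin/sh
# Added triage helper for remediation Steps 1-3 above (not from the original page).
# Assumes POSIX sh, pip on PATH and plain-text network logs, one event per line.
# Pass --demo to run it on constructed sample data; otherwise it checks this host.
C2_DOMAIN="check.git-service.com"   # C2 indicator from the campaign page
DROPPER="rope.pyz"                  # artefact named in Step 2
# True (exit 0) when the version string is one of the flagged releases.
is_affected_version() {
  case "$1" in
    1.4.1|1.4.2|1.4.3) return 0 ;;
    *) return 1 ;;
  esac
}
# Prints the installed durabletask version, or nothing if it is not installed.
installed_durabletask_version() {
  pip show durabletask 2>/dev/null | awk '/^Version:/ {print $2}'
}
# Prints the dropper path if it sits in the given directory; false otherwise.
dropper_present() {
  [ -f "$1/$DROPPER" ] && printf '%s\n' "$1/$DROPPER"
}
# Triage one host: $1 installed version ("" if none), $2 network log, $3 dir to
# check for the dropper. Prints findings; returns 0 if clean, 1 if any indicator
# is present (then follow Steps 4-5: memory dump, rotate credentials, reinstall).
triage() {
  ver="$1"; log="$2"; dir="$3"; status=0
  if [ -n "$ver" ] && is_affected_version "$ver"; then
    echo "FLAG: durabletask $ver installed"; status=1
  fi
  if dropper_present "$dir" >/dev/null; then
    echo "FLAG: $dir/$DROPPER present"; status=1
  fi
  if grep -qF -- "$C2_DOMAIN" "$log" 2>/dev/null; then
    echo "FLAG: outbound traffic to $C2_DOMAIN in $log"; status=1
  fi
  return "$status"
}

# Constructed sample telemetry (not real data) that trips every check.
run_demo() {
  d="$(mktemp -d)"
  printf 'dst=check.git-service.com:443 tcp\ndst=pypi.org:443 tcp\n' > "$d/net.log"
  : > "$d/$DROPPER"
  triage "1.4.2" "$d/net.log" "$d"; rc=$?
  rm -rf "$d"; return "$rc"
}

if [ "${1:-}" = "--demo" ]; then run_demo; else
  triage "$(installed_durabletask_version)" /var/log/syslog /tmp
fi
```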

Downstream Risk -- Internal Source Code Exposure

Even without direct customer data access, the exfiltrated GitHub source code creates sustained downstream risk for the ecosystem:

  • Secret scanning evasion: Exfiltrated secret_scanning*.rb files reveal GitHub's detection patterns -- adversaries can craft secrets that evade automated scanning. Supplement GitHub's secret scanning with additional tools.
  • Private vulnerability research: Adversaries with the internal codebase can conduct undisclosed vulnerability research. Monitor GitHub's security advisories closely for the next 6-12 months.
  • OIDC/SSO bypass research: Enterprise OIDC configuration files expose GitHub's authentication federation logic. Review your GitHub Enterprise SSO configuration for any anomalies.

Observed Countries (250)
