
TeamPCP Takes Action Against GitHub
Tags: TeamPCP, UNC6780, VS Code extension
TeamPCP compromised a GitHub employee device via a poisoned VS Code extension, exfiltrating approximately 3,800 internal repositories containing GitHub's core platform source code, billing logic, enterprise authentication systems, and security tooling internals. GitHub confirmed the breach on May 19-20, 2026, and has rotated critical secrets. No customer repository impact has been confirmed as of the report date.
Indicators of Compromise
Indicator              Source    Date
t.m-kosche.com         Safedep   2026-05-20
check.git-service.com  SOCRadar  2026-05-20
APT Groups (1)
TeamPcp
TeamPCP is a financially motivated cybercrime group that emerged in late 2025. They specialize in supply chain attacks on cloud-native ecosystems (GitHub Actions, Docker Hub, npm, PyPI, OpenVSX) to inject credential stealers, deploy ransomware, and perform destructive operations. The group has demonstrated advanced automation, cloud-native tactics, and selective wiper behavior.
Aliases: ShellForce, Persy_PCP, CipherForce, PCPcat, DeadCatx3, team pcp
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
Remediation
- Step 1 -- Identify: run pip show durabletask on all systems; flag any host reporting 1.4.1, 1.4.2, or 1.4.3
- Step 2 -- Remove: pip uninstall durabletask; check /tmp for rope.pyz and delete it
- Step 3 -- Check C2 logs: search network logs for outbound connections to check.git-service[.]com
- Step 4 -- Treat as compromised: if a malicious version was installed, capture a memory dump before remediation, then rotate all credentials on the host
- Step 5 -- Reinstall clean: pin to durabletask==1.4.0 or await Microsoft's official patched release
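As an added example (not part of the original advisory), a bash triage helper that automates Steps 1 through 3 on a Linux host and tells you whether Step 4 applies; it assumes pip is on PATH and that proxy or DNS log files are passed as arguments:

```shell
#!/usr/bin/env bash
# Added triage helper for remediation Steps 1-3 above (not from the original advisory).
# Assumptions: `pip` is on PATH; proxy/DNS log files to search are passed as arguments.
FLAGGED_VERSIONS="1.4.1 1.4.2 1.4.3"   # durabletask releases flagged in Step 1

# Step 1: return 0 when $1 is one of the flagged durabletask versions.
is_flagged_version() {
  local bad
  for bad in $FLAGGED_VERSIONS; do
    [ "$1" = "$bad" ] && return 0
  done
  return 1
}

# Print the installed durabletask version, or nothing if it is not installed.
installed_durabletask_version() {
  pip show durabletask 2>/dev/null | awk -F': ' '/^Version:/ {print $2}'
}

# Step 2: return 0 when the dropped artifact rope.pyz exists under $1 (default /tmp).
dropped_artifact_present() {
  [ -e "${1:-/tmp}/rope.pyz" ]
}

# Step 3: count log lines in the given files that mention either C2 domain from the
# IoC table (0 when no files are given, so grep never waits on stdin).
c2_hits() {
  [ $# -gt 0 ] || { echo 0; return 0; }
  grep -h -F -e check.git-service.com -e t.m-kosche.com "$@" 2>/dev/null | wc -l | tr -d ' '
}

# Run Steps 1-3 on this host; the return value is the number of indicators found.
triage_host() {
  local findings=0 ver hits
  ver=$(installed_durabletask_version)
  if [ -n "$ver" ] && is_flagged_version "$ver"; then
    echo "FLAG: durabletask $ver installed - uninstall, capture memory, rotate credentials"
    findings=$((findings + 1))
  fi
  if dropped_artifact_present /tmp; then
    echo "FLAG: /tmp/rope.pyz present - preserve a copy for forensics, then delete"
    findings=$((findings + 1))
  fi
  hits=$(c2_hits "$@")
  if [ "$hits" -gt 0 ]; then
    echo "FLAG: $hits log lines reference C2 domains - treat host as compromised"
    findings=$((findings + 1))
  fi
  return "$findings"
}
```

Source the file and run `triage_host /var/log/squid/access.log` (or whatever proxy log you keep); a nonzero return status means Step 4 applies to that host.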
Downstream Risk -- Internal Source Code Exposure
Even without direct customer data access, the exfiltrated GitHub source code creates sustained downstream risk for the ecosystem:
- Secret scanning evasion: Exfiltrated secret_scanning*.rb files reveal GitHub's detection patterns -- adversaries can craft secrets that evade automated scanning. Supplement GitHub's built-in secret scanning with additional tools.
- Private vulnerability research: Adversaries with the internal codebase can conduct undisclosed vulnerability research. Monitor GitHub's security advisories closely for the next 6-12 months.
- OIDC/SSO bypass research: Enterprise OIDC configuration files expose GitHub's authentication federation logic. Review your GitHub Enterprise SSO configuration for any anomalies.
Observed Countries (250)