Technology.org reports:
The group behind it, a fast-rising crew called TeamPCP, says it reached roughly 4,000 of GitHub’s code repositories. GitHub confirmed the breach Tuesday night and counted at least 3,800 compromised repositories, all of them holding GitHub’s own code rather than customer data, according to what it has found so far.
For years, supply chain attacks were the rare horror story of security work. One corrupted application could quietly become an attacker’s doorway into an entire network. TeamPCP turned that occasional dread into something closer to a weekly habit, tainting hundreds of tools, squeezing victims for money, and chipping away at the trust that holds the open source world together.
On BreachForums, a marketplace for criminals, the group put GitHub’s guts up for sale.
Read more at Technology.org
An interview with TeamPCP was reported by CybersecurityIL. From that interview:
Q: Your campaigns show an extremely strong focus on supply-chain attacks. What practical advice would you give to organizations and developers on how to defend against attacks like these?
A: Minimum release age, pin releases to hash, fine-grained tokens, know what or limit extensions your developers are using in their IDEs. Socket will find the malware before the package is mature enough to hit your machine and publish all of the IOCs/remediation steps for you or your company’s blue team should you get hit.
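As an added example, not from the interview or from the page, here are two of the controls named in that answer, a minimum release age and pinning a release to its hash, checked offline in Python. The version-to-timestamp map mirrors the "time" field an npm-style registry returns; the dates, version numbers and package bytes are constructed.

```python
"""Minimum release age and hash pinning, checked against constructed data."""
import base64
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed stand-in for a registry's "time" map (version -> publish time).
PUBLISH_TIMES = {
    "1.4.2": "2024-01-10T12:00:00.000Z",
    "1.4.3": "2024-03-01T09:30:00.000Z",   # freshly published, not yet mature
}

def release_is_mature(publish_times, version, min_age_days, now):
    """Minimum release age: accept a version only if it was published at
    least min_age_days before `now`. Versions with no record are rejected."""
    stamp = publish_times.get(version)
    if stamp is None:
        return False
    published = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
    return now - published >= timedelta(days=min_age_days)

def sri_digest(data, algorithm="sha512"):
    """Build an integrity pin in the 'sha512-<base64>' form lockfiles use."""
    digest = hashlib.new(algorithm, data).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode()}"

def artifact_matches_pin(data, pinned):
    """Pin to hash: the downloaded bytes must reproduce the recorded digest,
    so a replaced or tampered artifact fails the check."""
    algorithm, _, expected = pinned.partition("-")
    if algorithm not in hashlib.algorithms_available or not expected:
        return False
    return sri_digest(data, algorithm) == pinned

if __name__ == "__main__":
    now = datetime(2024, 3, 3, tzinfo=timezone.utc)      # constructed "today"
    for version in PUBLISH_TIMES:
        ok = release_is_mature(PUBLISH_TIMES, version, 7, now)
        print(version, "mature" if ok else "too new, wait")
    tarball = b"constructed package bytes"              # constructed artifact
    pin = sri_digest(tarball)
    print(artifact_matches_pin(tarball, pin), artifact_matches_pin(tarball + b"x", pin))
```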
