A hacker group known as TeamPCP has launched an unprecedented wave of software supply chain attacks, breaching GitHub, OpenAI, and the European Commission. The gang has poisoned over 500 open source tools with malware, using a self-spreading worm called Mini Shai-Hulud to steal credentials and extort victims.

GitHub confirmed that attackers accessed at least 3,800 of its internal code repositories after a developer installed a malicious VSCode extension. TeamPCP is now selling the stolen source code on cybercriminal forums.

Cybersecurity researchers say the group has automated its attacks, creating a flywheel of breaches that spreads like wildfire. Experts recommend rotating credentials and delaying software updates to mitigate risk.