Microsoft-owned developer platform GitHub has stated that about 3,800 code repositories on its internal systems were accessed by attackers. The breach traces back to a poisoned Visual Studio Code extension installed on an employee's machine. It is yet another incident in the rising tide of attacks on developer tooling.
GitHub disclosed the breach in a string of posts on X, clarifying that "there is currently no evidence of impact to customer information stored outside of GitHub's internal repositories." The company said it is continuing to investigate.
According to the company, the attackers gained their foothold when an employee installed a poisoned VS Code extension, compromising that employee's computer. Visual Studio Code, commonly referred to as VS Code, is among the most popular code editors and is used by programmers across all major platforms.
That popularity, combined with the access an extension has to the editor, the open workspace and the developer's machine, makes extensions a prime target for criminals.
A malicious extension runs with the developer's own privileges, so it can steal passwords, authentication tokens, source code, cloud keys and more, and use them to move further into the organisation's infrastructure. GitHub declined to say which extension was involved. That detail matters, because other developers may have unwittingly installed the same extension.
GitHub Breach Linked to TeamPCP Raises New Fears Over Open-Source Supply Chain Attacks
According to The Record and BleepingComputer, the breach was carried out by the hacking collective TeamPCP, and the group is attempting to sell the stolen data on a criminal cyber marketplace.
GitHub has not officially confirmed those reports, nor has it said whether a ransom was demanded or whether any contact took place between the group and the company.
The case puts a spotlight on an emerging challenge in software security: the open-source supply chain.
Modern software development depends on thousands of external packages. Once a dependency is pulled in, its later updates rarely get the scrutiny the original choice did. This approach lets development teams move faster and more flexibly, but it also opens the door to a range of attacks.
Security experts have warned for years that attackers increasingly go after the smaller tools and services developers rely on rather than large companies directly: one compromised tool reaches many victims at once, far faster than attacking them one by one.

TeamPCP has been seen in previous attacks of a similar nature.
TeamPCP’s Supply Chain Attacks Expose Growing Threat to Open-Source Software Security
In one earlier instance, TeamPCP claimed responsibility for a breach of the European Commission, reportedly exfiltrating more than 90 GB of data from cloud storage platforms used by the Commission.
That breach was reportedly linked to another supply chain attack: the group is accused of injecting malicious code into updates of the open-source Trivy security scanner, and the malware is believed to have given the attackers access to the Commission's cloud credentials.
The same method was reportedly used in the latest GitHub breach.
Similar tactics have been reported in recent months against tools associated with OpenAI. Attackers also reportedly targeted the TanStack web development libraries and pushed malicious releases that steal users' passwords and authentication tokens.
Such attacks work because developers tend to trust updates from familiar tools without checking them. By taking over a repository, an extension, or an update channel, attackers can distribute code that looks legitimate to developers who are expecting an update from that source.
These concerns call for tighter control over developers' working environments. Many companies already scan external code libraries for known threats, but that alone is no longer sufficient. Stricter extension policies are needed, for example an allowlist of reviewed extensions rather than free installation from the marketplace, along with stronger endpoint protection and tighter control over developer accounts and access tokens.
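One way to enforce the extension policy described above, as an added example that is not part of the article or of GitHub's own tooling: a small audit script that compares the extensions actually installed on a developer's machine against a team-maintained allowlist of reviewed, version-pinned extensions. It assumes only the output format of `code --list-extensions --show-versions`, which prints one `publisher.name@version` per line; the allowlist entries and the sample listing are constructed for illustration.

```python
#!/usr/bin/env python3
"""Audit installed VS Code extensions against a pinned allowlist.

Added example for this article, not GitHub's tooling. Feed it the saved
output of `code --list-extensions --show-versions`, which prints one
extension per line as `publisher.name@version`.
"""
import re
import sys

# Hypothetical allowlist: extension id -> the version the team reviewed and pinned.
ALLOWLIST = {
    "ms-python.python": "2024.22.0",
    "eamodio.gitlens": "16.0.4",
}

# Constructed sample standing in for real `code --list-extensions --show-versions`
# output: one pinned match, one silently updated extension, one never reviewed.
SAMPLE_OUTPUT = """\
ms-python.python@2024.22.0
eamodio.gitlens@16.1.0
totally-legit.cloud-helper@0.0.3
"""

LINE_RE = re.compile(r"^(?P<id>[A-Za-z0-9][\w-]*\.[\w-]+)@(?P<version>[^\s@]+)$")


def parse_extension_list(text):
    """Parse `publisher.name@version` lines into {id: version}.

    Raises ValueError on a line that does not match, so a corrupted or
    tampered listing is rejected rather than silently accepted.
    """
    installed = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised extension line: {line!r}")
        installed[m.group("id").lower()] = m.group("version")
    return installed


def audit(installed, allowlist):
    """Classify installed extensions against the allowlist.

    Returns a dict with three lists:
      unlisted - installed but not on the allowlist (highest concern)
      drifted  - allowed id, but a version other than the pinned one
      missing  - on the allowlist but not installed (informational)
    Ids are normalised to lower case before comparison.
    """
    allowed = {k.lower(): v for k, v in allowlist.items()}
    report = {"unlisted": [], "drifted": [], "missing": []}
    for ext_id, version in sorted(installed.items()):
        if ext_id not in allowed:
            report["unlisted"].append(f"{ext_id}@{version}")
        elif version != allowed[ext_id]:
            report["drifted"].append(f"{ext_id}@{version} (pinned {allowed[ext_id]})")
    for ext_id in sorted(allowed):
        if ext_id not in installed:
            report["missing"].append(ext_id)
    return report


def main(argv):
    # With no argument, audit the constructed sample; otherwise read the saved
    # output of `code --list-extensions --show-versions` from the given file.
    text = SAMPLE_OUTPUT if len(argv) < 2 else open(argv[1], encoding="utf-8").read()
    report = audit(parse_extension_list(text), ALLOWLIST)
    for category, items in report.items():
        for item in items:
            print(f"{category:8s} {item}")
    # Non-zero exit so a CI job or endpoint check fails on unreviewed extensions.
    return 1 if report["unlisted"] or report["drifted"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the sample to see the two findings, or save `code --list-extensions --show-versions > exts.txt` on a workstation and pass `exts.txt`. Flagging version drift, not just unknown ids, is the point: a takeover of an already-trusted extension ships as an ordinary update, which an allowlist of names alone would wave through.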
GitHub Hack Exposes Growing Risks in the Open-Source Supply Chain
The breach of GitHub's internal systems also raises questions about the security of other major technology platforms. GitHub is one of the main hubs of software development; millions of developers use its services to store and work on their code.
Although the company says customer information stored outside its internal repositories is unaffected, the theft of internal code can still be damaging. Those repositories could hold internal applications, security controls, infrastructure components, or products still under development.
As things stand, GitHub has said that the investigation is still ongoing.
The lesson for the developer community is plain. Trusted software tools have become some of the most prized targets in the modern cybercriminal's playbook, and once attackers go after the software supply chain, a single extension can be enough.