A collective calling itself TeamPCP is shopping around what it says is the source code from roughly 4,000 GitHub-internal private repositories. The asking price on dark-web forums is $50,000, with a "if nobody buys, everything drops free" deadline pressure tactic stapled on. GitHub has confirmed the unauthorized access and pointed at a familiar weak link in the modern dev stack: a poisoned IDE plugin.

Behind the meter, the attack chain looks painfully ordinary. An employee installed a compromised version of a Visual Studio Code extension. That extension carried code that turned the workstation into a foothold. From there the intruders moved laterally inside GitHub's internal network and pulled data over what the company says was a months-long window before detection. Once the alarm tripped, GitHub isolated the device, ripped out the extension, and ran its incident response playbook. The company's public statement emphasizes that the blast radius stayed inside GitHub-internal repositories rather than reaching customer-owned private repos. Whether that distinction holds up under further forensics is the question every CISO will be asking on Monday morning.

This is the same shape as Mini Shai-Hulud, the self-replicating npm supply chain worm that has been chewing through ecosystems since the spring. SlowMist's MistEye telemetry flagged compromises across high-frequency npm packages including AntV and Echarts-for-react, plus the durabletask Python SDK. The pattern: hijack a maintainer's publishing credentials, push a malicious version, harvest GitHub tokens and cloud keys from anything that runs npm install, then use those credentials to republish into the next set of packages the victim controls. A dead-man's-switch daemon discourages defenders from yanking tokens too aggressively.

The hard truth is that VS Code Marketplace, npm, and PyPI all rely on a perimeter that doesn't really exist. Extensions install with whatever permissions the host process holds. There's no meaningful sandbox between a syntax highlighter and your ~/.aws/credentials. CI runners that execute postinstall scripts treat every package author as an implicit member of your engineering org. Code-signing certificates, GitHub tokens, and SSH keys are sitting on workstations that pull dozens of third-party updates per week without anyone reading a diff.

What this changes for builders. Treat your IDE extensions and your package lockfiles as production dependencies, not conveniences. Pin specific versions, mirror critical packages into a private registry, and run dependency installs inside containers with no access to long-lived credentials. Move secrets out of developer laptops and into short-lived OIDC-issued tokens. Audit the VS Code, Cursor, and JetBrains plugins your team has installed, because one of them is almost certainly the next entry point.