Behind the meter on the breach disclosed this week: a hacker collective calling itself TeamPCP says it lifted source code from roughly 3,800 internal GitHub repositories and is shopping the bundle on dark-web forums for $50,000. The stick attached to that carrot — if no buyer steps up, the dataset gets dumped publicly. GitHub has confirmed the unauthorized access, isolated the entry point, and is still walking the blast radius.
The interesting detail for builders is not the price tag. It is the ingress vector.
The attack started one IDE plugin away from production
According to GitHub's own statement, the entry point was a single employee device running a poisoned Visual Studio Code extension. The malicious extension version was uninstalled, the device was isolated, and incident response was activated within minutes of detection. But "within minutes" is measured against a dwell time that, by some reporting, ran for months before anyone noticed lateral movement inside internal infrastructure.
This is the same shape as the Mini Shai-Hulud campaign that has been chewing through npm and PyPI for the last few weeks — the one that hit OpenAI employee devices via TanStack packages, that compromised AntV, Echarts-for-react, and the durabletask Python SDK according to SlowMist's MistEye TI alert. Different tarball, same lesson: the soft underbelly of every engineering org in 2026 is the developer toolchain, not the production network.
Why extensions are the new dependency
A VS Code extension runs inside the editor process with full access to your filesystem, your shell, your shell history, your SSH agent, your gh tokens, your cloud credentials, and any repo you happen to have checked out. Most are installed with one click, auto-update silently, and ship with the same scrutiny applied to a random npm package — which is to say, almost none. When a maintainer's publishing key gets stolen, every developer who has that extension installed becomes a fresh attack surface on the next auto-update.
The Mini Shai-Hulud payload makes that worse. It is self-reproducing: once it lands on a developer box, it scrapes GitHub tokens, cloud keys, and SSH keys, then attempts to republish itself into every other package that victim maintains. It installs a persistent daemon configured as a dead-man's switch — revoke the stolen token and the malware wipes the home directory on the way out.
What this changes for builders
Treat IDE extensions like production dependencies. Pin specific versions, review what each one actually does on disk and on the wire, and put extension installs behind the same review gate you use for adding a new package to package.json. Move long-lived tokens — GitHub PATs, cloud keys, SSH keys — off developer workstations and into short-lived, scope-bound credentials brokered by an identity provider. If your security controls are rolled out to employees in stages, the laggards are now the breach. Push controls as defaults, not opt-ins, and assume the next supply-chain campaign is already mid-publish.
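As an added example that is not part of the original article or any GitHub tooling, the script below puts the "pin and review" advice into practice: it audits the VS Code extensions installed on a developer machine against a team-maintained allowlist of pinned versions and flags the two user settings that let an extension update silently. It assumes the standard ~/.vscode/extensions/<publisher>.<name>-<version>/package.json layout; the allowlist pins, the sample manifests and the sample settings are constructed for the demo.

```python
"""Audit a developer's VS Code extensions against a pinned allowlist.

Added example for this article, not code from GitHub or any project named here.
Assumptions: extensions live under the standard
~/.vscode/extensions/<publisher>.<name>-<version>/package.json layout, and the
team keeps an allowlist mapping extension id -> pinned version under code review.
"""
import json
import tempfile
from pathlib import Path

# Constructed allowlist for this example; the ids are real marketplace ids but
# the pinned versions are illustrative. A real team pins the versions it reviewed.
PINNED_ALLOWLIST = {
    "ms-python.python": "2024.2.1",
    "dbaeumer.vscode-eslint": "2.4.4",
}

# Settings that turn off silent auto-update so a pinned version stays pinned.
# Both keys are real VS Code user settings; the default leaves auto-update on.
REQUIRED_SETTINGS = {
    "extensions.autoUpdate": False,
    "extensions.autoCheckUpdates": False,
}


def parse_manifest(manifest_text):
    """Return (extension_id, version) from an extension's package.json text."""
    m = json.loads(manifest_text)
    ext_id = f"{m['publisher']}.{m['name']}".lower()
    return ext_id, str(m.get("version", ""))


def scan_extensions_dir(root):
    """Collect (id, version) for every extension directory under root."""
    installed = []
    for manifest in sorted(Path(root).glob("*/package.json")):
        try:
            installed.append(parse_manifest(manifest.read_text(encoding="utf-8")))
        except (json.JSONDecodeError, KeyError, OSError):
            # An unreadable manifest is itself a finding; report it by directory name.
            installed.append((manifest.parent.name.lower(), "unparseable"))
    return installed


def audit(installed, allowlist):
    """Classify installed (id, version) pairs against the allowlist.

    unapproved: not in the allowlist at all (needs review or removal)
    drifted:    approved id at a version other than the pin (auto-update or manual)
    ok:         approved id at the pinned version
    """
    report = {"unapproved": [], "drifted": [], "ok": []}
    for ext_id, version in sorted(installed):
        if ext_id not in allowlist:
            report["unapproved"].append((ext_id, version))
        elif version != allowlist[ext_id]:
            report["drifted"].append((ext_id, version, allowlist[ext_id]))
        else:
            report["ok"].append((ext_id, version))
    return report


def settings_violations(settings):
    """Return REQUIRED_SETTINGS keys whose value in the parsed settings.json (a
    dict) is not the required one. A missing key is a violation, because the
    editor's default is to auto-update."""
    return [k for k, v in REQUIRED_SETTINGS.items() if settings.get(k) is not v]


# Constructed sample manifests standing in for three installed extensions:
# one at the pin, one that moved past the pin, one nobody approved.
SAMPLE_MANIFESTS = {
    "ms-python.python-2024.2.1": '{"publisher": "ms-python", "name": "python", "version": "2024.2.1"}',
    "dbaeumer.vscode-eslint-2.4.5": '{"publisher": "dbaeumer", "name": "vscode-eslint", "version": "2.4.5"}',
    "example-publisher.example-tool-1.0.0": '{"publisher": "example-publisher", "name": "example-tool", "version": "1.0.0"}',
}

# Constructed settings.json content with auto-update left on.
SAMPLE_SETTINGS = {"extensions.autoUpdate": True}


def demo():
    """Write the sample manifests to a temporary extensions dir, audit them, and
    return (report, list of violated settings keys)."""
    with tempfile.TemporaryDirectory() as root:
        for dirname, text in SAMPLE_MANIFESTS.items():
            d = Path(root) / dirname
            d.mkdir()
            (d / "package.json").write_text(text, encoding="utf-8")
        report = audit(scan_extensions_dir(root), PINNED_ALLOWLIST)
    return report, settings_violations(SAMPLE_SETTINGS)


if __name__ == "__main__":
    report, bad_settings = demo()
    for category, items in report.items():
        for item in items:
            print(category, *item)
    for key in bad_settings:
        print("setting must be false:", key)
```

Run against the real directory with `audit(scan_extensions_dir(Path.home() / ".vscode" / "extensions"), allowlist)` in a scheduled job or a device-posture check. A drifted entry is exactly the case the article warns about: an approved extension that changed version without anyone reviewing the new release, which is how a stolen publishing key turns into a foothold on every workstation that had it installed.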