When the GitHub breach was first reported earlier this week, it looked like a targeted attack through one malicious VS Code extension. New reporting reveals the scope was significantly larger. The group behind it has a long history of this type of attack, and the number of compromised packages means thousands of developers and their downstream users may have been affected.
The Attack Group Has Done This 20 Times Before

The gang behind the GitHub breach, known as TeamPCP, has reportedly executed over 20 waves of supply chain attacks in recent months, compromising more than 500 pieces of software across different platforms. GitHub is just the latest and most high-profile victim.
Supply chain attacks are particularly dangerous because they target the tools developers trust most — code editors, package managers, CI/CD pipelines. A compromised extension does not just steal data. It can inject malicious code into every project built with it before anyone notices, turning the tools developers rely on daily into a vector for attacks on their clients and customers.
What Digital Teams Need to Do This Week

If your team uses VS Code, audit your installed extensions today. Remove anything you do not actively use. Treat extensions from unfamiliar or unverified publishers with the same suspicion you would apply to an executable from an unknown source.
If you manage client code, client credentials, or production secrets on your development machine, rotate those credentials now — assume they may have been exposed during the window the malicious extension was active.
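As an added example (not from the article or any vendor), a small POSIX shell audit that flags installed extensions whose publisher is outside a team allowlist. The allowlist and the sample inventory are constructed placeholders; the `code --list-extensions --show-versions` and `code --uninstall-extension` commands are the VS Code CLI's own.

```shell
#!/usr/bin/env sh
# Added example: audit a VS Code extension inventory against an allowlist of
# publishers the team has vetted. ALLOWED_PUBLISHERS and SAMPLE_INVENTORY are
# constructed placeholders; in practice pipe the live output of
# `code --list-extensions --show-versions` into flag_extensions.

# Hypothetical allowlist of vetted publishers (compared lowercase).
ALLOWED_PUBLISHERS="ms-python ms-vscode esbenp dbaeumer"

# Reads lines of the form publisher.name@version on stdin and prints the
# identifier of every extension whose publisher is not on the allowlist.
# Those are the ones to review and, unless actively needed, remove with
# `code --uninstall-extension <publisher.name>`.
flag_extensions() {
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    id=${line%@*}                                  # drop the @version suffix
    publisher=$(printf '%s' "${id%%.*}" | tr '[:upper:]' '[:lower:]')
    case " $ALLOWED_PUBLISHERS " in
      *" $publisher "*) ;;                         # vetted publisher, skip
      *) printf '%s\n' "$id" ;;                    # unknown publisher, flag
    esac
  done
}

# Constructed sample inventory in the format the VS Code CLI prints.
SAMPLE_INVENTORY='ms-python.python@2024.2.1
esbenp.prettier-vscode@10.4.0
Unknown-Dev.cool-helper@0.0.3
dbaeumer.vscode-eslint@2.4.4'

# Run the audit on the sample; on a real machine replace this with:
#   code --list-extensions --show-versions | flag_extensions
printf '%s\n' "$SAMPLE_INVENTORY" | flag_extensions
```

The script only reports; uninstalling stays a deliberate, per-extension decision.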
This is not a theoretical risk for large enterprise companies only. Small digital agencies and freelancers working with mixed extension setups are exactly the kind of target that falls through the gaps in corporate security reviews. Act while the incident is fresh.