
It's In The Extensions
Mini Shai Hulud Wormed Its Way Into GitHub
GitHub's internal systems were breached when one employee installed a malicious VS Code extension.
We're still on this malware matter. Data from approximately 3,800 internal repositories was stolen after a GitHub employee installed a compromised VS Code extension from the official VS Code Marketplace.
Wasn't even a scammy site or anything like that. Hackers got access to credentials, SSH keys, cloud keys, and other secrets on the dev's machine.
GitHub noticed the compromise and removed the malicious extension version from the marketplace. According to their official statement, the attackers breached and stole data from GitHub's internal repositories only. The company says there's no evidence (so far) that customer information stored outside of internal repositories was breached.
TeamPCP says they stole roughly 3,800 private code repositories, including GitHub's own source code and internal files. GitHub says that number lines up with what they found in their investigation, so the numbers don’t look inflated.
What Are They Doing with the Data?
TeamPCP listed the stolen GitHub data for sale with a minimum asking price of $50,000. They're saying this is “not a ransom” and that they aren't interested in extorting GitHub directly. They plan to sell the data to a single buyer, then “shred the data on our end”. If not, they'll leak it for free. Their words.
From the horse's posts: “It looks like our retirement is soon so if no buyer is found we will leak it free”.
What We Still Don't Know
- What extension was compromised? GitHub didn't say.
- Was customer data hit? GitHub says no evidence so far, but the investigation is ongoing.
- Will GitHub pay for the data? No comment from them on that.
- When will the full report be released? “At a later date.”
Right now probably isn't the best time to be installing anything, especially as official marketplaces don't even guarantee safety.
May 20, 2026
