Hatlen @hatlen

🚨A HACKER GROUP JUST STOLE 4,000 OF GITHUB'S OWN PRIVATE REPOSITORIES.. PUT THEM UP FOR SALE FOR $50,000.. AND THE WAY THEY GOT IN IS THE SCARIEST PART.. They didn't hack GitHub's servers.. They poisoned a VS Code extension.. One GitHub employee installed it.. And the attackers walked through the front door using the employee's own credentials.. The group calls themselves TeamPCP.. They name their malware after the sandworms from Dune.. And they've been running the most sophisticated supply chain attack campaign in cybersecurity history.. Here's how the whole thing unfolded.. In March.. They poisoned Trivy.. One of the most trusted security scanners in the world.. Used by over 10,000 development workflows globally.. They injected credential-stealing malware into Trivy's official GitHub Action.. The malware ran silently BEFORE the security scan.. So every log showed "scan completed successfully" while the malware was stealing AWS keys, SSH credentials, database passwords, and Kubernetes tokens in the background.. It took Aqua Security 5 days to fully remove them.. Using the stolen credentials.. They breached Cisco Systems.. Cloned over 300 private repositories.. Including source code for unreleased AI products.. And repositories belonging to Cisco's customers.. Major banks.. Government agencies.. BPO firms.. In April.. They hit Checkmarx.. Another security vendor.. Poisoned 5 official Docker images in 83 minutes.. The scanner worked perfectly.. It just silently sent all your secrets to the attackers.. That automatically cascaded into Bitwarden.. The password manager.. Their CI/CD system pulled the poisoned Docker image.. And the attackers injected malware into Bitwarden's official CLI package published on npm.. One compromised security scanner poisoned a password manager.. Automatically.. No human involved.. In May.. They hit TanStack.. Libraries downloaded millions of times per week.. 84 malicious package versions across 42 packages.. And here's the terrifying part.. The malware scraped the raw memory of GitHub's build servers.. Extracted authentication tokens.. Used those tokens to bypass two-factor authentication.. And then published the infected packages with completely valid cryptographic signatures.. Every security verification tool on earth said the packages were legitimate.. Because they were signed by the real pipeline.. Using real keys.. The attackers just happened to be inside the pipeline when it signed.. They defeated the entire trust model of modern software supply chains.. The same week they hit the Nx Console VS Code extension.. 2.2 million installations.. The malware specifically targeted Claude Code configurations.. Hunting for AI assistant credentials.. That's a first.. Supply chain malware designed to steal your AI's access keys.. Then on May 19.. They revealed the GitHub breach.. 4,000 internal repositories.. Listed for sale at $50,000.. With a warning.. "If nobody buys it.. We leak everything for free".. Their malware is self-propagating.. Once it infects one package.. It automatically finds every other package that developer maintains.. Steals the publish tokens.. And infects all of them.. Then those packages infect the next developer.. And the next.. It jumps between npm and PyPI automatically.. The group doesn't even do the extortion themselves.. They sell stolen credentials to ransomware gangs.. One gang used TeamPCP's data to threaten Cisco with leaking FBI and NASA personnel records.. And the scariest part of all.. They didn't break any encryption.. They didn't find any zero-days.. They exploited the fact that the entire software industry blindly trusts its own build tools.. Every security scanner.. Every Docker image.. Every VS Code extension.. Every GitHub Action.. Is a potential weapon if someone poisons it upstream.. And right now.. Nobody can tell the difference between a legitimate build and a compromised one.. Because the compromised ones have valid signatures too.

keyboard_arrow_left Previous keyboard_arrow_right Next

GitHub @github

a month ago

We are investigating unauthorized access to GitHub’s internal repositories. While we currently have no evidence of impact to customer information stored outside of GitHub’s internal repositories (such as our customers’ enterprises, organizations, and repositories), we are closely

2K 5K 25K 13.9M 6K

@rootxharsh @HacktronAI What do you mean "isn't limited to PAN-OS"?

@DarshanSays @rootxharsh @HacktronAI What

@DarkWebInformer Looks like just a scrape of their public "find employees" function. It's on the website. Not really sure why they post private post address there, but besides that it's really nothing. Not an AD dump at all I think.

@alexocheema @eastdakota @Cloudflare Cloudflare seems to disagree. Not even their whole backbone is measured in Pbps. Not sure what in HPC you are comparing it to? I doubt it's network speeds.

@alexocheema @eastdakota @Cloudflare Takes a lot of scaling going from 400Gbps to Pbps, but sure. You would need 2500 400 Gbps NICs to reach a single petabit.

@MoonguardX @0xFar3000 @eastdakota @Cloudflare That is 5800 Gbps. Generating a data stream locally isn't the problem, delivering it through the internet at 580 times what you can generate is the problem. Even out of a country you might start capping well before that for cross-country backbone links.. oversubscription is key

@alexocheema @eastdakota @Cloudflare You have more than 400Gbps interfaces in those beasts?

@_yushe My biggest fear in life is someone seeing my code.

@pjlast_ You lost me at "bank allows you to specify javascript", that is wild. What could go wrong? I really want to know how they implemented this, lol.

@M0reCowbell @cyb3rops @wiz_io

@NotTravisNewman @strager Now you can do the latter js-less version with complex javascript, polyfills and libraries! Without leaving any JS out of the backend written frontend! So we can achieve the same results as before, but with a lot more complex code. What is there to not understand?

Is Microsoft Recall MANDATORY now? What do you think? Over reacting? Or is this really a privacy concern? #windows #microsoft #ai #linux #macos #blackmirror #privacy @_JohnHammond @christitustech

🔥 securityaffairs.com/168966/hacking…

@evilsocket Not ignoring it, but you still gotta print, right? Still a great, awesome find nevertheless.

blog.sonicwall.com/en-us/2024/09/… oh shit

🚨 cybersecuritynews.com/0-click-rce-wi…

@miketheitguy I realize I'm late to the game. Did you decide? My two cents are on Netgate if you're going physical! :)

@el_nawser Any attacker will just pass the hash and do winrm or whatever.

FortiGate under active exploitation. Patch ASAP and check your logs for compromise.