Supply Chain · Open Source · GitHub · Microsoft · OpenAI · Ars Technica

A hacker group is poisoning open source code at an record scale

Fri, May 22 · 10:30 AM UTC 2 min read

Compiled by KHAO Editorial — aggregated from 1 source + 10 references discovered via search. See llms.txt for citation guidance.

◌ Single Source

Lines of programming code scrolling up on a dark screen background.

A so-called software supply chain attack, in which hackers corrupt a legitimate piece of software to hide their own malicious code, was once a relatively rare event but one that haunted the cybersecurity world with its insidious threat of turning any innocent application into a dangerous foothold in a victim’s network.

Key facts

It’s been like wildfire; it’s gone fast,” says Nathaniel Quist, manager of the Cortex Cloud intelligence team at Palo Alto Networks
As a result, the hackers behind the breach, an increasingly notorious group called TeamPCP, claim to have accessed around 4,000 of GitHub’s code repositories
It’s not qualitatively different from the 14 breaches that happened last week
The team do not care about extorting GitHub, 1 buyer and they shred the data on their end

Summary

On Tuesday night, open source code platform GitHub announced that it had been breached by hackers in one such software supply chain attack: A GitHub developer had installed a “poisoned” extension for VSCode, a plug-in for a commonly used code editor that, like GitHub itself, is owned by Microsoft. The GitHub breach is the latest incident in what has become the longest-running spree of software supply chain attacks ever, with no end in sight. Those tainted pieces of code have allowed TeamPCP’s hackers to breach hundreds of companies that installed the software, says Ben Read, who leads strategic threat intelligence at the cloud security firm Wiz.

TeamPCP’s core tactic has become a kind of cyclical exploitation of software developers: The hackers gain access to a network where an open source tool commonly used by coders is being developed—for example, the VSCode extension that led to the GitHub breach or the data visualization software AntV that TeamPCP hijacked earlier this week.

Read full article at Ars Technica →

#Supply Chain #Open Source #GitHub #Microsoft #OpenAI

Full coverage

Other sources that covered this story, discovered via Google News. 10 unverified additional sources beyond our direct ingest — use these to verify claims, compare framings, or quote specific publications.

Tier 1 — direct ingest

Ars Technica May 22 · 10:30 UTC

Tier 3 — covered but not verified (10)

Hackread.com May 22 · 14:09 UTC

Cybersecurity firm SafeDep discovered a massive automated attack on the software platform GitHub, targeting 5,561 repositories (software storage locations).

Cybernews.com May 22 · 14:09 UTC partial

Headline only — body unavailable.

Technology.org May 22 · 12:09 UTC

TeamPCP has run 20 attack “waves” in recent months, slipping malware into more than 500 separate pieces of open source software, with GitHub now its highest-profile target.

Thehackernews.com May 22 · 12:09 UTC

Cybersecurity researchers have disclosed details of a new automated campaign called Megalodon that has pushed 5,718 malicious commits to 5,561 GitHub repositories within a six-hour window.

Techzine Global May 22 · 8:09 UTC

GitHub says that attackers gained access to the platform’s internal repositories via a malicious extension for Visual Studio Code.

Cybersecuritynews.com May 22 · 2:09 UTC

A sweeping automated supply chain attack codenamed “Megalodon” struck GitHub on May 18, 2026, injecting malicious CI/CD backdoors into over 5,500 repositories in less than six hours, marking one of the most aggressive…

Dqindia.com May 22 · 0:09 UTC

Follow Us Indian enterprises are embracing artificial intelligence at an unprecedented pace, but a new report suggests that governance and security controls are struggling to keep up.

Cryptonews.net May 21 · 17:09 UTC

Shai-Hulud malware has been linked to roughly 300 npm and PyPI package entries.

Thehansindia.com May 21 · 17:09 UTC partial

Headline only — body unavailable.

And What Every Developer Should Do Now | by MayhemCode | CodeX | May, 2026 | Medium May 21 · 17:09 UTC

Member-only story -- Listen Share So GitHub got hacked. And I don’t mean some random user’s account or a third-party integration at the edges I mean GitHub’s own internal code repositories.