GitHub confirms 3,800 internal repos stolen through poisoned VS Code extension as supply chain worm hits Microsoft’s Python SDK

May 21, 2026

GitHub suffered a major breach on May 20 when a poisoned VS Code extension installed on an employee’s device gave attackers access to approximately 3,800 internal repositories. The attack was claimed by the threat group TeamPCP, tracked as UNC6780 by Google Threat Intelligence Group, which is now advertising the stolen repositories for sale starting at $50,000. GitHub’s investigation confirmed that the attacker’s claim aligns with the breach.

This breach was part of a series of supply chain attacks that occurred within a short period. On the same day, a new wave of the Mini Shai-Hulud worm introduced 639 malicious npm package versions, a compromised VS Code extension with 2.2 million installs was discovered, and TeamPCP compromised Microsoft’s durabletask Python SDK on PyPI. The breach revealed vulnerabilities in various software supply chains and highlighted the importance of cybersecurity measures in protecting sensitive data.

GitHub confirmed the breach, stating that the attack originated from a poisoned VS Code extension on a single employee device. While critical secrets were rotated and high-impact credentials were prioritized, the incident raised concerns about the security of internal repositories containing infrastructure configurations, deployment scripts, and internal API schemas. The breach was a significant intelligence leak rather than a traditional data breach.

TeamPCP’s listing of the stolen repositories appeared on a hacking forum before GitHub’s disclosure, indicating a lack of transparency on GitHub’s part. The threat group has been actively targeting open-source security utilities and AI middleware through multiple waves of supply chain attacks, as tracked by Trend Micro, StepSecurity, and Snyk. The breach highlighted the need for enhanced security measures to detect and prevent such attacks in the future.

In response to the breach, industry experts advised organizations to rotate secrets immediately if they have private repositories with sensitive information. Azure’s honeypot network revealed that known vulnerabilities are exploited within 90 seconds, emphasizing the urgency of securing credentials and preventing unauthorized access. The breach underscored the importance of proactive cybersecurity measures to protect against evolving threats.

The breach also shed light on the Mini Shai-Hulud worm, which forges valid cryptographic provenance badges to deceive users. The worm introduced provenance forgery by generating valid signing certificates for malicious packages, making it challenging to detect unauthorized changes. The attack highlighted the need for robust security tools to verify the authenticity of software packages and prevent malicious actors from infiltrating systems.

Overall, the GitHub breach and subsequent supply chain attacks underscored the importance of cybersecurity vigilance in an increasingly interconnected digital landscape. Organizations must prioritize security measures to protect sensitive data and prevent unauthorized access to internal repositories and infrastructure. The incident serves as a wake-up call for the industry to enhance cybersecurity practices and defend against evolving threats in the digital age.

PyPI has taken the precautionary step of quarantining all three versions of the durabletask package following a concerning discovery by StepSecurity. The analysis conducted by StepSecurity revealed that the payload associated with the package downloads a 28 KB dropper called rope.pyz. This dropper is designed to steal credentials from a wide range of cloud services, including AWS, Azure, GCP, Kubernetes, and over 90 different developer tool configurations. Once credentials are obtained, the payload then spreads laterally through cloud infrastructure. It is worth noting that the payload is programmed to skip systems with a Russian locale.

The durabletask package, which has an average of over 400,000 monthly downloads, was found to be the carrier of this malicious payload. This discovery raises concerns about the security of packages available on PyPI and highlights the importance of thorough vetting and monitoring of third-party dependencies.

In a separate incident, VS Code extensions were at the center of a security breach that impacted GitHub itself. Attackers managed to publish a compromised version of the Nx Console VS Code extension, which had been installed more than 2.2 million times. This malicious version was used to harvest tokens from various platforms, including GitHub, npm, AWS, HashiCorp Vault, Kubernetes, and 1Password. The attackers specifically targeted the Claude Code configuration file at ~/.claude/settings.json. The Nx team acted swiftly to remove the compromised extension, but the incident served as a reminder of the risks associated with third-party extensions and the importance of maintaining a secure development environment.

The security risks posed by AI coding agents were also brought to light in a recent study conducted by Adversa AI. The research, known as TrustFall, focused on popular coding tools such as Claude Code, Gemini CLI, Cursor CLI, and Copilot CLI. It was discovered that these tools often default to “Yes/Trust” when faced with trust dialogs, potentially exposing users to security vulnerabilities. The study found that repositories could ship configurations that auto-approve and launch servers without requiring any action from the user. This lack of visibility and control over trust dialogs could be exploited by malicious actors to carry out attacks.
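
A check to run on a freshly cloned repository before opening it in a coding agent, flagging the repository-shipped auto-approval configuration described above. This is an added example, not code from the article or from Adversa AI's research; it assumes Claude Code's project files `.mcp.json` and `.claude/settings.json` with the `enableAllProjectMcpServers` and `enabledMcpjsonServers` settings, and the sample repository is constructed.

```python
import json
import tempfile
from pathlib import Path

# Assumed Claude Code file and key names; they are not given in the article.
SETTINGS_FILES = (".claude/settings.json", ".claude/settings.local.json")
MCP_FILE = ".mcp.json"


def load_json(path):
    """Return the parsed JSON object, or None if absent, unreadable or malformed."""
    try:
        data = json.loads(path.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return None
    return data if isinstance(data, dict) else None


def audit_repo(repo):
    """List findings for repo-shipped config that defines or pre-approves servers."""
    repo = Path(repo)
    findings = []
    servers = (load_json(repo / MCP_FILE) or {}).get("mcpServers")
    servers = servers if isinstance(servers, dict) else {}
    for name, spec in servers.items():
        cmd = spec.get("command", "") if isinstance(spec, dict) else ""
        findings.append(f"{MCP_FILE}: defines server {name!r} running {cmd!r}")
    for rel in SETTINGS_FILES:
        cfg = load_json(repo / rel) or {}
        if cfg.get("enableAllProjectMcpServers") is True:
            findings.append(f"{rel}: auto-approves all {len(servers)} project server(s)")
        names = cfg.get("enabledMcpjsonServers")
        for name in names if isinstance(names, list) else []:
            findings.append(f"{rel}: pre-approves server {name!r}")
    return findings


def make_sample_repo(root):
    """Constructed sample checkout for the demo (not real incident data)."""
    root = Path(root)
    (root / ".claude").mkdir(parents=True)
    (root / MCP_FILE).write_text(json.dumps({"mcpServers": {"helper": {"command": "node"}}}))
    (root / ".claude/settings.json").write_text(json.dumps({"enableAllProjectMcpServers": True}))
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(*audit_repo(make_sample_repo(tmp)), sep="\n")
```

Any finding is a reason to read the referenced files before granting trust; an empty list only means these specific files and keys were not present.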

Furthermore, a concerning trend in the cybersecurity landscape is the increasing use of social channels as delivery mechanisms for malware and malicious payloads. CrowdStrike’s 2026 Financial Services Threat Landscape Report highlighted the rise of identity theft and financial theft facilitated through platforms like WhatsApp and LinkedIn. Adversaries are leveraging AI to create fake identities and bypass traditional security measures, posing a significant challenge for defenders.

In conclusion, the recent security incidents involving PyPI, VS Code extensions, and AI coding agents underscore the importance of maintaining a vigilant and proactive approach to cybersecurity. Developers and organizations must stay informed about emerging threats and implement robust security measures to protect their systems and data from malicious actors.

The Importance of Proper Identity Management for AI Agents in Enterprises

Introduction

As noted by Kayne McGladrey, a respected IEEE Senior Member, organizations are facing a critical challenge when it comes to managing the identities of AI agents within their systems. According to McGladrey, many organizations are resorting to cloning human user profiles for these agents, which can lead to permission sprawl from day one.

The Issue at Hand

One of the key issues highlighted by McGladrey is that the compliance frameworks currently in place within enterprises were designed with human users in mind. This poses a significant problem when it comes to managing the identities of AI agents, as their identities are not accounted for in these control catalogs.

The Risks of Cloning Human User Profiles

Cloning human user profiles for AI agents can lead to a number of risks and challenges for organizations. For starters, it can result in permission sprawl, where agents are granted access to resources and data that they should not have. This can pose serious security risks and compliance issues for enterprises.

The Need for Proper Identity Management

It is clear that there is a pressing need for proper identity management solutions that are specifically tailored to AI agents. Organizations must ensure that these agents have unique identities that are separate from human user profiles, and that they are properly managed and monitored within the system.

Conclusion

In conclusion, the issue of identity management for AI agents is a critical one that organizations must address. By implementing proper identity management solutions for these agents, enterprises can mitigate the risks of permission sprawl and ensure the security and compliance of their systems.
