A hacker group is poisoning open source code at an unprecedented scale

ID: a80004cb-0ec7-5009-9c11-fd8c03532929

STIX ID: report--a80004cb-0ec7-5009-9c11-fd8c03532929

Feed Name: Security - Ars Technica

Threat Score: 88/100

Date Published: 2026-05-22

Date Updated: 2026-05-22

Author: Andy Greenberg and Lily Hay Newman, WIRED.com


A criminal group known as TeamPCP carried out a software supply-chain attack by distributing a poisoned VSCode extension that allowed them to access GitHub internals. GitHub confirmed around 3,800 compromised repositories, and TeamPCP claims to be selling source code and internal org data. Socket reports the group has conducted roughly 20 waves of attacks, inserting malware into over 500 distinct open-source projects, signaling a large, ongoing campaign of widespread supply-chain compromise and extortion.