GitHub internal repositories breached
ID: a347a7fb-74de-5daa-864d-0b618d0efb29
STIX ID: report--a347a7fb-74de-5daa-864d-0b618d0efb29
Feed Name: Sophos Blogs
Sophos reports on a supply-chain compromise attributed to TeamPCP (UNC6780) where a malicious VS Code extension (Nx Console v18.95.0) installed on a GitHub employee's device was used to harvest developer credentials and clone approximately 3,800 internal repositories; the actor listed the stolen data for sale. Sophos recovered a Python backdoor (cat.py) that polls the GitHub Search API for commands and downloads signed Python payloads; the report provides IOCs (file hashes), MITRE-mapped TTPs, detection/hunt guidance, and remediation recommendations.
