GitHub internal repositories breached
ID: a5bf2ae4-e938-5e38-99f8-b34109c77aa0
STIX ID: report--a5bf2ae4-e938-5e38-99f8-b34109c77aa0
Feed Name: Sophos Blogs
Sophos describes a supply-chain attack by TeamPCP (UNC6780) in which a poisoned VS Code extension (Nx Console) was used to harvest developer credentials and clone ~3,800 internal GitHub repositories. Sophos recovered a Python backdoor (cat.py) that polls the GitHub Search API for commands. The report provides IOCs and MITRE mappings and issues hunting and remediation guidance, including token rotation, extension removal, and artifact detection.