A Hacker Group Is Poisoning Open Source Code at an Unprecedented Scale
ID: ece81f3e-1bb3-538f-9352-cb378eebde50
STIX ID: report--ece81f3e-1bb3-538f-9352-cb378eebde50
Feed Name: WIRED Security
A criminal group named TeamPCP has carried out an extensive, ongoing software supply-chain campaign. By compromising developer tools (for example, a poisoned VSCode extension) and deploying a self-spreading worm (Mini Shai-Hulud), the group has injected malware into hundreds of open-source projects and stolen credentials to push further malicious updates. It claims to have accessed roughly 3,800 GitHub repositories, using the access for extortion and to advertise stolen source code for sale.
