The sandworm malware strikes: How a hacker group stole 4,000 GitHub repositories and exposed the rot at the core of modern software security
Supply chain attacks exploit the foundational trust placed in development tools rather than relying on zero-day exploits or brute force, as demonstrated by TeamPCP’s breach of GitHub, in which a poisoned VS Code extension let the attackers steal 4,000 private repositories using valid employee credentials.
The Trivy poisoning incident showed how attackers can weaponize trusted security scanners: credential-stealing malware was injected into an official GitHub Action, which silently exfiltrated AWS keys, SSH credentials and database passwords while its logs still reported “scan completed successfully.”
Malware can cascade automatically through interconnected systems, as seen when a compromised Docker image was pulled by Bitwarden’s CI/CD system without any human intervention; the malware then self-propagated by stealing publish tokens and infecting every package a compromised developer maintained.
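As an added example (not from the article, and not code belonging to Trivy, Bitwarden or GitHub), the following Python check looks for the class of weakness behind the Trivy Action and Docker image incidents described above: a CI workflow that references an action by a mutable tag or branch, or a container image by a floating tag, so that whoever can move that tag controls what runs in the pipeline with the pipeline’s secrets. The sample workflow, the action pins and the digest values in it are constructed for illustration.

```python
"""Flag mutable supply-chain references in a GitHub Actions workflow.

A `uses:` reference pinned to a tag or branch (`@v4`, `@master`) and a
container image pinned to a tag (`:latest`, `:3.19`) can be moved by the
upstream maintainer or by anyone who compromises their account. A full
40-hex commit SHA or a `sha256:` image digest names one exact artifact.
"""
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

# Constructed sample workflow (illustrative only; the SHA and digest are
# placeholders, not real pins for these projects).
FAKE_SHA = "1e60f620b9541d16bece96c5465dc8ee9832be0b"
FAKE_DIGEST = "0" * 64
SAMPLE_WORKFLOW = f"""\
name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    container: ghcr.io/example/builder:latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@master
      - uses: actions/setup-node@{FAKE_SHA}
      - uses: docker://alpine:3.19
      - uses: docker://alpine@sha256:{FAKE_DIGEST}
      - uses: ./.github/actions/local-step
"""


def classify_uses(ref):
    """Return 'pinned', 'local' or 'mutable' for a `uses:` value."""
    ref = ref.strip("'\"")
    if ref.startswith("./"):
        return "local"  # lives in this repo; reviewed with the workflow
    if ref.startswith("docker://"):
        return "pinned" if DIGEST_RE.search(ref) else "mutable"
    if "@" not in ref:
        return "mutable"  # no version at all: resolves to default branch
    _, _, version = ref.rpartition("@")
    return "pinned" if SHA_RE.match(version) else "mutable"


def classify_image(image):
    """Return 'pinned' or 'mutable' for a container image reference."""
    return "pinned" if DIGEST_RE.search(image.strip("'\"")) else "mutable"


def find_mutable_refs(workflow_text):
    """Return (line_number, kind, reference) for every mutable reference."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = re.search(r"\buses:\s*(\S+)", line)
        if m:
            if classify_uses(m.group(1)) == "mutable":
                findings.append((lineno, "uses", m.group(1)))
            continue
        m = re.search(r"\b(?:container|image):\s*(\S+)", line)
        if m and classify_image(m.group(1)) == "mutable":
            findings.append((lineno, "image", m.group(1)))
    return findings


if __name__ == "__main__":
    for lineno, kind, ref in find_mutable_refs(SAMPLE_WORKFLOW):
        print(f"line {lineno}: mutable {kind} reference {ref}")
```

Pinning the action to a commit SHA protects only the action’s own code: an action that downloads a scanner binary or a base image at run time must also pin what it fetches, or the same floating-tag problem reappears one level down.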
The GitHub breach undercut the trust model of the modern software supply chain by scraping authentication tokens from build server memory. A stolen token is accepted after the login step has already happened, so two-factor authentication never comes into play, and packages published with it carry valid cryptographic signatures that verification tools accept, because a signature proves possession of the signing key, not that the publisher’s pipeline was intact.
Privileged firmware subsystems in Intel processors (such as the Management Engine, which critics regard as a backdoor) and sophisticated malware like Stuxnet demonstrate that even leading cybersecurity firms like CrowdStrike cannot prevent intrusions when attackers exploit systemic vulnerabilities at scale, a capability the article says is now being weaponized by state-backed groups like TeamPCP.
Read Full Article: https://www.naturalnews.com/2026-05-23-hacker-group-stole-4000-github-repositories.html