05/23/2026 / By Patrick Lewis

In what cybersecurity experts are calling the most sophisticated supply chain attack in history, a hacker group known as TeamPCP has successfully stolen 4,000 of GitHub’s own private repositories and is now offering them for sale at $50,000. The breach didn’t come through a brute force attack on GitHub’s fortified servers or some exotic zero-day exploit. Instead, it began with something far more mundane and terrifying: a poisoned VS Code extension that a single GitHub employee unwittingly installed.
Once that extension was on the developer’s machine, the attackers walked through the front door using the employee’s own credentials. “They didn’t break any encryption,” explained Yoo, a Resecurity researcher who has been tracking the group. “They didn’t find any zero-days. They exploited the fact that the entire software industry blindly trusts its own build tools.”
The group, which names its malware after the sandworms from Frank Herbert’s “Dune” novels, has been running a campaign that researchers describe as “one of the most sophisticated pieces of malware ever seen.” While the GitHub breach is their most audacious act, their methodology follows a pattern that security experts have been dreading for years.
“It started with an infected USB drive being physically connected to one of the machines and then spread through the network,” Yoo added, recalling earlier phases of the operation. “Over two weeks in February, the attackers gained access to more than 100 computers belonging to current and former employees of 21 major energy companies.” The group’s willingness to spend up to $15,000 per machine to purchase access to specific infected computers shows the depth of their resources and commitment.
The malware exploited four previously unknown vulnerabilities in Windows, used stolen digital certificates to bypass security checks, and demonstrated a level of sophistication that has left even seasoned security professionals shaken.
In March, TeamPCP executed its most devastating attack yet. They poisoned Trivy, one of the most trusted security scanners in the world, used by over 10,000 development workflows globally. The attackers injected credential-stealing malware into Trivy’s official GitHub Action, but in a genius twist, the malware ran silently before the security scan executed. Every log showed “scan completed successfully” while the malware was stealing AWS keys, SSH credentials, database passwords and Kubernetes tokens in the background.
It took Aqua Security five days to fully remove the compromised version. By then, the damage was done.
Using the stolen credentials, the group breached Cisco Systems, cloning over 300 private repositories including source code for unreleased AI products and repositories belonging to Cisco’s customers—major banks, government agencies and BPO firms.
In April, TeamPCP struck again, this time hitting Checkmarx, another security vendor. They poisoned five official Docker images in just 83 minutes. The scanner worked perfectly, but it silently sent all secrets to the attackers. What happened next demonstrates the terrifying interconnectivity of modern software development.
The compromised Docker image was automatically pulled by Bitwarden, the popular password manager’s CI/CD system. No human involved. The malware then injected itself into Bitwarden’s official CLI package published on npm. One compromised security scanner poisoned a password manager automatically.
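The two incidents above share one enabling condition: the pipeline fetched its scanner by a mutable name (an Action tag, an image tag), so a republished artifact was picked up automatically. The following check is an added example, not code from the article or any vendor it names; it scans a constructed GitHub Actions workflow for `uses:` and `image:` references that are not pinned to an immutable commit SHA or sha256 digest, so that a silently swapped Action or image cannot be pulled unnoticed.

```python
import re

# Constructed sample workflow (not from any real project) mixing pinned
# and mutable references. Hashes below are placeholders, not real digests.
SAMPLE_WORKFLOW = """\
name: ci
jobs:
  scan:
    runs-on: ubuntu-latest
    container:
      image: example/scanner:latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: docker://example/scanner:1.2.3
      - uses: docker://example/scanner@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
      - uses: ./.github/actions/local-step
"""

SHA1_RE = re.compile(r"^[0-9a-f]{40}$")          # full git commit id
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")  # OCI image digest
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
IMAGE_RE = re.compile(r"^\s*image:\s*([^\s#]+)")

def is_pinned(ref: str) -> bool:
    """True only for references that cannot be re-pointed by the publisher."""
    if ref.startswith("./"):
        return True  # local action, versioned together with the checkout
    if DIGEST_RE.search(ref):
        return True  # image addressed by content digest
    if ref.startswith("docker://"):
        return False  # docker:// action by tag: mutable
    _, sep, version = ref.rpartition("@")
    return bool(sep and SHA1_RE.match(version))  # tag/branch such as @v4 fails

def find_unpinned(workflow_text: str) -> list:
    """Return (line_no, reference) for every mutable action or image reference."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line) or IMAGE_RE.match(line)
        if m and not is_pinned(m.group(1)):
            findings.append((n, m.group(1)))
    return findings

if __name__ == "__main__":
    for line_no, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {line_no}: mutable reference {ref!r}; pin to a commit SHA or digest")
```

Pinning does not stop a compromise that happens inside the signing pipeline itself, as later sections describe, but it does turn "whatever the tag points at today" into an explicit, reviewable change in the repository.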
“The malware is self-propagating,” Yoo explained. “Once it infects one package, it automatically finds every other package that developer maintains, steals the publish tokens and infects all of them. Then those packages infect the next developer, and the next.”
In May, TeamPCP hit TanStack, a library ecosystem downloaded millions of times per week, publishing 84 malicious package versions across 42 packages. The method was chilling in its elegance. The malware scraped the raw memory of GitHub’s build servers, extracted authentication tokens, used those tokens to bypass two-factor authentication and then published the infected packages with completely valid cryptographic signatures.
“Every security verification tool on earth said the packages were legitimate,” Yoo emphasized. “Because they were signed by the real pipeline using real keys. The attackers just happened to be inside the pipeline when it signed. They defeated the entire trust model of modern software supply chains.”
The same week, they hit the Nx Console VS Code extension, which has 2.2 million installations. The malware specifically targeted Claude Code configurations, hunting for AI assistant credentials. “That’s a first,” Yoo noted. “Supply chain malware designed to steal your AI’s access keys.”
On May 19, TeamPCP revealed the scale of their GitHub breach. They listed 4,000 internal repositories for sale at $50,000, with a chilling warning: “If nobody buys it, we leak everything for free.” The group doesn’t even do the extortion themselves. They sell stolen credentials to ransomware gangs. One gang used TeamPCP’s data to threaten Cisco with leaking FBI and NASA personnel records.
“Right now, nobody can tell the difference between a legitimate build and a compromised one,” Yoo concluded. “Because the compromised ones have valid signatures too.” The attackers exploited the rot at the core of modern software security: blind trust in build tools, in automated pipelines, in the very systems designed to protect us. And until that changes, every development workflow, every CI/CD pipeline, every security scanner remains a potential weapon—already loaded, waiting for someone to pull the trigger.
According to BrightU.AI’s Enoch, the SandWorm malware’s theft of 4,000 GitHub repositories reveals how sophisticated state-backed hacking groups exploit foundational weaknesses in software security, often with devastating efficiency. This incident underscores that modern cybersecurity failures are not just about code errors but also about systemic vulnerabilities that allow advanced persistent threats to wreak havoc at scale.
