GitHub confirms 3,800 internal repos stolen through poisoned VS Code extension as supply chain worm hits Microsoft’s Python SDK
Summary
GitHub confirmed on May 20, 2026, that approximately 3,800 internal repositories were stolen via a poisoned VS Code extension installed on an employee's device. The threat group TeamPCP (UNC6780) claimed responsibility, advertising the stolen data for sale starting at $50,000. This incident is part of a broader "Mini Shai-Hulud" supply chain worm campaign, which also saw 639 malicious npm package versions with forged Sigstore provenance, a compromised GitHub Actions workflow, and Microsoft's durabletask Python SDK breached on PyPI, all around May 19. Additionally, a compromised Nx Console VS Code extension with 2.2 million installs was reported on May 18. The period also saw disclosures of AI agent vulnerabilities, including auto-execution of untrusted servers and prompt injection leading to RCE, alongside a significant increase in identity theft via social channels.
Key takeaway
Security Engineers managing development pipelines and AI agent deployments must immediately reassess their supply chain and AI runtime security posture. The recent GitHub breach and widespread worm attacks demonstrate that provenance checks and trust dialogs alone are insufficient. Prioritize rotating all GitHub-issued tokens, pinning VS Code extension versions, and configuring AI agents to require explicit server approvals. Additionally, upgrade Semantic Kernel to mitigate prompt injection risks and integrate social channels into insider threat playbooks.
Key insights
Chained supply chain and AI agent vulnerabilities are actively exploited, bypassing traditional security measures.
Principles
- Provenance badges are not sufficient security.
- AI agent trust dialogs are often ignored.
- Chaining minor flaws yields major access.
Method
The Mini Shai-Hulud worm forges Sigstore certificates at runtime. Detect it by running `find . -name 'router_init.js' -size +1M` and then running `grep` over the matches for the hash `79ac49eedf774dd4b0cfa308722bc463cfe5885c`.
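Added here as a worked example (not code from the article, AIssential, or VentureBeat): a Python sweep that performs the `find`/`grep` check above in one pass, using the file name, the `-size +1M` cut-off and the hash quoted above. Because "grep for the hash" can mean either the 40-hex string appearing inside the file or the file's own SHA-1 equalling it, both readings are reported; which one the campaign actually matches is an assumption here, and the sample tree is constructed inline.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import List, NamedTuple

INDICATOR = "79ac49eedf774dd4b0cfa308722bc463cfe5885c"  # hash quoted in the advisory text
TARGET_NAME = "router_init.js"
SIZE_THRESHOLD = 1024 * 1024  # find's -size +1M means strictly larger than 1 MiB


class Finding(NamedTuple):
    path: Path
    size: int
    contains_indicator: bool  # literal hash string present in the file contents
    sha1_matches: bool        # SHA-1 digest of the whole file equals the indicator


def scan_tree(root: Path) -> List[Finding]:
    """Walk root; return every oversized router_init.js with both indicator checks."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name != TARGET_NAME:
                continue
            path = Path(dirpath) / name
            try:
                size = path.stat().st_size
                if size <= SIZE_THRESHOLD:
                    continue  # same cut-off as find -size +1M
                data = path.read_bytes()  # files are ~1 MiB, so a whole-file read is fine
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
            findings.append(Finding(path, size, INDICATOR.encode() in data,
                                    hashlib.sha1(data).hexdigest() == INDICATOR))
    return sorted(findings, key=lambda f: str(f.path))


def demo() -> List[Finding]:
    """Constructed sample tree: one hit, one oversized clean file, one small file."""
    padding = b"// padding\n" * (SIZE_THRESHOLD // 10)  # ~1.15 MiB, above the cut-off
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for sub in ("bad", "clean", "small"):
            (root / sub).mkdir()
        (root / "bad" / TARGET_NAME).write_bytes(padding + INDICATOR.encode() + b"\n")
        (root / "clean" / TARGET_NAME).write_bytes(padding + b"// benign\n")
        (root / "small" / TARGET_NAME).write_bytes(INDICATOR.encode())  # under 1 MiB: ignored
        return scan_tree(root)
```

Call `demo()` to see the constructed case, or point `scan_tree` at a real checkout or `node_modules` tree for an actual sweep.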
In practice
- Rotate GitHub tokens and OAuth app secrets.
- Pin VS Code extension versions.
- Disable AI agent auto-server approval.
Topics
- Supply Chain Security
- VS Code Extensions
- AI Agent Security
- Credential Theft
- npm Package Security
- Sigstore Forgery
Best for: CTO, VP of Engineering/Data, Director of AI/ML, AI Security Engineer, Security Engineer, Software Engineer
Editorial summary, takeaway, and curation by AIssential. Original article published by VentureBeat.