Last week, GitHub confirmed that hackers stole data from approximately 3,800 of its internal repositories. The attack didn't involve some exotic new exploit. It started with a poisoned VS Code extension, the kind of plugin millions of developers install without a second thought.

VS Code is the most popular code editor in the world, and its extensions run with the same permissions as the editor itself. Once installed, an extension can access everything on the developer's machine. Most endpoint security tools don't even monitor that layer, according to Charlie Eriksen, a security researcher at Aikido Security.

The group behind the attack, known as TeamPCP, used the compromised extension to harvest developer credentials. From there, they worked their way into GitHub's build pipelines and into npm, the central registry where JavaScript developers download the open-source libraries their apps rely on.

On May 11, the attackers published 84 malicious package versions across 42 TanStack libraries in a six-minute window. TanStack is a popular open-source toolkit for web development, and OpenAI was one of the companies using it.

OpenAI's code-signing certificates for its iOS, Android, macOS and Windows apps were exposed in the breach. Signing certificates are the digital stamps that prove an app is legitimate and hasn't been tampered with. OpenAI said it found no evidence the certificates were actually misused but is rotating all of them as a precaution and requiring macOS users to update their apps by June 12.

The vulnerability scored a 9.6 out of 10 on the national severity scale, classified as critical. None of the individual techniques were new. The TanStack postmortem shows the attackers recombined known exploits from previously published security research into a chain far more dangerous than any single piece.

TeamPCP then took to BreachForums, a hacker marketplace, to sell what they'd stolen. "We are here today to advertise GitHub's source code and internal orgs for sale," the group posted. They followed up with a line that read more like a garage sale than a ransom note: "As always this is not a ransom. 1 buyer and we shred the data on our end."

Security researchers say this kind of attack is becoming self-sustaining. Ben Read, head of strategic threat intelligence at Wiz, described it as a "flywheel of supply chain compromises" where one breach feeds the next. Nathaniel Quist at Palo Alto Networks called the spread "like wildfire" and pointed to long-lived developer credentials as the biggest thing making it all possible.

TeamPCP isn't alone. In a separate operation, North Korean state-sponsored hackers compromised the Axios npm package, one of the most downloaded JavaScript libraries in the world. Different group, same playbook.

In the Valley

The biggest threat to AI security right now isn't a rogue model or a jailbreak. It's the open-source packages those models are built on. The industry is pouring billions into making AI smarter while the supply chain underneath it runs on credentials that haven't been rotated in months. Defensive tools keep improving. The flywheel spins faster than any patch cycle.