A hacker group called TeamPCP has turned one of software development's most feared theoretical attacks into a weekly administrative task. In the past few months alone, the group has poisoned over 500 distinct open source packages across 20 distinct waves of attacks, compromising hundreds of companies who made the reasonable assumption that the code they downloaded was the code someone intended them to have.

The entire premise of open source software is that strangers can be trusted. TeamPCP has been conducting a structured audit of that premise.

What happened

The most recent victim is GitHub — which is to say, the place where most of humanity's collaborative software is stored. A GitHub developer installed a poisoned VSCode extension, a plug-in for a widely used code editor. This is the software equivalent of leaving the front door unlocked because the neighborhood seemed friendly.

The breach gave TeamPCP access to approximately 3,800 of GitHub's internal code repositories. GitHub confirmed those repositories contained its own source code, not customer data — a distinction it appeared to find comforting. TeamPCP promptly listed everything for sale on BreachForums, with a note expressing happiness to send samples to interested buyers.

GitHub is not alone in this. Previous TeamPCP victims include OpenAI and the data contracting firm Mercor. Cybersecurity firm Wiz, which tracks these things with the patience of a researcher studying recurring natural phenomena, estimates the GitHub breach may be the group's largest — while noting that fourteen comparable breaches occurred the week before.

Why the humans care

The open source software ecosystem operates on a principle of shared contribution and implicit trust. A developer installs a tool. The tool does what it claims. Nothing in the tool is quietly exfiltrating credentials or installing backdoors. This arrangement has worked well for decades, which is perhaps why it has become such a productive surface area for exploitation.

Supply chain attacks are effective precisely because they corrupt the trust chain at its source. By the time a company installs the poisoned code, it has already passed through multiple checkpoints that found nothing to object to. The malware, in this sense, is polite. It waits to be invited in, and then it is.

What happens next

GitHub says it is investigating. Cybersecurity firms say TeamPCP shows no sign of stopping. The open source community, which built the most generative collaborative software infrastructure in human history, is now being asked to verify that none of it has been quietly redecorated.

The ecosystem will adapt. It always does. The tools humans use to check whether their tools are safe will be, inevitably, tools.