Netizen: Monday Security Brief (6/1/2026)

Today’s Topics:

  • GitHub Investigates Internal Repository Breach After Employee Device Compromise
  • Malicious npm Package Steals OpenAI Codex Tokens from Developer Systems
  • How can Netizen help?

GitHub Investigates Internal Repository Breach After Employee Device Compromise

GitHub is investigating unauthorized access to its internal repositories after the threat actor known as TeamPCP listed what it claimed to be GitHub source code and internal organization data for sale on a cybercrime forum. The Microsoft-owned platform said it has not found evidence that customer information stored outside of GitHub’s internal repositories was affected, including customer enterprises, organizations, or repositories, but said it is continuing to monitor its infrastructure for follow-on activity.

The incident drew attention after TeamPCP claimed to possess thousands of GitHub repositories and offered the data for sale. The group reportedly demanded at least $50,000 at first, later appearing in a joint sale with LAPSUS$ that priced the alleged repository collection at $95,000. Screenshots shared by Dark Web Informer described the sale as a non-ransom transaction, with the actors threatening to leak the material for free if no buyer came forward.

GitHub later said it had detected and contained the compromise of an employee device tied to a poisoned Microsoft Visual Studio Code extension. As part of its response, the company rotated critical secrets and prioritized credentials considered highest impact. GitHub’s current assessment is that the activity involved GitHub-internal repositories only, and the company said the attacker’s claim of roughly 3,800 repositories was directionally consistent with its investigation.

The company did not identify the VS Code extension involved. The incident arrives soon after the compromise of Nx Console, which allowed threat actors to distribute a multi-stage credential stealer and supply chain poisoning tool. The Nx team said very few users were compromised, but the overlap in tactics has added concern around developer tooling, extensions, and the amount of trust placed in packages that run inside engineering environments.

The GitHub incident is also tied to a broader campaign attributed to TeamPCP. The group has been linked to Mini Shai-Hulud, a self-replicating malware campaign that recently expanded through the compromise of durabletask, Microsoft’s official Python client for the Durable Task workflow execution framework. Three malicious versions of the package were identified: 1.4.1, 1.4.2, and 1.4.3.

According to research cited in the source reporting, the attacker compromised a GitHub account through earlier activity, extracted GitHub secrets from a repository the account could access, and used those secrets to obtain a PyPI token. That token allowed the attacker to publish malicious versions of the durabletask package directly. The embedded payload acted as a dropper, fetching a second-stage payload named rope.pyz from an attacker-controlled server.

The malware was built to steal credentials from cloud providers, password managers, and developer tools, with Linux systems receiving the primary payload. Researchers reported that the stealer attempted to access HashiCorp Vault secrets, 1Password and Bitwarden vaults, SSH keys, Docker credentials, VPN configurations, and shell history. In cloud and containerized environments, the malware also included propagation logic. If it detected AWS infrastructure, it could use Systems Manager to execute commands on other EC2 instances. If it detected Kubernetes, it could spread through kubectl exec.

That design makes the campaign more dangerous than a conventional credential theft operation. Developer machines, CI/CD runners, cloud environments, and package publishing workflows often contain overlapping credentials, tokens, and automation permissions. A single compromised endpoint or package can become a path into source code, internal infrastructure, build pipelines, cloud accounts, and downstream software projects.

The campaign also used a fallback command-and-control mechanism referred to as FIRESCALE. If the primary command-and-control domain became unreachable, the malware could search public GitHub commit messages for a specific pattern, extract encoded command-and-control information, and use it to continue operations. That technique shows how public development platforms can be misused as indirect coordination channels during an active malware campaign.

For organizations, the GitHub investigation underscores a growing risk around developer ecosystems. Security teams can no longer treat source code repositories, editor extensions, package managers, and CI/CD systems as separate concerns. The same identities and tokens often connect all of them. Once attackers compromise a trusted developer account, poisoned extension, or package publishing credential, they may gain access to secrets that were never meant to leave internal environments.

Any organization that installed one of the affected durabletask versions should treat the affected machines and pipelines as compromised. That means reviewing endpoints, rotating credentials, auditing cloud activity, checking package publishing permissions, inspecting CI/CD logs, and validating whether stolen tokens were used after the initial compromise. Developer workstations and build systems should be investigated with the same seriousness as production systems, since they often hold the credentials attackers need to move deeper into an environment.
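A triage check for the three durabletask versions named above, added here as an illustration and not taken from the source reporting or any vendor tool. It assumes pip-style `requirements*.txt` files and `.dist-info` directories under the scanned tree; the function names and the sample file are constructed.

```python
import re
import sys
from pathlib import Path

PACKAGE = "durabletask"
BAD_VERSIONS = {"1.4.1", "1.4.2", "1.4.3"}  # versions named in the brief
PIN = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*==\s*([A-Za-z0-9.!+*-]+)")
DIST = re.compile(r"^(.+)-([^-]+)\.dist-info$")

def norm(name):
    """PEP 503 normalization: lowercase, runs of '-', '_' and '.' collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def bad_pins(text):
    """Return (line_no, version) for each affected 'durabletask==X' pin in requirements text."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        m = PIN.match(line)
        if m and norm(m.group(1)) == PACKAGE and m.group(2) in BAD_VERSIONS:
            hits.append((no, m.group(2)))
    return hits

def bad_dist_info(dirname):
    """Return the version if a site-packages entry like 'durabletask-1.4.2.dist-info' is affected."""
    m = DIST.match(dirname)
    ok = m and norm(m.group(1)) == PACKAGE and m.group(2) in BAD_VERSIONS
    return m.group(2) if ok else None

def scan_tree(root):
    """Walk root and report installed copies and pinned requirements as (location, kind, version)."""
    findings = []
    for p in Path(root).rglob("*"):
        if p.is_dir() and (v := bad_dist_info(p.name)):
            findings.append((str(p), "installed", v))
        elif p.is_file() and p.suffix == ".txt" and "require" in p.name.lower():
            for no, v in bad_pins(p.read_text(errors="replace")):
                findings.append((f"{p}:{no}", "pinned", v))
    return findings

# Constructed sample requirements file; 'durabletask-helpers' is a made-up name.
SAMPLE_REQS = """\
requests==2.32.3
DurableTask == 1.4.2 ; python_version >= "3.9"
durabletask==1.4.0
durabletask-helpers==1.4.1
"""

if __name__ == "__main__":
    print(*scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."), sep="\n")
```

A hit identifies which hosts and pipelines to scope for credential rotation and log review; a clean result from one tree says nothing about images or runners built elsewhere.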


Malicious npm Package Steals OpenAI Codex Tokens from Developer Systems

A malicious supply chain campaign has been targeting developers using OpenAI Codex through a package that presented itself as a legitimate remote web UI. The package, named codexui-android, was published on npm and advertised on GitHub as a remote interface for OpenAI Codex. Rather than relying on a disposable typosquat or a package with no real function, the threat actor embedded credential-stealing code into a working project that had active development history and enough apparent legitimacy to attract more than 29,000 weekly downloads.

Security researchers at Aikido Security found that the package quietly extracted Codex authentication data from developer environments and sent it to an attacker-controlled server. The stolen data came from the local Codex authentication file at ~/.codex/auth.json, which can contain access tokens, refresh tokens, ID tokens, and account identifiers. According to the reporting, the exfiltration endpoint used the domain sentry.anyclaw[.]store, a name that appears to mimic Sentry, the legitimate application monitoring and error tracking service.

The most serious issue is the theft of refresh tokens. Access tokens are often short-lived, but refresh tokens can allow continued account access long after the initial login session. In practical terms, a stolen Codex refresh token may give an attacker persistent access to whatever the compromised account can reach. That makes this more than a simple developer workstation compromise. It creates an account-level risk tied to AI-assisted development workflows, local coding sessions, IDE integrations, and any connected services exposed through the same identity.

OpenAI’s own documentation warns that file-based Codex authentication storage should be treated like a password. The auth.json file is sensitive precisely due to the credentials it can hold. If that file is exposed through a malicious package, copied into a ticket, committed to a repository, or captured by endpoint malware, the attacker may inherit the user’s authenticated Codex session.

The malicious code was reportedly introduced about a month after the package first appeared on npm. That timing matters. Attackers increasingly seed legitimate-looking projects first, allow them to gain users, downloads, and trust, and then introduce malicious behavior after the package has already entered developer workflows. This approach is harder to catch than a basic typosquat, since the project can appear clean at first glance and may provide the functionality it claims to offer.

The associated GitHub repository reportedly remained clean, with the malicious functionality placed only in the npm package build. That separation is a recurring software supply chain problem. Developers may inspect the source repository, see nothing obviously malicious, and assume the distributed package matches the published code. In reality, package registry artifacts can differ from the repository content, especially when build steps, generated files, minified scripts, or release automation are involved.
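One way to check whether a published tarball matches its source checkout, shown as an added example that is not code from Aikido or the package author. It assumes the npm convention of packing files under a leading `package/` directory; the helper names and the sample data are constructed.

```python
import hashlib
import io
import tarfile
from pathlib import Path

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def tarball_digests(tgz_bytes):
    """Map path (npm's leading 'package/' stripped) -> sha256 for each file in a .tgz."""
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tf:
        # Member bytes are read in memory only; nothing is extracted to disk.
        return {m.name.split("/", 1)[-1]: sha256(tf.extractfile(m).read())
                for m in tf.getmembers() if m.isfile()}

def load_tree(root):
    """Read a source checkout into {posix relative path: bytes}, skipping .git."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p.read_bytes() for p in root.rglob("*")
            if p.is_file() and ".git" not in p.relative_to(root).parts}

def diff_against_repo(tgz_bytes, repo_files):
    """List files that ship in the package but are absent from, or differ from, the repo."""
    report = {"only_in_package": [], "modified": []}
    for rel, digest in sorted(tarball_digests(tgz_bytes).items()):
        if rel not in repo_files:
            report["only_in_package"].append(rel)
        elif sha256(repo_files[rel]) != digest:
            report["modified"].append(rel)
    return report

def make_tarball(files):
    """Build an npm-style tarball in memory; used only for the constructed sample below."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for rel, data in files.items():
            info = tarfile.TarInfo("package/" + rel)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed sample: the published build adds one file and alters another.
REPO = {"package.json": b'{"name": "demo"}', "src/index.js": b"export const ok = 1;\n"}
PUBLISHED = {**REPO, "dist/server.js": b"/* bundled */", "src/index.js": b"export const ok = 2;\n"}

if __name__ == "__main__":
    print(diff_against_repo(make_tarball(PUBLISHED), REPO))
```

Build output legitimately appears under `only_in_package`, so the report is a reading list for review rather than a verdict; files under `modified` that the build should not touch deserve the first look.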

The campaign also extended beyond npm. Aikido reported that an Android application named OpenClaw Codex Claude AI Agent, published under the package name gptos.intelligence.assistant, ran the npm package inside a PRoot sandbox. On first launch, the app extracted a Termux-derived Linux userland into private app storage, ran Node.js inside that environment, and pulled the current npm version of codexui-android rather than pinning a known-safe version. Once a user signed in to Codex inside the app, the package read the generated auth.json file and sent the OAuth data to the same exfiltration endpoint.

The Android delivery path gave the campaign a much larger reach. The OpenClaw Codex Claude AI Agent app was reported to have more than 50,000 downloads, and a second BrutalStrike-linked Android app named Codex, under the package name codex.app, had more than 10,000 downloads. That means the attack was not limited to developers manually installing a package from npm. It also reached users through mobile apps that wrapped the same malicious workflow inside a seemingly convenient Codex interface.

The package author reportedly gave conflicting public responses after being contacted. Aikido said the author first claimed to have lost access to the npm account, then edited the response to say they were investigating internally and removing affected functionality and related data. The author also claimed that credential data was not shared with third parties, but did not explain why the npm package collected Codex tokens or why the exfiltration code was present in the distributed npm build. The author’s linked X profile also referenced the anyclaw[.]store domain, and WHOIS records showed the domain was registered shortly after the first npm version of the package was uploaded.

For defenders, the immediate priority is containment. Any developer who installed codexui-android or used the related Android apps should assume their Codex credentials may have been exposed. The affected systems should be reviewed for the presence of ~/.codex/auth.json, suspicious outbound traffic to sentry.anyclaw[.]store, and any npm package versions at or after codexui-android 0.1.82, where the exfiltration was reported to be present. Tokens should be revoked and regenerated, account activity should be reviewed, and any connected services that could have been reached through the compromised identity should be checked for unauthorized use.
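The three checks listed above, sketched as an added example rather than tooling from Aikido or OpenAI. It assumes an npm `package-lock.json` (any lockfile version) and plain-text DNS or proxy logs; the function names, lockfile fragment and log lines are constructed, and the host is kept defanged in source and refanged only at runtime.

```python
import json
import re
import stat
from pathlib import Path

PACKAGE = "codexui-android"
FIRST_BAD = (0, 1, 82)  # exfiltration reported at or after 0.1.82
C2_HOST = "sentry.anyclaw[.]store".replace("[.]", ".")  # stored defanged
C2_RE = re.compile(r"(?<![\w-])" + re.escape(C2_HOST) + r"(?!\.?[\w-])", re.I)

def semver(v):
    """'0.1.82-beta.1' -> (0, 1, 82); pre-release tags are ignored, erring toward a flag."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", v or "")
    return tuple(map(int, m.groups())) if m else None

def affected_in_lockfile(lock):
    """Return [(location, version)] for codexui-android >= 0.1.82 in a parsed package-lock.json."""
    hits = []
    def walk(deps, prefix):  # lockfileVersion 1: nested "dependencies" tree
        for name, meta in deps.items():
            hits.append((prefix + name, name, meta.get("version")))
            walk(meta.get("dependencies", {}), prefix + name + "/")
    for path, meta in lock.get("packages", {}).items():  # v2/v3: flat map keyed by install path
        hits.append((path, path.rsplit("node_modules/", 1)[-1], meta.get("version")))
    if "packages" not in lock:  # v2 mirrors the tree in both keys; avoid double counting
        walk(lock.get("dependencies", {}), "")
    return [(loc, v) for loc, name, v in hits
            if name == PACKAGE and (semver(v) or (0,)) >= FIRST_BAD]

def auth_file_status(home):
    """None if ~/.codex/auth.json is absent, else whether group/other have any access."""
    p = Path(home) / ".codex" / "auth.json"
    if not p.is_file():
        return None
    return {"path": str(p), "exposed": bool(stat.S_IMODE(p.stat().st_mode) & 0o077)}

def c2_contacts(log_lines):
    """Return DNS or proxy log lines that name the reported exfiltration host."""
    return [line for line in log_lines if C2_RE.search(line)]

# Constructed lockfile fragment and proxy log lines, not real data.
SAMPLE_LOCK = json.loads("""{"lockfileVersion": 3, "packages": {
  "": {"name": "demo"}, "node_modules/codexui-android": {"version": "0.1.85"},
  "node_modules/a/node_modules/codexui-android": {"version": "0.1.81"}}}""")
SAMPLE_LOGS = ["10:01 CONNECT registry.npmjs.org:443", f"10:02 CONNECT {C2_HOST}:443",
               f"10:03 CONNECT {C2_HOST}.example.test:443"]

if __name__ == "__main__":
    print(affected_in_lockfile(SAMPLE_LOCK), c2_contacts(SAMPLE_LOGS), auth_file_status(Path.home()))
```

File permissions do not stop a package running as the same user from reading `auth.json`, so a present file on a host with an affected version means the tokens need revoking regardless of the `exposed` flag.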


How Can Netizen Help?

Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive-level cybersecurity expertise at a fraction of the cost of hiring internally.

Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.

Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by the U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.

Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.

