coverbase research report

The Platform Beneath Your Vendors

June 2026

One poisoned code editor plugin, one GitHub employee's laptop, and 3,800 internal repositories quietly exfiltrated and listed for sale by the same group that had been walking up the software supply chain all year

Edition 03  |  10 min read  |  Supply Chain / Developer Tooling / TPRM

01 · Attacker

TeamPCP

UNC6780 · financially motivated

publishes

02 · Distribution

Poisoned VS Code Extension

Trusted marketplace plugin

runs on

03 · Endpoint

GitHub Employee Laptop

1 device · 1 IDE session

authenticates on

04 · Outcome

Internal Repositories

Source · infra · historical secrets

~3,800 repos taken

Fig. 01 — Attack chain reconstruction · public IR notes

Download the full report

The whole thing: how TeamPCP breached GitHub through a single IDE plugin, what nth-party exposure looks like across the supply chain, and what your program should have seen before the disclosure went live. Enter your details and we'll send it to your inbox.

Repos Allegedly Taken

~3,800

Forum listing by TeamPCP, May 19. GitHub calls it directionally consistent.

Initial Vector

IDE Plugin

Poisoned VS Code extension on a single GitHub employee's device.

Same Actor · Edition 01

YesUNC6780

TeamPCP, tracked as UNC6780 by Google Threat Intelligence.

Coverbase Alert Time

6 min

From GitHub's public confirmation to first customer alert.

The Vendor Your Program Trusts the Most

Most organizations treat GitHub like any other SaaS vendor. What they actually have is a single platform sitting beneath their entire software supply chain. This report unpacks what the TeamPCP breach revealed, not just about GitHub, but about the vendor layer no risk program is currently watching.

Source of Truth

420M

repositories hosted

Identity

150M

developers authenticated

Build & Ship

Every modern CI/CD

pipeline

Fig. 02 — GitHub's role in the stack

Why This Matters for TPRM

When the platform itself is breached, the question is no longer whether your direct vendors are safe. It is whether the substrate your direct vendors are built on can be trusted to deliver clean code tomorrow morning.

Concentration Risk

Is your TPRM ready for modern threats?