The Platform Beneath Your Vendors
June 2026
One poisoned code editor plugin, one GitHub employee's laptop, and 3,800 internal repositories quietly exfiltrated and listed for sale by the same group that had been walking up the software supply chain all year
Edition 03 | 10 min read | Supply Chain / Developer Tooling / TPRM
01 · Attacker
TeamPCP
UNC6780 · financially motivated
02 · Distribution
Poisoned VS Code Extension
Trusted marketplace plugin
03 · Endpoint
GitHub Employee Laptop
1 device · 1 IDE session
04 · Outcome
Internal Repositories
Source · infra · historical secrets
Fig. 01 — Attack chain reconstruction · public IR notes

Download the full report
The whole thing: how TeamPCP breached GitHub through a single IDE plugin, what nth-party exposure looks like across the supply chain, and what your program should have seen before the disclosure went live. Enter your details and we'll send it to your inbox.
executive summary
GitHub is inside 9 out of 10 vendor stacks. Most programs have a SOC 2 on file and nothing else. When TeamPCP planted a malicious VS Code extension on a single employee's laptop and walked out with roughly 3,800 internal repositories, the breach did not come through a vulnerability anyone was watching.
Drawing on Coverbase platform data and the full TeamPCP campaign timeline across 2026, this briefing breaks down how the attack unfolded, what nth-party exposure looks like for every organization running on GitHub, and what a monitoring program would have seen before the disclosure post went live.
Repos Allegedly Taken
Forum listing by TeamPCP, May 19. GitHub calls it directionally consistent.
Initial Vector
Poisoned VS Code extension on a single GitHub employee's device.
Same Actor · Edition 01
TeamPCP, tracked as UNC6780 by Google Threat Intelligence.
Coverbase Alert Time
From GitHub's public confirmation to first customer alert.
The Vendor Your Program Trusts the Most
Most organizations treat GitHub like any other SaaS vendor. What they actually have is a single platform sitting beneath their entire software supply chain. This report unpacks what the TeamPCP breach revealed, not just about GitHub, but about the vendor layer no risk program is currently watching.
Source of Truth
420M
repositories hosted
Identity
150M
developers authenticated
Build & Ship
Every modern CI/CD
pipeline
Source of Truth
420M
repositories hosted
Identity
150M
developers authenticated
Build & Ship
Every
modern CI/CD pipeline
Fig. 02 — GitHub's role in the stack
Why This Matters for TPRM
When the platform itself is breached, the question is no longer whether your direct vendors are safe. It is whether the substrate your direct vendors are built on can be trusted to deliver clean code tomorrow morning.

Is your TPRM ready for modern threats?