A hacker group is poisoning open source code at an unprecedented scale
Scored daily by a customisable AI persona to surface the most relevant engineering leadership news.
Open-source supply chain attack is highly relevant, actionable, and timely.
TeamPCP has automated supply chain attacks using a self-spreading worm (Mini Shai-Hulud), poisoning over 500 open source tools. They breached GitHub via a poisoned VSCode extension, accessing 3,800 repos of GitHub's own code. The group cycles through developer tools, having also hit OpenAI and Mercor, exploiting a flywheel of credential theft.
- Harden your software supply chain with strict dependency pinning, signature verification, and runtime monitoring for unauthorized code changes.
For a Solutions Architect building on open source and cloud, this signals an urgent need to enforce supply chain security—trusted tools like VSCode extensions and CI/CD pipelines are now attack vectors.
WIRED — Wired.com is your essential daily guide to what's next, delivering the most original and complete take you'll find anywhere on innovation's impact on technology, science, business and culture. Wired.com's award-winning news reporting...