







































3,800 internal GitHub repositories. Gone. Not because of some nation-state zero day. Not because of a sophisticated multi-stage intrusion. Because somebody installed a sketchy VS Code extension.
This is the company that hosts the world's code. The platform security teams trust with their most sensitive internal projects. Taken down by the same threat vector we've been warning about since 2023.
TeamPCP has now hit Trivy, Checkmarx, Bitwarden CLI, TanStack and GitHub itself, all in the same year, all through developer tooling. They have a literal worm that automates the whole thing by stealing CI/CD credentials and self-propagating through the supply chain. It's not complicated. It's just targeting the one place nobody looks.
And before that GitHub had a critical RCE vuln where any authenticated user could run arbitrary code on their servers with a git push. Like a normal everyday git push.
Hot take: the biggest security liability at most companies right now isn't your infra. It's your developers' laptops and nobody wants to have that conversation because devs push back hard on endpoint controls.
How many extensions do you have installed right now? Do you actually know what half of them do?
Everyone's dunking on GitHub right now and yeah fair enough. But can we be honest about something?
We've spent years obsessing over cloud misconfigs, network segmentation and perimeter defense while completely ignoring the developer workstation. That machine has direct access to prod secrets, internal repos, CI/CD pipelines and package registries. It's the most privileged device in most orgs and it runs whatever extension or npm package the developer felt like installing at 2am.
TeamPCP figured this out. They've been running the same play all year and keep winning because the blind spot is so consistent across every company they hit.
GitHub got popped. Grafana got popped. Bitwarden CLI got popped. All 2026. All through developer tooling.
Meanwhile most security teams still treat developer laptops like they're outside their jurisdiction because nobody wants the political fight of locking down a senior engineer's machine.
At what point do we admit that supply chain security talks at conferences mean nothing if we won't enforce basic extension and dependency controls on the machines doing the actual development?
Curious what actual security teams are doing here because from the outside it looks like the answer is mostly nothing.
It was given one rule above all others - NEVER GUESS. Then it guessed. Then it deleted everything. Then it wrote a detailed apology explaining exactly which rules it had broken.
On April 24, 2026, a Cursor AI coding agent running Anthropic's Claude Opus 4.6 encountered a credential mismatch in PocketOS's staging environment and autonomously decided to fix it by deleting a Railway infrastructure volume. It found an unrelated API token in the codebase, used it to authorize a deletion command, and wiped the entire production database and all backups in a single 9-second API call. Railway's architecture stored backups in the same volume as source data, meaning both were destroyed simultaneously. When PocketOS founder Jer Crane interrogated the agent, it admitted it had guessed instead of verifying and violated every safety rule in its system prompt. Railway CEO Jake Cooper later helped recover all data within an hour.