GitHub Source Code Breach - TeamPCP Claims Access to Internal Source Code
52 points by mseri
worth remembering GitHub has been source available for ~ages
super polite, you even get the Helm charts for .com despite GHES being Nomad-based
[this is part of how Wiz were able to discover CVE-2026-3854]
Hashi nomad? That’s so cool!
Cool is one way to phrase it 🙈 I certainly don’t miss holding a pager for a GHES instance anyway
Some links you might find fun:
These guys have been responsible for a lot of the recent hacks (Shai-Hulud, Trivy, LiteLLM, Github), and since reporting about these breaches seems to be on-topic I thought people might find this interesting too.
A lot of people here are recovering addicts and ex vendors/dealers, cyber crime is their therapy in a weird way, it keeps them sober, it distracts them from their shitty situations, lets them escape for a while doing something purposeful they're good at, especially when they don't have the qualifications to do it legally.
This seems to be a common refrain among hackers. Phineas Fisher's HackBack comes to mind, where they expressed a very similar sentiment:
Hacking made me feel alive - it started as a way to self-medicate depression. Later I realized I could actually do something positive with it.
I don't exactly mean to compare the two cases, as TeamPCP obviously has very different goals, but it's still interesting to note.
Yeah, the part about not being able to do it legally got to me. Not to apologize for their actions, just that there’s (yet another) inefficiency in our human systems.
Xeet is referenced in this submission: https://lobste.rs/s/ges2gt/github_source_code_breach_teampcp_claims
Why was this a twitter thread and not a blog post?
see https://x.com/github/status/2056949173958906296
We will publish a fuller report once the investigation is complete
Yeah, but it still seems bizarre to post this in a place where not everyone can see it. I get why in the past waiting for details to post on a blog, but it's sure inconvenient to try to follow a twitter thread these days.
nitter.net seems to be struggling. Here's another nitter instance showing the same thread.
Additional info from Twitter: https://nitter.net/xploitrsturtle2/status/2056927898771067006
Sadly, Microsoft probably disclosed this as fast as the bureaucracy could. Someone probably went home feeling very proud for how quickly they moved this through the many management layers, lawyers, etc. And rightfully so. It probably was quite an accomplishment given the baroque system. But this is why such large companies struggle to genuinely serve their customers.