UPDATE: TeamPCP / Mini Shai-Hulud campaign — GitHub itself breached (~3,800 internal repos via poisoned VS Code extension), Microsoft `durabletask` PyPI worm propagates via AWS SSM and `kubectl exec`, Grafana confirms missed-token-rotation root cause

UPDATE (originally covered 2026-05-13 deep dive; multiple subsequent updates): three new TeamPCP / Mini Shai-Hulud developments landed in this window — GitHub itself, the official Microsoft durabletask PyPI package, and the Grafana Labs root-cause disclosure.

GitHub. GitHub confirmed on 2026-05-20 that TeamPCP (also tracked as UNC6780) accessed approximately 3,800 internal GitHub repositories after a single GitHub employee installed a poisoned Visual Studio Code extension on their device (The Hacker News, 2026-05-20; The Record, 2026-05-20; Infosecurity Magazine, 2026-05-20; Help Net Security, 2026-05-20). GitHub detected and contained the breach on 2026-05-19, isolated the affected endpoint and rotated high-impact secrets; the company states there is no evidence customer data stored outside the internal repositories was accessed. GitHub has not publicly named the malicious VS Code extension or its publisher at this writing. TeamPCP listed the stolen repositories — including GitHub Actions internals, agentic-workflow code, Copilot internal projects, CodeQL tools, Codespaces, Dependabot, and a Rails controller managing organisations and PRs — for sale at $50,000, with LAPSUS$ announcing a joint sale and a $95,000 asking price.

durabletask (PyPI). Wiz Security reported on 2026-05-20 that the TeamPCP / Mini Shai-Hulud worm compromised the official Microsoft durabletask PyPI package via versions 1.4.1, 1.4.2 and 1.4.3 (Wiz, 2026-05-20). The payload is a dropper that fetches rope.pyz from check.git-service[.]com; per Wiz the second stage is a full credential stealer targeting AWS, Azure, GCP, Kubernetes and Vault credentials, 1Password and Bitwarden vaults, filesystem credentials and shell history. Propagation per Wiz: on Kubernetes hosts the worm uses kubectl exec; on AWS EC2 instances it propagates via AWS Systems Manager SendCommand against up to 5 targets per host (T1078.004 Cloud Accounts, T1570 Lateral Tool Transfer).

Grafana Labs. Grafana Labs published the post-mortem of its own TeamPCP breach on 2026-05-19, confirming the root cause was a single GitHub Actions workflow token that slipped through the rotation process after the TanStack npm supply-chain attack (Grafana Labs, 2026-05-19; BleepingComputer, 2026-05-20). Per Grafana's own post-mortem the TanStack compromise was detected on 2026-05-11 (note: BleepingComputer cites 2026-05-01 for the malicious-package consumption event — surfaced as a contradiction in § 7); Grafana rotated the bulk of its GitHub workflow tokens, but the residual unrotated token gave TeamPCP access to clone private source-code repositories (exact count not disclosed in Grafana's post-mortem). Grafana refused the extortion demand on 2026-05-16. The exfiltration scope is confirmed limited to Grafana Labs GitHub repositories (public source code, private source code and internal repos); customer production data was not affected.