May 22, 2026

GitHub Got Hacked and Google No Longer Needs You to Search

SECURITY

Hacker Group Poisoning Open Source Code at Unprecedented Scale

A single hacker group has pulled off more software supply chain attacks in the last few months than most security researchers see in years — and their latest victim is GitHub itself.

The group, known as TeamPCP, has infected over 500 distinct open source packages across 20 separate attack waves, according to cybersecurity firm Socket. That's not a typo. Five hundred packages. And counting all the different versions of compromised code, the number climbs well past a thousand. For an attack type that used to be a rare, haunting exception in cybersecurity circles, this is an extraordinary volume.

The GitHub breach — confirmed by the company this week — is their most high-profile hit yet. The entry point was almost embarrassingly mundane: a developer at GitHub installed a compromised VSCode extension, a plug-in for a popular code editor. That one poisoned install gave TeamPCP access to roughly 3,800 internal GitHub repositories. The company says the exposed code appears to be its own internal software, not customer data, but the investigation is ongoing.

TeamPCP wasted no time advertising their haul. On BreachForums, the group posted an offer to sell GitHub's source code and internal organization data, claiming to have samples ready for anyone who wants to verify the goods. It reads like a Craigslist listing, if Craigslist listings could destabilize global software infrastructure.

Here's why this matters beyond the GitHub name on the headline: the open source software ecosystem is the invisible foundation under nearly every application you use. When attackers corrupt a tool that thousands of developers trust and install without a second thought, the blast radius is enormous. TeamPCP's playbook is to compromise a legitimate, widely-used tool — think data visualization libraries, code editor extensions, developer utilities — plant malware inside it, and then wait for the infections to spread naturally as developers do what developers do: download and use software.

Ben Read, who leads threat intelligence at cloud security firm Wiz, put it plainly. GitHub may be the biggest name TeamPCP has taken down, but it's not qualitatively different from the roughly 14 breaches the group pulled off the week before. The organizations just weren't famous enough for anyone outside their industry to notice.

Previous victims include OpenAI and data contracting firm Mercor. The pattern suggests TeamPCP isn't going after specific high-value targets with surgical precision — they're casting an extraordinarily wide net and monetizing whatever they catch, whether through extortion or selling access to the highest bidder.

The deeper problem is structural. Open source software runs on trust. Developers share code, build on each other's work, and install packages without auditing every line. That collaborative culture is what makes open source so powerful — and exactly what TeamPCP is exploiting. There's no clean fix here. Better tooling and more scrutiny help, but as long as developers need to move fast and software supply chains remain complex, groups like TeamPCP will keep finding unlocked doors.

For now, the question isn't whether another major company is on TeamPCP's list. It's which one, and when.
Source: Ars Technica
AI

Google's Post-Search Era Arrives with Proactive AI Agents

Google's biggest product announcement at I/O this year wasn't a new phone or a flashy demo. It was a quiet redefinition of what Google actually is — and it has enormous implications for everything from how you find information to whether the open web survives the decade.

The core idea is this: Google is building AI agents that search the internet on your behalf, proactively, without you asking. You don't type a query. You don't even necessarily know it's happening. The AI anticipates what you need and goes looking. In Google's vision of the near future, the act of "googling" something might happen entirely in the background, mediated by a system that decides what's relevant and surfaces a packaged answer.

That's a genuinely radical shift for a company whose entire identity — and roughly $175 billion in annual advertising revenue — has been built on being the place people go when they want to know something. If the AI handles the searching, the traditional search results page, the blue links, the ads sitting above the fold — all of it starts looking like an endangered species.

Google seems aware of the tension and, according to reporting from The Verge's Nilay Patel who attended I/O and spoke with CEO Sundar Pichai, the company is surprisingly confident about where it stands. That confidence is worth interrogating. Google has the data, the infrastructure, and the distribution that most AI competitors can only dream about. Android is on billions of devices. Chrome owns the browser market. Gmail and Google Docs sit at the center of how people work. When Google wants to put an AI agent in front of users, it has more on-ramps than any rival.

But the transition isn't friction-free. If AI agents are doing the browsing, publishers and websites lose traffic. Less traffic means less ad revenue. Less ad revenue means fewer resources to produce the journalism, research, and content that the AI was trained on and continues to pull from. It's a feedback loop that nobody has fully solved, and Google's success in this new era might quietly hollow out the ecosystem it depends on.

There's also a more philosophical question lurking underneath all of this. Search, at its core, has always been about giving people access to information and letting them decide what to do with it. An AI agent that searches for you, filters the results, and delivers a synthesized answer is doing something meaningfully different. It's making judgment calls. It's deciding what matters. That's a lot of editorial power concentrated in a system most users won't examine or question.

None of this means Google is guaranteed to win the AI era — plenty of well-resourced incumbents have fumbled transitions before. But right now, Google is making a clear bet: the future of its business isn't a search box. It's an AI that already knows what you're looking for before you do. Whether that's exciting or unsettling probably depends on how much you trust the company doing the anticipating.
Source: The Verge