


In this episode of Bad Dependencies, we analyze the reported leak of GitHub's source code and the sale of thousands of its repositories. We map out the chain of events leading up to the incident, including recent compromises of a Visual Studio Code extension and a PyPI package. The discussion covers the tactics of the threat actor group Team PCP, the practical limitations of rapid credential rotation at scale, and why implementing a cooldown period for dependency updates can help safeguard your development pipeline. -- This episode is sponsored by Aikido Security: Protect your developer environments from supply chain attacks with Aikido Device Security. Learn more at aikido.dev/protect/device-protection.
By Mackenzie Jackson