GitHub confirms ~3,800 internal repos breached via poisoned VS Code extension. TeamPCP (UNC6780) sells stolen source code for $50,000

Continue reading
GitHub is investigating a breach of its internal repositories after the TeamPCP hacker group claimed to have accessed approximately 4,000 repositories containing private code.
The company confirmed on May 20, 2026, that hackers compromised an employee's device using a poisoned VS Code extension, gaining unauthorized access to approximately 3,800 internal repositories.
Threat group TeamPCP claimed credit for the exfiltration on cybercrime forums, offering the data for $50,000. GitHub confirmed there is no evidence of exposure or secondary impact hitting customer data or enterprise accounts.
GitHub's cloud-based development platform is used by more than 4 million organisations — including 90% of the Fortune 100 — and over 180 million developers who contribute to more than 420 million code repositories. A breach of GitHub's own internal source code therefore carries consequences that extend far beyond the immediate incident — every proprietary architecture decision, security implementation pattern, and internal API design potentially now sits in the hands of a threat actor actively soliciting buyers.
May 19, 2026 — Initial Public Disclosure
Following the circulation of TeamPCP's claims, GitHub publicly confirmed an ongoing investigation into the matter. In a statement released via X, the company acknowledged the unauthorized access but sought to reassure users regarding the safety of customer data.
GitHub's statement read: _"We are investigating unauthorized access to GitHub's internal repositories. While we currently have no evidence of impact to customer information stored outside of GitHub's internal repositories (such as our customers' enterprises, organizations, and repositories), we are closely monitoring our infrastructure for follow-on activity."_
May 20, 2026 — Attack Vector Confirmed
GitHub confirmed the timeline directly in a public thread: _"Yesterday we detected and contained a compromise of an employee device involving a poisoned VS Code extension. We removed the malicious extension version, isolated the endpoint, and began incident response immediately."_
Post-Detection — Active Containment
GitHub said it rotated critical keys _"yesterday and overnight"_ and is still checking logs, validating key rotations and watching for further activity.
The entry mechanism here is technically significant and warrants close examination. Rather than exploiting a perimeter vulnerability or leveraging supply-chain token theft, the attack vector was deceptively simple: a threat actor embedded malware inside a VS Code extension, a GitHub employee installed the poisoned version, and from there the attacker gained access to the employee's device and began exfiltrating data from internal repositories.
The attacker compromised a GitHub account via a previous attack, dumped GitHub secrets from a repository to which the user had access, and from there had access to further internal infrastructure. This multi-stage pivot — device compromise → secrets dump → internal repository access — is a textbook island-hopping lateral movement pattern, where each compromised resource becomes the stepping stone to the next.
The VS Code extension marketplace — which GitHub's parent company Microsoft operates — becomes a critical attack surface in this context. A developer installing an extension from a seemingly legitimate publisher has no viable mechanism to detect a maliciously injected version without active secret scanning or behavioural endpoint monitoring.
TeamPCP has since claimed responsibility on underground cybercrime forums. The group alleges it obtained data from roughly 4,000 private repositories, including proprietary platform source code and internal organization files, and is reportedly attempting to sell the dataset for over $50,000.
GitHub assessed that the attacker's claim of approximately 3,800 repositories is _"directionally consistent"_ with its investigation findings so far. This unusual degree of self-corroboration — where the victim's own investigation validates the attacker's claimed scope — significantly elevates the credibility of the breach beyond an unverified forum posting.
What is explicitly being sold, per the forum listing:
TeamPCP claimed access to _"GitHub's source code and internal orgs"_ on the Breached hacking forum, asking for at least $50,000 — stating: _"No low ball offers will be accepted, everything for the main platform is there and I am very happy to send samples to interested buyers to verify the absolute authenticity. There is a total of around ~4,000 repos of private code here."_
Notably, the post explicitly frames this as non-extortion: _"As always this is not a ransom. We do not care about extorting GitHub, 1 buyer and we shred the data on our end, it looks like our retirement is soon so if no buyer is found we will leak it free."_
Proof of Claim Published:
To validate their claims, TeamPCP published a public file list and screenshots displaying numerous repository archive names. The group stated its willingness to provide data samples to serious buyers to prove authenticity.
TeamPCP, tracked as UNC6780 by the Google Threat Intelligence Group, is a financially motivated threat actor known for executing sophisticated supply chain attacks. The group has demonstrated advanced capabilities in exploiting CI/CD pipelines, leveraging stolen credentials, and abusing privileged access tokens to infiltrate development environments.
2026 Campaign Track Record
Earlier in 2026, the group successfully compromised several major security and development tools. Via CVE-2026-33634, the Trivy Vulnerability Scanner was exploited, leading to the breach of over 1,000 organizations including Cisco. Checkmarx and LiteLLM were targeted in a high-velocity campaign aimed at credential harvesting within CI/CD pipelines. The group also leaked the source code for their own Shai-Hulud malware directly onto GitHub using compromised accounts.
Ongoing Mini Shai-Hulud Campaign
TeamPCP's self-replicating malware campaign, known as Mini Shai-Hulud, continues to expand in reach with the compromise of `durabletask` — an official Microsoft Python client for the Durable Task workflow execution framework. Three malicious package versions have been identified: 1.4.1, 1.4.2, and 1.4.3.
TeamPCP's Own Statement Post-Breach
An X account linked to TeamPCP, xploitrsturtle2, stated: _"GitHub knew for hours, they delayed telling you and they won't be honest in the future. What an amazing run, it's been an honor to play around with the cats over the past few months."_
The phrase "past few months" implies a prolonged period of access or reconnaissance prior to the exfiltration event — a detail that neither GitHub nor any investigative body has yet formally addressed.
The security breach response moved on multiple fronts simultaneously. GitHub rotated critical secrets on the same day as detection, prioritizing the highest-impact credentials first.
The security team isolated the affected endpoint immediately. Analysts are continuously examining logs for any follow-on activity. Additionally, the marketplace removed the malicious VS Code extension version from circulation. GitHub committed to publishing a fuller report once the investigation is complete, pledging to notify customers through established incident response channels if any customer impact is discovered.
This breach does not arrive in isolation. In early March 2026, GitHub patched a critical remote code execution vulnerability — CVE-2026-3854 — that could have allowed attackers to access millions of private repositories.
The flaw was reported by researchers at cybersecurity firm Wiz through GitHub's bug bounty program. GitHub's CISO Alexis Wales said the security team reproduced and confirmed the vulnerability within 40 minutes and deployed a fix to GitHub.com less than two hours after receiving the report.
The March RCE patch and the May device-compromise breach, taken together, outline a platform under sustained, sophisticated pressure in 2026 — from both external bug hunters and active threat actors with established CI/CD infiltration capabilities.

U.S. Army recruiting pages hijacked to display fake 404 errors reading ‘Kurdistan’, exploiting a third-party tool and exposing .mil web security gaps.