GitHub probes breach of internal code repositories following security incident
The developer platform acknowledged that an intruder gained entry to its internal repositories through a compromised code extension, while TeamPCP has taken responsibility for the attack.

On Wednesday, GitHub announced it is investigating unauthorized access to its internal code repositories after an employee's device was compromised.
"At this time, we have not identified any evidence suggesting that customer data housed outside of GitHub's internal repositories has been affected, though we continue to actively monitor our infrastructure for any subsequent malicious activity," the development platform stated in an official announcement.
In a follow-up statement, GitHub disclosed that on Tuesday it identified and mitigated a compromise of an employee's device involving a malicious VS Code extension. "We promptly removed the harmful extension version, quarantined the affected endpoint, and initiated our incident response protocols without delay," the company elaborated.
As the premier platform for software developers worldwide, GitHub hosts countless open source projects and code repositories on its infrastructure for millions of users.
TeamPCP claims responsibility
Concurrently, a cybercriminal group known as TeamPCP has claimed responsibility for the breach and has attempted to sell the stolen GitHub data on underground markets, asserting possession of "4,000 repos of private code" associated with GitHub's core platform and various internal organizations.
According to SecurityWeek's reporting, TeamPCP is a highly sophisticated, automation-focused hacking collective that turns compromised development tools into credential-harvesting systems for financial gain.
"If you have API keys in your code, even private repos, now is the time to double-check and change them," Binance founder Changpeng Zhao said.
This incident emerged just one day after Grafana Labs announced on Tuesday that the open-source observability company had fallen victim to a supply-chain attack in which threat actors gained access to its GitHub repositories and exfiltrated its source code.
The perpetrators behind the Grafana attack issued ransom demands while threatening to expose the stolen data, though the company chose not to comply with their demands.
The breach also came shortly after the April 28 public disclosure of a critical remote code execution flaw, CVE-2026-3854, which allowed authenticated users to run arbitrary commands on GitHub's server infrastructure.
At the time of discovery, Wiz Research, the security firm that identified the critical vulnerability, revealed that millions of both public and private repositories owned by various users and organizations were potentially accessible on the compromised nodes.