GitHub probes breach; TeamPCP claims 4,000 private repos
GitHub is investigating access to internal repositories after an employee device was infected by a malicious Visual Studio Code extension; TeamPCP claims 4,000 repos.
GitHub is investigating unauthorized access to internal repositories after an employee device was compromised by a malicious Visual Studio Code extension. The company said it detected and contained the compromise on Tuesday, removed the malicious extension version, isolated the endpoint and began incident response.
A hacking group calling itself TeamPCP has posted on underground forums claiming it stole data and is offering 4,000 private repositories related to GitHub’s main platform and internal organizations for sale. GitHub has not confirmed the authenticity of the repositories or the full scope of any data taken.
Security researchers describe TeamPCP as an automation-focused actor that converts compromised developer tools into credential-harvesting platforms used for financial gain. According to GitHub’s account of the incident, the infection originated with a poisoned VS Code extension on the employee’s machine.
The disclosure follows two recent incidents affecting developer infrastructure. One day before GitHub’s announcement, an open-source observability company reported a supply-chain attack in which intruders accessed its GitHub repositories, downloaded code and issued a ransom demand. In a separate matter, a critical remote code execution vulnerability tracked as CVE-2026-3854 was publicly disclosed on April 28. Researchers who reported that flaw said it allowed authenticated users on affected nodes to execute arbitrary commands and exposed millions of repositories on those servers. GitHub has been working to address the vulnerability since its disclosure.
Industry figures urged immediate credential hygiene. Binance founder Changpeng Zhao advised developers to check and rotate API keys stored in code, including those in private repositories. GitHub encouraged customers to follow standard security practices such as rotating credentials and reviewing repository access logs.
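The advice above (check for API keys stored in code, then rotate them) is easiest to act on with a scanner that runs over a checked-out repository before any rotation decision is made. The following is an added example, not code from GitHub, GNcrypto or any tool named in the article; the regexes are illustrative assumptions rather than GitHub's own secret-scanning rules, the sample files are constructed, and the AWS value is the placeholder key from AWS's own documentation.

```python
import os
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, int, str, str]  # (path, line_number, rule_name, redacted_match)

# Rules are ordered most-specific first so that a line is reported once, under its
# best rule. Assumed, illustrative patterns: extend for the providers your code uses.
RULES: List[Tuple[str, re.Pattern]] = [
    ("github_pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("generic_secret_assignment", re.compile(
        r"(?i)(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]?"
        r"([A-Za-z0-9_\-/+=]{16,})")),
]

SKIP_DIRS = {".git", "node_modules", "vendor"}


def redact(value: str) -> str:
    """Keep a short prefix only, so a findings report does not re-leak the secret."""
    return value[:4] + "*" * (len(value) - 4)


def scan_text(path: str, text: str) -> List[Finding]:
    """Scan one file's contents line by line; report each line under its first matching rule."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES:
            m = pattern.search(line)
            if m:
                secret = m.group(m.lastindex or 0)  # capture group if the rule has one
                findings.append((path, lineno, rule, redact(secret)))
                break
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan an in-memory mapping of path -> contents (used by the sample below)."""
    findings: List[Finding] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def scan_tree(root: str) -> List[Finding]:
    """Walk a checked-out repository on disk, skipping VCS and dependency directories."""
    findings: List[Finding] = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "r", encoding="utf-8", errors="ignore") as fh:
                    findings.extend(scan_text(os.path.relpath(full, root), fh.read()))
            except OSError:
                continue  # unreadable or special file: skip it
    return findings


# Constructed sample repository. The ghp_ token is a made-up string in the right
# format, not a real credential; AKIAIOSFODNN7EXAMPLE is AWS's documented placeholder.
SAMPLE_REPO: Dict[str, str] = {
    "config/settings.py": (
        "DEBUG = True\n"
        'GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"\n'
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
    ),
    "deploy/run.sh": (
        "#!/bin/sh\n"
        "export DB_PASSWORD=correct-horse-battery-staple-42\n"
        'api_key="$(cat /run/secrets/api_key)"   # read at runtime, not committed: fine\n'
    ),
    "README.md": "Set API_KEY in your environment; never commit it.\n",
}

if __name__ == "__main__":
    import sys
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_files(SAMPLE_REPO)
    for path, lineno, rule, shown in results:
        print(f"{path}:{lineno}: {rule}: {shown}")
    # Non-zero exit lets a pre-commit hook or CI job refuse the commit.
    sys.exit(1 if results else 0)
```

Run it with a repository path to scan a real checkout, or with no arguments to see the three hits in the constructed sample (the runtime-read `api_key` line and the README mention are correctly ignored). Every hit is a credential to rotate, not merely delete: removing a key from the working tree leaves it in history and in any clone, which is why the rotation advice in the article applies even to private repositories.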
GitHub stated it currently has no evidence that customer information stored outside its internal repositories was affected and that it is closely monitoring infrastructure for follow-on activity. The company did not provide a timeline for the investigation or disclose whether law enforcement has been notified. GitHub said it will provide updates as the inquiry progresses.