Security Intelligence
The Security Dispatch
GitHub Confirms Internal Breach: TeamPCP Exfiltrates ~3,800 Repositories via Poisoned VS Code Extension
A single malicious developer plugin installed on one employee’s workstation was enough to hand a sophisticated supply-chain threat actor the keys to GitHub’s internal codebase — including Copilot, Enterprise Server, and Red Team repositories.
At a Glance
- Threat actor TeamPCP (tracked by Google as UNC6780) has claimed responsibility for the breach
- Approximately 3,800 internal GitHub repositories exfiltrated — GitHub calls the figure “directionally consistent”
- Attack vector: a poisoned VS Code extension installed by one GitHub employee
- No evidence of impact on customer repositories, enterprises, or organizations — as of initial investigation
- GitHub has isolated the device, removed the extension, and rotated all high-impact credentials
- Data is now listed for sale on underground forums at prices ranging from $50,000 to $95,000; TeamPCP threatens to leak it if no buyer emerges
What Happened
GitHub, the world’s largest code hosting platform owned by Microsoft, confirmed on May 20, 2026 that it had suffered a significant internal security breach. The company disclosed that a threat actor gained unauthorized access to its internal source code repositories after a GitHub employee installed a compromised Visual Studio Code (VS Code) extension downloaded directly from the official VS Code Marketplace.
The attack was detected on May 19, 2026. In a statement on X (formerly Twitter), GitHub said: “Yesterday we detected and contained a compromise of an employee device involving a poisoned VS Code extension. We removed the malicious extension version, isolated the endpoint, and began rotating high-impact credentials.”
The breach allowed the attacker to exfiltrate roughly 3,800 internal code repositories — a massive chunk of GitHub’s private codebase. GitHub’s official assessment noted that the attacker’s own claims of approximately 3,800 repositories are “directionally consistent” with findings from its ongoing investigation.
Who Is Behind It: TeamPCP
The hacking group TeamPCP, also tracked by Google Threat Intelligence Group under the designation UNC6780, has claimed responsibility for the operation. The group is a financially motivated cybercrime collective specializing in supply chain attacks targeting developer tooling and CI/CD infrastructure.
TeamPCP has an extensive and accelerating track record in 2026 alone, having previously compromised tools and organizations including Trivy (via CVE-2026-33634, affecting over 1,000 organizations including Cisco), Checkmarx, Bitwarden CLI, TanStack, and others — all through developer-side tooling. The group also open-sourced its own worm, known as Shai-Hulud, in May 2026, effectively lowering the barrier for copycat attacks.
“Developer workstations are the number one target in supply chain attacks right now… A single VS Code extension on one employee’s machine was enough to get access to 3,800 internal GitHub repositories.”
— Mackenzie Jackson, Developer Relations, Aikido Security
Reports also indicate that LAPSUS$, the notorious cybercrime group, has teamed up with TeamPCP for a joint sale of the stolen data, listing it at $95,000. TeamPCP has been explicit that this is a direct sale rather than an extortion scheme, stating: “No ransom, we do not care about extorting GitHub. If no buyer is found, we leak for free.”
What Was Stolen
Based on file directories and screenshots released by the hackers, the stolen repositories span multiple critical functions of the GitHub platform. Known compromised areas include:
Partial list of exfiltrated archive filenames:
- raycast-github-copilot.tar.gz
- chiedo-copilot-cli-skills.tar.gz
- github-enterprise-server-release-notifier.tar.gz
- github-security-risk-reporting.tar.gz
- red-team.tar.gz
- github-ui-xss-hardening-research.tar.gz
- github-india.tar.gz
- repo-custom-claims-chatops.tar.gz
According to security researcher Rakesh Krishnan, the leaked repositories relate to GitHub Actions, agentic workflows, Copilot internal projects, CodeQL tools, internal infrastructure, and security tooling. The presence of github-ui-xss-hardening-research.tar.gz is particularly notable, as it suggests exposure of internal vulnerability mitigation research.
How the Attack Worked
The attack followed a supply chain pattern increasingly favored by TeamPCP: compromising a developer tool and using it as the initial access vector. The specific VS Code extension involved has not been publicly named by GitHub. Once installed, the malicious extension silently harvested credentials from the employee’s environment, granting the attackers authenticated access to internal GitHub systems.
This method is consistent with the group’s broader Shai-Hulud worm campaign, which propagates by stealing tokens from infected environments and using them to pivot deeper into target infrastructure. Because the malicious code executes automatically at import with no visible error messages, detection is extremely difficult without dedicated security tooling.
Just one day prior to the GitHub breach, the Nx Console VS Code extension — with 2.2 million installs and verified publisher status — was briefly backdoored in a separate incident, underscoring how the official VS Code Marketplace has become a major unmonitored attack surface in 2026.
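The mechanism above comes down to an unreviewed extension running on a developer workstation. As an added example that is not part of this article, the following Python script audits a VS Code extensions directory (VS Code's real layout is one folder per extension named publisher.name-version containing a package.json) against an organizational allowlist, flagging extensions that are not on the list, whose version drifted from the pinned one, or that activate at startup without any user action; the allowlist entries and the sample extension folders are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

# Constructed allowlist: extensions the organization has reviewed, pinned by
# publisher.name -> version. A real list comes from the org's review process.
ALLOWED = {
    "ms-python.python": "2026.4.0",
    "github.copilot": "1.300.0",
}

# Activation events that make an extension run as soon as VS Code starts,
# i.e. with no user action. Not malicious by itself, but worth reviewing.
STARTUP_EVENTS = {"*", "onStartupFinished"}


def audit_extensions(ext_dir):
    """Walk <ext_dir>/<publisher>.<name>-<version>/package.json, return findings."""
    findings = []
    for pkg in sorted(Path(ext_dir).glob("*/package.json")):
        meta = json.loads(pkg.read_text())
        ident = f"{meta.get('publisher', '?')}.{meta.get('name', '?')}".lower()
        version = meta.get("version", "?")
        events = set(meta.get("activationEvents", []))
        if ident not in ALLOWED:
            findings.append((ident, version, "not on allowlist"))
        elif ALLOWED[ident] != version:
            findings.append((ident, version, f"version drift from pinned {ALLOWED[ident]}"))
        if events & STARTUP_EVENTS:
            findings.append((ident, version, "activates at startup"))
    return findings


def build_sample_tree(root):
    """Constructed sample extension folders (not real Marketplace data)."""
    samples = [
        ("ms-python", "python", "2026.4.0", ["onLanguage:python"]),
        ("github", "copilot", "1.301.0", ["onStartupFinished"]),
        ("someone", "helper-tools", "0.0.3", ["*"]),
    ]
    for publisher, name, version, events in samples:
        d = Path(root) / f"{publisher}.{name}-{version}"
        d.mkdir(parents=True)
        (d / "package.json").write_text(json.dumps({
            "publisher": publisher, "name": name,
            "version": version, "activationEvents": events}))
    return root


def run_sample_audit():
    """Build the constructed tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_extensions(build_sample_tree(tmp))


if __name__ == "__main__":
    for finding in run_sample_audit():
        print(finding)
```

Point audit_extensions at ~/.vscode/extensions to run it on a real workstation; the findings are review prompts, not verdicts.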
Incident Response Timeline
May 19, 2026 — Detection
GitHub detects unauthorized access to internal repositories. Initial investigation begins immediately.
May 19, 2026 — Containment
The malicious VS Code extension is removed from the Marketplace. The compromised employee endpoint is isolated.
May 19–20, 2026 — Credential Rotation
GitHub spends the night rotating all high-impact credentials, cryptographic keys, and access tokens to revoke attacker access.
May 20, 2026 — Public Disclosure
GitHub publishes a security notice confirming the breach, acknowledging ~3,800 repositories were exfiltrated, and stating no customer data outside internal repos appears to be affected.
Ongoing — Log Analysis
GitHub continues analyzing logs for follow-on worm activity and promises to release a full security investigation report.
Impact on Customers
GitHub has been careful to distinguish between its internal repositories and customer data. In its statement, the company said: “We currently have no evidence of impact to customer information stored outside of GitHub’s internal repositories (such as our customers’ enterprises, organizations, and repositories).” However, the company has cautioned that as the investigation is still ongoing, this assessment could change.
Security teams across the industry are urging developers to rotate any active API keys and secrets stored within private repositories as a precautionary measure, given the scope of the internal data exposed.
Broader Implications
The GitHub breach is a landmark event in what has become a sustained campaign against developer infrastructure in 2026. TeamPCP has now successfully compromised some of the most trusted tools in the software supply chain — Trivy, Checkmarx, Bitwarden CLI, TanStack, and now GitHub itself — all through the same attack surface: developer workstations and the tooling that runs on them.
The security lesson, as one analyst put it, is stark: “The security perimeter does not end at the datacenter door — it ends on the developer’s laptop.” As long as the VS Code Marketplace and similar extension ecosystems lack rigorous, real-time code review and integrity verification, this attack surface will remain wide open.
GitHub has committed to publishing a detailed security investigation report to share its findings and help the broader community learn from the incident.
