Supply Chain | May 20, 2026

GitHub Breach: TeamPCP Steals 3,800 Repositories via VS Code Extension

TeamPCP steals 3,800 GitHub repositories via poisoned VS Code extension, demands $95K

Summary

GitHub discovered a breach on May 19, 2026, in which the financially motivated TeamPCP group (tracked by Google Threat Intelligence as UNC6780) compromised a developer's corporate device through a malicious VS Code extension and exfiltrated approximately 3,800 internal repositories. The threat actors are now selling the stolen code on a cybercrime forum for $95,000 and warn they will leak it publicly if no buyer emerges. GitHub has isolated the device, removed the extension and rotated high-impact credentials and keys, and says it has found no evidence that customer data was accessed. This is the fifth high-profile target hit by TeamPCP this year; researchers at Aikido Security attribute the group's developer-tooling supply chain campaign to the self-replicating Mini Shai-Hulud infostealer worm, which harvests CI/CD credentials, cloud access keys and personal access tokens.

Full text

by Deeba Ahmed, May 20, 2026

GitHub is the newest target of a data breach in which members of the TeamPCP cybercrime group bypassed its defences to reach internal systems and steal proprietary source code. The widely used software hosting platform detected the breach on Tuesday, 19 May 2026.

The initial investigation suggests that the attackers compromised a corporate device belonging to one of GitHub's developers; the entry point was an as-yet-unnamed poisoned extension for Microsoft Visual Studio Code (VS Code), a popular code editor. The device compromise allowed the attackers to exfiltrate around 3,800 internal code repositories, meaning a large part of GitHub's private codebase is now in adversaries' hands.

GitHub published a technical update on X on 20 May 2026 laying out its incident response: it has isolated the infected device, removed the malicious VS Code extension, and spent the night rotating high-impact credentials and cryptographic keys to revoke the threat actors' access.

GitHub on X (Image credit: Hackread.com)

TeamPCP Strikes Again

TeamPCP, a financially motivated cybercrime group tracked by Google Threat Intelligence as UNC6780, has claimed responsibility for the intrusion. An X account reportedly linked to the group, using the handle xploitrsturtle2, taunted GitHub for delaying the public announcement of the incident. As seen by Hackread.com, TeamPCP has listed GitHub's stolen source code and internal organisation data for sale on a cybercrime forum with an initial asking price of over $95,000.
In their forum post, TeamPCP specified that this is a direct data sale rather than a traditional ransomware extortion scheme, and warned that if a single buyer does not materialise, they will leak the repository archive names and files publicly for free.

TeamPCP on a partner forum announcing GitHub data breach claims (Image credit: Hackread.com)

An Unsettling Year for Developers

This is the fifth time this year that TeamPCP has successfully hit a prominent firm. Hackread.com has been tracking the group's growing preference for supply chain attacks, especially against developer tooling; its earlier victims this year include Checkmarx, Bitwarden CLI, and TanStack.

Researchers at Aikido Security say TeamPCP automates its campaigns with a self-replicating infostealer worm known as Mini Shai-Hulud, built to harvest continuous integration and continuous delivery (CI/CD) credentials, cloud access keys, and personal access tokens (PATs) from developer environments. Once it has captured valid tokens, it uses them to publish infected versions of other software packages, such as durabletask, Microsoft's official Python client package.

In its latest update, GitHub emphasised that the breach affected only its internal repositories. It also says it has found no evidence that customer data or infrastructure outside its internal networks was accessed or compromised, but it is still monitoring its infrastructure for follow-on activity and continuing its investigation.

This is a developing situation, and we will publish an update as soon as the company shares more details.

Experts' Perspectives

Speaking on the incident, security experts shared their analysis with Hackread.com.
Charlie Eriksen, Security Researcher at Aikido Security, commented on the technical exposure of VS Code extensions and on a separate, largely unreported incident the day before:

“The thing people underestimate about VS Code extensions is that they have full access to everything on the developer's machine. Credentials, cloud keys, SSH keys, all of it. The day before the GitHub breach was disclosed, a completely separate extension called Nx Console, with 2.2 million installs, was also briefly backdoored. The community caught that one in 11 minutes, which sounds fast until you realise how many machines auto-update in that window.

“GitHub still hasn't named the extension used in their breach, and blocking something malicious always depends on it being identified first. EDR doesn't cover this layer at all. What's missing for most organisations is any kind of visibility into what's actually running on developer machines and the ability to control it.”

Mackenzie Jackson, Developer Relations at Aikido Security, explained why developer workstations are the number one target right now and what security teams are still consistently missing:

“Developer workstations are the number one target in supply chain attacks right now, and this is exactly why. TeamPCP has compromised Trivy, Checkmarx, Bitwarden CLI, TanStack, and now GitHub, all in 2026, all through developer tooling.

“A single VS Code extension on one employee's machine was enough to get access to 3,800 internal GitHub repositories. Most security teams still have zero visibility into what extensions or packages are on their developers' machines, or how recently they were published. That's the blind spot these attacks keep walking through,” Mackenzie emphasised.
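Both experts point at the same gap: nobody knows which extensions are on a developer machine, when they arrived, or whether a just-pulled backdoor auto-updated onto them in the minutes it was live. As an added example (not GitHub's, Aikido's or VS Code's code) of closing that gap, the script below reads the inventory VS Code keeps in `~/.vscode/extensions/extensions.json`, flags extensions that are not on an organisation allowlist or were installed within the last week, and emits the `settings.json` fragment that enforces the allowlist and turns off auto-update. The `extensions.json` layout, the allowlist, the timestamps and every extension ID except `ms-python.python` are assumptions; verify the `extensions.allowed` and `extensions.autoUpdate` setting semantics against the VS Code documentation for the release you deploy.

```python
"""Audit installed VS Code extensions against an allowlist.

Added example, not GitHub's or Aikido's code. It assumes the layout VS Code
uses for ~/.vscode/extensions/extensions.json: a JSON array in which each entry
carries "identifier": {"id": "<publisher>.<name>"}, "version" and
"metadata": {"installedTimestamp": <milliseconds since the Unix epoch>}.
That file is an undocumented implementation detail, so the parser tolerates
missing fields instead of assuming them.
"""
import json

# Constructed sample of extensions.json (not a real inventory). Every ID
# except ms-python.python is hypothetical.
SAMPLE_EXTENSIONS_JSON = json.dumps([
    {"identifier": {"id": "ms-python.python"}, "version": "2026.4.0",
     "metadata": {"installedTimestamp": 1700000000000}},
    {"identifier": {"id": "example-corp.internal-tools"}, "version": "3.1.0",
     "metadata": {"installedTimestamp": 1779000000000}},
    {"identifier": {"id": "unknown-publisher.helper"}, "version": "0.0.1",
     "metadata": {"installedTimestamp": 1779000000000}},
])

# Hypothetical organisation allowlist: publisher.name -> pinned version or "*".
ALLOWLIST = {
    "ms-python.python": "*",
    "example-corp.internal-tools": "3.1.0",
}

MS_PER_DAY = 86_400_000


def parse_inventory(raw_json):
    """Return a list of (id, version, installed_ms) from extensions.json text."""
    entries = []
    for item in json.loads(raw_json):
        ext_id = item.get("identifier", {}).get("id")
        if not ext_id:
            continue  # tolerate a malformed entry rather than abort the audit
        version = item.get("version", "unknown")
        installed = item.get("metadata", {}).get("installedTimestamp")
        entries.append((ext_id.lower(), version, installed))
    return entries


def audit_extensions(raw_json, allowlist, now_ms, recent_days=7):
    """Classify each installed extension.

    Returns a dict with three lists of extension IDs:
      not_allowed        - absent from the allowlist, or not the pinned version
      recently_installed - allowlisted but installed within recent_days
      ok                 - allowlisted and not recent
    Recent installs matter because a backdoored release that is pulled within
    minutes still lands on every machine that auto-updated in that window.
    """
    result = {"not_allowed": [], "recently_installed": [], "ok": []}
    allow = {k.lower(): v for k, v in allowlist.items()}
    for ext_id, version, installed in parse_inventory(raw_json):
        pinned = allow.get(ext_id)
        if pinned is None or (pinned != "*" and pinned != version):
            result["not_allowed"].append(ext_id)
        elif installed is not None and now_ms - installed < recent_days * MS_PER_DAY:
            result["recently_installed"].append(ext_id)
        else:
            result["ok"].append(ext_id)
    return result


def allowed_extensions_setting(allowlist):
    """Emit a settings.json fragment that enforces the allowlist.

    Assumption: the "extensions.allowed" setting of recent VS Code releases
    accepts true (any version) or a list of permitted versions per extension,
    and "extensions.autoUpdate": false stops updates landing without review.
    Confirm both against the VS Code docs for your version before deploying.
    """
    allowed = {ext_id: (True if ver == "*" else [ver]) for ext_id, ver in allowlist.items()}
    return {"extensions.allowed": allowed, "extensions.autoUpdate": False}


if __name__ == "__main__":
    # 1779100000000 is a hypothetical "now" a little over a day after the
    # two recent installs in the sample.
    print(json.dumps(audit_extensions(SAMPLE_EXTENSIONS_JSON, ALLOWLIST, 1779100000000), indent=2))
    print(json.dumps(allowed_extensions_setting(ALLOWLIST), indent=2))
```

On a real machine replace `SAMPLE_EXTENSIONS_JSON` with the contents of the user's `extensions.json` and run it from a fleet-management job; the `not_allowed` list is the thing to act on, and the `recently_installed` list is the set to re-check whenever a marketplace incident like the one described above is disclosed.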
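The Mini Shai-Hulud description above lists what such a worm harvests from a developer environment (CI/CD credentials, cloud access keys, personal access tokens), and GitHub's first response was to rotate high-impact credentials. As an added example (not GitHub's or Aikido's code) of scoping that rotation after a workstation compromise, the script below scans environment variables and the usual credential files for the publicly documented token prefixes and groups the hits into a rotation plan. The file paths, every sample value and the token-length bounds are constructed for illustration; the AWS values are the example credentials from AWS's own documentation, not live keys.

```python
"""Find developer credentials an extension-delivered infostealer could harvest,
so the post-compromise rotation list is complete rather than guessed.

Added example, not GitHub's or Aikido's code. The patterns use the documented
prefixes for GitHub personal access tokens (ghp_, github_pat_), AWS access key
IDs (AKIA) and npm tokens (npm_); the length bounds are assumptions that
approximate the documented formats. Only the env mapping and file contents
passed in are scanned, so it runs on constructed data without touching a host.
"""
import re

TOKEN_PATTERNS = {
    "github_pat_classic": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "github_pat_fine_grained": re.compile(r"\bgithub_pat_[A-Za-z0-9_]{82}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "npm_token": re.compile(r"\bnpm_[A-Za-z0-9]{36}\b"),
}

# Files an infostealer typically reads on a developer machine. The paths are
# the conventional ones; the contents are constructed, not captured.
SAMPLE_FILES = {
    "~/.npmrc": "//registry.npmjs.org/:_authToken=npm_abcdefghijklmnopqrstuvwxyz0123456789\n",
    "~/.aws/credentials": "[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
                          "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
    "~/.git-credentials": "https://octocat:ghp_0123456789abcdef0123456789abcdef0123@github.com\n",
    # A workflow that references a secret by name exposes nothing; it must not match.
    "~/project/.github/workflows/ci.yml": "env:\n  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n",
}

# Constructed environment: one fine-grained PAT, plus values that must not match.
SAMPLE_ENV = {
    "GH_TOKEN": "github_pat_" + "A" * 82,
    "PATH": "/usr/bin:/bin",
    "NOT_A_TOKEN": "ghp_tooshort",
}


def redact(token):
    """Keep just enough of the token to identify it in a rotation ticket."""
    return token[:8] + "..." + token[-4:]


def find_exposed_credentials(env, files):
    """Scan env vars and file contents; return [(location, kind, redacted)]."""
    findings = []
    sources = [("env:" + name, value) for name, value in env.items()] + list(files.items())
    for location, text in sources:
        for kind, pattern in TOKEN_PATTERNS.items():
            for match in pattern.finditer(text):
                findings.append((location, kind, redact(match.group(0))))
    return findings


def rotation_plan(findings):
    """Group findings by credential type: one rotation action per type.

    Caveat: AWS secret access keys have no recognisable prefix, so they never
    appear here; rotating the access key ID rotates the pair, which is why the
    plan is keyed on the ID.
    """
    plan = {}
    for location, kind, redacted in findings:
        plan.setdefault(kind, []).append(f"{redacted} ({location})")
    return plan


if __name__ == "__main__":
    for kind, items in rotation_plan(find_exposed_credentials(SAMPLE_ENV, SAMPLE_FILES)).items():
        print(f"rotate {kind}:")
        for item in items:
            print(f"  {item}")
```

Run it against `os.environ` and the real files of the compromised account to get the minimum rotation set; anything the scan finds was readable by the extension, and so should be treated as already in the attacker's hands.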

Indicators of Compromise

  • malware — Mini Shai-Hulud

Entities

  • GitHub (vendor)
  • Microsoft (vendor)
  • VS Code (product)
  • TeamPCP (threat_actor)
  • Google Threat Intelligence (vendor)