GitHub confirmed that a third party gained unauthorized access to 3,800 internal repositories after a breach detected on May 19.
GitHub detection, immediate containment, and remediation steps
According to the company, its security team discovered the incident when a “poisoned” Visual Studio Code (VS Code) extension was found on an employee device. GitHub said it has “contained” the breach and described a set of immediate actions: “We removed the malicious extension version, isolated the endpoint and began incident response immediately. Critical secrets were rotated yesterday and overnight with the highest-impact credentials prioritized first.”
The company added that it is still working through follow-up tasks: “We continue to analyze logs, validate secret rotation, and monitor for any follow-on activity. We will take additional action as the investigation warrants.” GitHub also promised to publish a more detailed report when the investigation is complete.
Malicious VS Code extension as the attack vector
The intrusion is attributed to a malicious third‑party VS Code extension. VS Code is identified in the report as “a free, open‑source code editor developed by Microsoft” and is noted to be commonly used with GitHub Copilot, an AI coding assistant.
GitHub’s description links the extension directly to the employee endpoint that led to the internal access, prompting the rapid rotation of “critical secrets” and the isolation of the implicated device.
Claims by TeamPCP and the group’s stated intentions
The breach was claimed on the Breached cybercrime forum by a group calling itself TeamPCP. In their post the group alleged they had gained access to GitHub source code and “~4000 repos of private code.”
TeamPCP set a minimum price for the data, saying they were “not interested in under 50k” and that “the best offer will get it.” They framed the sale as selective, asserting they would only sell the data to one buyer and that they would delete the stolen data once a buyer was found. At the same time the group warned that if no buyer was found, they would leak the data for free. They also insisted the incident was “not a ransom” and that they were not interested in extorting GitHub.
TeamPCP’s prior campaign and operational model
The report places this incident in the context of TeamPCP’s broader supply‑chain campaign. TeamPCP has “rapidly gained notoriety for large‑scale software supply chain attacks,” repeatedly compromising projects such as Aqua Security’s Trivy vulnerability scanner and Checkmarx’s KICS infrastructure‑as‑code analyzer via attacks on GitHub Actions and other development components.
The group also moved into the Python Package Index (PyPI), directly compromising legitimate packages including the LiteLLM AI Gateway client library and Telnyx’s official SDK by publishing backdoored releases. In addition to direct compromises, TeamPCP has used PyPI typosquatting and other deceptive techniques to push credential‑stealing malware to downstream users, aiming to harvest cloud credentials, SSH keys, Kubernetes configurations and other software development secrets.
Public statements attributed to TeamPCP and allied actors describe an operational model in which TeamPCP provides initial access via compromised supply‑chain components, while other groups handle later stages. The report names Lapsus$ and the Vect ransomware group as partners, with Vect described as handling encryption and extortion and BreachForums providing an operator base. A distinct threat framework called “PCPJack” is also mentioned; it reportedly seeks out and removes TeamPCP artifacts from compromised environments before spreading laterally to steal additional cloud credentials, underscoring a competitive and monetized ecosystem around these campaigns.
What this means for technologists, enterprises, and open‑source maintainers
- Technologists and security teams: GitHub’s rapid removal of the extension, endpoint isolation and prioritized secret rotation demonstrate an incident‑response sequence focused on containing credential exposure and revoking high‑impact access.
- Enterprises and procurement leaders: The claimed access to thousands of internal repositories — and TeamPCP’s prior success in harvesting cloud credentials and keys — signals that organizations relying on shared development platforms may need to verify that their secrets and access tokens were included in GitHub’s prioritized rotations.
- Open‑source maintainers: TeamPCP’s history of compromising supply‑chain components, PyPI packages, and using typosquatting highlights ongoing risk to development tooling and package ecosystems that depend on third‑party code and automated actions.
GitHub’s public statement frames the incident as contained and ongoing investigation work, while TeamPCP’s claim and unusual posture — offering the data for sale to a single buyer while insisting it is “not a ransom” — leave open the immediate disposition of the alleged copies of internal repositories. The company’s pledge to publish a fuller report will be key to clarifying which repositories and which credentials were affected.
Original report: https://www.infosecurity-magazine.com/news/github-confirms-breach-vs-code/




