GitHub has confirmed that a hacker stole at least 3,800 internal repositories, and a known criminal group has claimed responsibility and put the data up for sale on an underground forum. The Microsoft-owned platform also confirmed that the cause of the security breach was a developer using a malicious VS Code script, but also said that it has not seen any signs of customer data being impacted.
Security breach claimed by TeamPCP, Lapsus$ assists with data sale
On May 19 GitHub confirmed the security breach across its social media channels, verifying that there was unauthorized access to internal repositories and stating that it was monitoring the situation for further activity. It also said that it had no evidence that information stored in customer repositories or internal information about customers was compromised. GitHub has also since added that it removed the poisoned VS Code extension.
The security breach was claimed by TeamPCP, a fairly recently formed but now established and effective hacking group that seems to be focusing heavily on poisoning open source materials. The group already has some major breaches under its belt including a spate of exploits of the React2Shell vulnerability in late 2025, a March breach of Aqua Security’s Trivy vulnerability scanner that resulted in the theft of downstream customer credentials, and theft of npm tokens from the Bitwarden CLI release pipeline.
The group is also following the general criminal hacker trend of temporary teamups with other prominent groups that are mutually beneficial, in this case making use of Lapsus$’s data breach portal to offer the stolen GitHub repositories for sale. It has previously been observed partnering with the Vect ransomware group, but also has developed a rival in the PCPJack group which has successfully attacked it with a worm and stolen some of its internal tools.
The data from the GitHub security breach was initially offered for $50,000 USD, but the asking price has since spiked to $95,000 after the group moved their sales operation from BreachForums to the Lapsus$ portal.
Theft of repositories continues rattling of GitHub user confidence
“No evidence” of customer compromise is of course good news in the wake of a security breach, but the problem is that it does not preclude the possibility of such data being stolen and that theft being discovered and disclosed later.
Boris Cipot, Principal Security Engineer at Black Duck, expands on how the breach could potentially expand as investigations continue: “Although GitHub may be an obvious target, we do not yet know the full effect this unauthorized access has caused and if this was the end goal of the malicious actor. GitHub is one of the most critical platforms in the global software supply chain, used by millions of developers and organizations. We need to understand that compromising GitHub, even partially, can expose source code, secrets, and internal development logic which can then be used in further attacks or ransom attempts. While GitHub is the attacked party in this case, there are many more tools that can become a target due to the same reason: code storage and developer interest.“
“For GitHub users, the takeaway is simple but important. Assume the supply chain can be compromised at any point. Users should enforce strong authentication, especially MFA, and tightly control access to repositories and tokens. Review and limit third‑party integrations, extensions, and dependencies, as these are now common attack paths. Additionally, rotate credentials regularly and monitor for unusual activity in repositories and pipelines. Most importantly, teams need to treat their development environment as production‑critical. Security can no longer stop at the application. It must cover the entire software supply chain,” added Cipot.
The news of the security breach has been met with some cynicism as GitHub has been struggling with a number of security and reputational issues. Aside from the breach, one of the biggest stories about GitHub has been its severe drop in uptime as of late. A study published this month found that the service had only been up for about 85% of the prior 90 days, out for an average of two to three hours daily. The longest of these stretches, a six-hour Elasticsearch outage on April 27, prompted some developers to announce they were seeking more reliable alternatives to move to. Just a day after that, security firm Wiz disclosed a critical vulnerability that allowed a threat actor to access any repositories on the platform with a simple “git push” command. GitHub CTO Vlad Fedorov has said that the platform is struggling to keep up with new load created by AI agents, and that it has eighteen years worth of “technical debt” to work through.
Microsoft did not name the tainted VS Code extension that caused this recent breach at first, but it was soon linked to (and later confirmed to be) Nx Console. This extension has over two million installs and was backdoored for only a very short time the day before the GitHub security breach was disclosed, but is thought to have compromised numerous users that auto-updated during that window. Weaponized VS Code extensions have been popular with hackers for years now, dating back to well before TeamPCP went into action. A campaign in 2025 saw at least 10 that were listed as legitimate development tools end up infecting victims with the XMRig cryptominer. And early this year, two extensions labeled as AI-based coding assistants that racked up over a million installs were found to contain malware that was quietly exfiltrating victim data to servers in China.
Ilkka Turunen, Field CTO at Sonatype, urges organizations to take note of trends such as this that can be observed in attacks on open source dependencies: “This is another reminder that developers are now permanent targets in software supply chain attacks. TeamPCP has shown how a motivated attacker can move through the tools developers trust every day — open source packages, extensions, accounts and credentials — rather than trying to break in through the front door.”
‘‘The software supply chain is now an operational attack surface, not just a dependency management problem,” Turunen added. ‘‘Organisations need visibility and preventative controls across the full developer workflow — from package intake and IDE extensions to CI pipelines and credential use — because reactive detection alone will not keep pace with attackers moving at ecosystem speed.”
TeamPCP has said that they will take no less than $50,000 for the data stolen from the GitHub repositories and will sell it to the highest bidder, but will leak it for free if they do not get a paying buyer in their price range.
Jason Soroko, Senior Fellow at Sectigo, expands on what this extortion approach means to organizations that might be similarly targeted: “The impact of the TeamPCP breach extends far beyond the immediate exposure of proprietary algorithms and instead strikes at the foundational trust placed in centralized code repositories. When the architect’s blueprints are auctioned to the highest bidder, the broader security paradigm must shift from perimeter defense to absolute architectural resilience. Security leaders should look past standard incident response protocols and begin evaluating decentralized hosting frameworks alongside zero-trust development pipelines. This exposure serves as a stark catalyst for the software industry to recognize that relying on a single monolithic entity for global code stewardship remains an inherently fragile strategy.”

