GitHub Source Code Breach – TeamPCP Claims Access to Internal
A notorious threat actor operating under the alias TeamPCP claims to have breached GitHub’s internal systems, allegedly exfiltrating proprietary organization data and source code.
The attackers are offering the stolen dataset for sale on underground cybercrime forums, demanding offers exceeding $50,000.
According to the threat actor’s post, the compromised data encompasses approximately 4,000 private repositories tied directly to GitHub’s main platform.
To validate their claims, TeamPCP has published a public file list and screenshots displaying numerous repository archive names. The group has stated its willingness to provide data samples to serious buyers to prove authenticity.
Following the circulation of these claims, GitHub publicly confirmed an ongoing investigation into the matter. In a statement released via X (formerly Twitter), the company acknowledged the unauthorized access but sought to reassure users regarding the safety of customer data.
“We are investigating unauthorized access to GitHub’s internal repositories,” GitHub stated. “While we currently have no evidence of impact to customer information stored outside of GitHub’s internal repositories (such as our customers’ enterprises, organizations, and repositories), we are closely monitoring our infrastructure for follow-on activity.”
TeamPCP, formally tracked by the Google Threat Intelligence Group as UNC6780, is a highly capable, financially motivated threat group known for orchestrating severe cross-ecosystem supply chain attacks.
Earlier in 2026, the group successfully compromised several major security and development tools:
- Trivy Vulnerability Scanner: Exploited via CVE-2026-33634, leading to the breach of over 1,000 organizations, including Cisco.
- Checkmarx and LiteLLM: Targeted in a high-velocity campaign aimed at credential harvesting within CI/CD pipelines.
- Shai-Hulud Malware: The group recently leaked the source code for their own Shai-Hulud malware directly onto GitHub using compromised accounts.
TeamPCP’s operational pattern of leveraging stolen CI/CD credentials and privileged access tokens to pivot deeper into target infrastructure makes the current claim technically credible.
The investigation is ongoing. GitHub has not disclosed how the alleged access was obtained, nor has it confirmed or denied the validity of the 4,000-repository claim.
Further updates are expected as the inquiry progresses.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.


