GitHub Confirms Breach of Internal Repos from Hacked Device

GitHub has confirmed unauthorized access to its internal repositories, disclosing the incident in a series of official statements on May 20, 2026.

The Microsoft-owned code hosting platform said it identified and contained the breach after a poisoned VS Code extension was used to compromise an employee’s endpoint.

GitHub immediately removed the malicious extension version, isolated the affected device, and activated its incident response procedures.

GitHub’s investigation indicates the attacker successfully exfiltrated data from GitHub-internal repositories only, with no confirmed impact on public or customer-hosted repositories at this stage.

The company stated that a threat actor’s claims of accessing approximately 3,800 repositories are “directionally consistent” with their findings so far.

A notorious threat actor operating under the alias TeamPCP has claimed responsibility for the breach, alleging the exfiltration of proprietary organization data and source code.

The group is reportedly offering the stolen dataset for sale on underground cybercrime forums, demanding offers exceeding $50,000. Their own claims cite roughly 4,000 private repositories tied directly to GitHub’s main platform.

GitHub moved quickly to reduce further exposure following initial detection. Key containment actions included:

• Rotating critical secrets and credentials overnight, prioritizing highest-impact credentials first
• Isolating the compromised employee endpoint
• Removing the malicious VS Code extension version from circulation
• Initiating continuous log analysis to detect any follow-on attacker activity

The use of a malicious VS Code extension as an initial access vector highlights a growing threat in developer-targeted supply chain attacks.

Threat actors increasingly target developer tooling, IDE extensions, CI/CD plugins, and package managers to gain footholds inside high-value technology organizations.

A trusted extension turning malicious can bypass traditional security controls and exfiltrate sensitive credentials or tokens silently in the background.

GitHub confirmed it continues to analyze logs, validate secret rotation completeness, and monitor for secondary activity.

The company stated it will take additional remediation actions as warranted by the investigation and has committed to publishing a fuller incident report once the review is complete.

GitHub has not confirmed any customer data exposure at this time.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.