GitHub has confirmed that nearly 3,800 internal code repositories were accessed without authorization, following the compromise of an employee’s computer via a malicious VS Code extension. The platform, which is owned by Microsoft, launched an in-depth security investigation immediately after the incident. Security teams swiftly neutralized the detected threat, removed the malicious extension, quarantined the affected system, and activated their incident response protocols.
## TeamPCP identified as perpetrators
Authorities have verified that the cyberattack was orchestrated by a hacker group known as TeamPCP. Law enforcement officials and independent researchers note that the group relies heavily on automated intrusion techniques specifically targeting software developers. TeamPCP claims to have gained control over roughly 4,000 repositories containing critical infrastructure code on GitHub’s servers, and has begun offering the stolen data for sale on underground forums with a starting price of at least $50,000.
A statement from GitHub emphasized that customer repositories, enterprise installations, and user accounts were not affected; only internal code repositories within the company’s systems were targeted.
Experts indicate that TeamPCP exploited vulnerabilities in developer environments and automated code deployment pipelines, seeking to obtain valuable session tokens and authentication credentials.
Glossary: A VS Code extension is a small plugin that adds extra features to Microsoft’s popular code editor, Visual Studio Code. Malicious extensions can infiltrate a developer’s system and access sensitive data.
## Security measures and response timeline
In the wake of the breach, GitHub rotated potentially compromised access tokens and began conducting a detailed review of system logs. The company reported that its security teams have increased monitoring to detect suspicious activity. A final incident report will be shared with the public once the investigation concludes.
| Incident | Affected Repository Count | Group/Entity Involved | Targeted Data |
|---|---|---|---|
| GitHub breach | 3,800+ | TeamPCP | Internal code, credentials |
| Grafana Labs supply chain | Unknown | Unknown | Infrastructure code, credentials |
## Crypto community sounds the alarm
In the aftermath, Binance founder Changpeng Zhao issued a significant warning specifically aimed at developers within the crypto sector. Zhao urged all crypto developers to immediately rotate any API credentials stored in codebases or private repositories.
Developers are strongly advised to review and replace API keys kept in both public and private repositories without delay.
Crypto application developers rely heavily on GitHub’s resources and infrastructure for critical operations. Automated trading systems, wallet access keys, and other secrets are often stored in code repositories. Security professionals caution that embedding sensitive keys directly in source code introduces major risks, and recommend comprehensive scanning using specialized tools such as gitleaks, Trivy, and GitHub Secret Scanning.
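The scanning tools named above implement the same basic idea: walk the files in a repository, match lines against known credential formats, and use an entropy check to separate real keys from placeholders. The script below is an added illustration of that idea, not code from GitHub, gitleaks or Trivy. The sample source file is constructed and the tokens in it are not real credentials; the `ghp_` prefix for GitHub personal access tokens and the `AKIA` prefix for AWS access key IDs are publicly documented formats, while the `# scanner:ignore` allow-list marker is a hypothetical convention.

```python
"""Minimal hard-coded secret scanner (added example, not GitHub's or gitleaks' code).

Applies a few well-known token patterns plus a Shannon-entropy check for
generic "key = '...'" assignments, and reports line number, rule name and a
redacted preview so the report itself does not leak the secret.
"""
import math
import re
from typing import List, Optional, Tuple

# (rule name, regex, index of the capture group holding the secret value).
# Group 0 is the whole match for rules that have no sub-group.
RULES = [
    ("github-pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b"), 0),
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), 0),
    ("generic-api-key", re.compile(
        r'(?i)(api[_-]?key|secret|token|password)\s*[:=]\s*["\']([^"\']{16,})["\']'), 2),
]
ENTROPY_THRESHOLD = 3.5  # bits per character; random keys usually exceed this

# Constructed sample file; none of these values are real credentials.
SAMPLE_SOURCE = """\
import os
BOT_NAME = "trading-bot"
GITHUB_TOKEN = "ghp_AbCdEfGhIjKlMnOpQrStUvWxYz0123456789"
aws_key = "AKIAIOSFODNN7EXAMPLE"
API_KEY = "changeme-changeme-changeme"
exchange_secret = "q7Zp2mX9vR4kL8nB1tW6yC3sD5fG0hJ2"
safe = os.environ["EXCHANGE_API_KEY"]
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep only the first four characters of a secret in the report."""
    return value[:4] + "*" * (len(value) - 4)


def match_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (rule name, secret value) for the first rule that fires, else None."""
    if "# scanner:ignore" in line:  # hypothetical allow-list marker
        return None
    for name, rx, group in RULES:
        for m in rx.finditer(line):
            value = m.group(group)
            # Generic assignments need high entropy; this skips placeholders
            # such as "changeme-changeme-changeme" that look like secrets.
            if name == "generic-api-key" and shannon_entropy(value) < ENTROPY_THRESHOLD:
                continue
            return name, value
    return None


def scan_text(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, rule_name, redacted_value) for each line with a hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        hit = match_line(line)
        if hit is not None:
            findings.append((lineno, hit[0], redact(hit[1])))
    return findings


if __name__ == "__main__":
    for lineno, rule, preview in scan_text(SAMPLE_SOURCE):
        print(f"line {lineno}: {rule}: {preview}")
```

Run against the constructed sample, the scanner flags the GitHub token, the AWS key ID and the high-entropy `exchange_secret` value, and ignores the low-entropy `changeme` placeholder and the line that reads the key from the environment, which is the pattern the article recommends instead of embedding keys in source. A real deployment would run a tool like gitleaks over the full git history, since a key deleted in a later commit is still recoverable from earlier ones.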
Recently, Grafana Labs also faced a supply chain attack, drawing widespread attention across the sector to the vulnerabilities exposed by the GitHub incident. In addition, a significant security flaw disclosed at the end of April (CVE-2026-3854) put millions of public and private repositories at risk.
## Major platforms commit to ongoing monitoring
GitHub has pledged to maintain the highest level of vigilance over its infrastructure, promising regular updates to the public until the investigation is complete.