A recent security breach involving unauthorized access to GitHub’s internal repositories has triggered significant concern in the software development community. According to a statement released by the platform on May 20, the attack originated from a malicious Visual Studio Code extension installed on an employee’s computer.
Timeline and initial findings
After detecting unauthorized access on May 19, GitHub acted swiftly to remove the compromised extension from its systems and deactivated related access points. The company stated that, at present, there is no direct evidence indicating that user repositories, organizational accounts, or customer data were impacted by the incident.
GitHub continues to assess the scope of the breach and is working to contain its effects. In an official update, the company confirmed that the attack was limited solely to internal repositories, with the attacker successfully accessing approximately 3,800 of them.
GitHub has urgently rotated its most sensitive credentials and access keys and will implement additional security measures as the situation becomes clearer. Current findings suggest that only non-user systems were targeted, and investigations are still ongoing.
As the inquiry proceeds, GitHub has been analyzing system logs and reviewing the effectiveness of credential resets. The company has committed to sharing a comprehensive report once its investigation concludes.
Origins and extent of the threat
The cyberattack has been linked to the well-known threat group UNC6780. According to Google Threat Intelligence Group, the attackers, who operate under the alias “TeamPCP”, are notorious for financially motivated supply chain attacks that focus on infiltrating software development pipelines.
TeamPCP claims to have obtained source code and internal information from nearly 4,000 private GitHub repositories belonging to the company’s core infrastructure. Reports suggest that these stolen materials are being offered for sale at prices exceeding $50,000, with samples potentially being shared as proof.
Google’s Threat Intelligence unit emphasizes that TeamPCP specializes in compromising automated authentication procedures, software delivery chains, and developer tools to gain unauthorized access.
Earlier in 2026, the group exploited a vulnerability in the Trivy Vulnerability Scanner (CVE-2026-33634) in attacks affecting major corporations, including Cisco. They have also been linked to credential phishing campaigns targeting security software firms like LiteLLM and Checkmarx.
Glossary: UNC6780 is a threat group identified in cybersecurity research as responsible for financially driven attacks. Their operations typically target supply chains, developer tools, and automation systems to gain access to sensitive data.
Rising risk for crypto APIs
Binance founder Changpeng Zhao underscored the urgency for both developers and teams to implement immediate security measures, highlighting how this breach could ripple into the cryptocurrency sector. Heavy reliance on shared API infrastructure exposes organizations to cascading threats: a compromise of one provider can propagate to every service that trusts it.
Storing API keys, automation tokens, and CI/CD credentials inside main code repositories makes companies particularly vulnerable, as a single supply chain flaw can put multiple exchanges, custody solutions, and data services at risk.
| Platform | Primary Function | Potential Risk |
|---|---|---|
| CoinStats API | Portfolio management | User funds at risk if keys are leaked |
| CoinGecko API | Price & market data | Falsified price feeds, data manipulation |
| Infura | Blockchain node access | Service outages, network exploitation |
Recently, platforms such as CoinGecko API, CoinMarketCap API, Infura, Alchemy, Kaiko, and Bitquery have gained substantial market share. Security experts advise developers to regularly audit the API backends of these tools, given their central role in both transaction monitoring and security.
Software-security specialists stress that using APIs correctly and managing credentials according to current best practices are crucial for sustainable crypto projects. Without such measures, similar attacks could become more common.
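The risk described above of keeping API keys and automation tokens inside a code repository, and the advice to audit credential handling, can be turned into a concrete pre-commit check. The following is an added example, not code from GitHub or any of the providers named on this page; the token shapes it looks for are a small constructed subset, and `SAMPLE_CONFIG` contains made-up values only.

```python
import re
from typing import Dict, List, Tuple

# Credential shapes a pre-commit check would look for (constructed subset; a real scanner has many more).
SPECIFIC_PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}
# Fallback: an assignment whose name ends in api_key/secret/token with a long quoted literal.
GENERIC_PATTERN = re.compile(
    r"(?i)\b\w*(?:api[_-]?key|secret|token)\s*[:=]\s*['\"]([A-Za-z0-9_\-]{20,})['\"]"
)

def redact(value: str) -> str:
    """Keep only a short prefix/suffix so the report itself never re-leaks the credential."""
    return f"{value[:4]}...{value[-2:]}" if len(value) > 8 else "***"

def scan_for_secrets(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, kind, redacted_value) for every credential-shaped string in text."""
    findings: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        before = len(findings)
        for kind, pattern in SPECIFIC_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((lineno, kind, redact(match.group(0))))
        if len(findings) == before:  # fall back to the generic rule only when no specific one hit
            for match in GENERIC_PATTERN.finditer(line):
                findings.append((lineno, "generic_api_key", redact(match.group(1))))
    return findings

def check_staged_files(files: Dict[str, str]) -> List[str]:
    """Pre-commit style gate: one message per finding; an empty list means the commit may proceed."""
    messages = []
    for path, content in files.items():
        for lineno, kind, redacted in scan_for_secrets(content):
            messages.append(f"{path}:{lineno}: {kind} ({redacted})")
    return messages

# Constructed sample config; none of these values are real credentials.
SAMPLE_CONFIG = """\
DB_HOST = "db.internal"
AWS_ACCESS_KEY_ID = "AKIAABCDEFGHIJKLMNOP"
COINGECKO_API_KEY = "cg_example_key_0123456789abcdef"
GITHUB_TOKEN = "ghp_abcdefghijklmnopqrstuvwxyz0123456789"
PUBLIC_RATE_LIMIT = "100"
"""

if __name__ == "__main__":
    for msg in check_staged_files({"config/settings.py": SAMPLE_CONFIG}):
        print(msg)
```

Wired into a pre-commit hook, a non-empty result from `check_staged_files` blocks the commit, which keeps provider keys out of the repository history that an attacker with repository access would otherwise harvest.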