TLDR
- GitHub disclosed a security incident affecting approximately 3,800 internal code repositories following the compromise of an employee’s workstation through a malicious VS Code extension
- The hacking collective TeamPCP has taken credit for the attack and is attempting to monetize the exfiltrated data with a minimum asking price of $50,000
- GitHub maintains that customer-owned repositories, enterprise accounts, and organizational data remain uncompromised
- Changpeng Zhao of Binance issued an urgent advisory for cryptocurrency developers to immediately rotate any API credentials embedded in their codebases, including those in private repositories
- GitHub has rotated sensitive credentials and continues active monitoring for any additional suspicious activity
GitHub is currently responding to a significant security incident following unauthorized access to its private internal code repositories. The breach originated from a compromised Visual Studio Code extension that was installed on a staff member’s computer.
The platform’s security team identified and neutralized the threat on Tuesday. Their immediate response included removing the harmful extension, quarantining the compromised system, and initiating a comprehensive incident response protocol.
The breach resulted in unauthorized access to roughly 3,800 of GitHub’s internal repositories. The company has verified that this number is consistent with the claims made by the threat actors who orchestrated the attack.
The cybercriminal organization operating under the name TeamPCP has publicly claimed responsibility for this intrusion. They are currently marketing the stolen source code on underground forums, alleging possession of approximately 4,000 repositories containing proprietary code from GitHub’s core infrastructure and internal divisions.
Security researchers characterize TeamPCP as a highly sophisticated operation that leverages extensive automation to compromise developer platforms and extract valuable credentials for monetary exploitation. According to reports, the group is demanding no less than $50,000 for the compromised data.
Customer Data Not Affected
GitHub’s forensic analysis has found no evidence that customer data outside its internal repositories was compromised. According to the company’s statements, all customer-owned repositories, enterprise installations, and organizational accounts remain secure.
The organization has already rotated sensitive authentication credentials, focusing first on those with the highest potential security impact. Ongoing log analysis and infrastructure monitoring continue as preventative measures.
GitHub has committed to releasing a comprehensive incident report following the conclusion of its investigation.
Warning Issued to Crypto Developers
Binance founder Changpeng Zhao immediately addressed the situation with an urgent message for cryptocurrency developers. His warning emphasized the critical need to rotate all API keys that may be stored within code repositories, regardless of whether they’re marked as private.
“If you have API keys in your code, even private repos, now is the time to double check and change them,” Zhao said.
The cryptocurrency development community depends extensively on GitHub for building and maintaining their applications. Critical assets such as exchange API credentials, cryptocurrency wallet access tokens, and infrastructure authentication keys are frequently embedded within repositories for deployment in automated trading systems, bots, and blockchain applications.
Cybersecurity professionals are recommending that developers immediately audit their codebases for hardcoded credentials using specialized tools such as GitHub’s native Secret Scanning feature, gitleaks, or Trivy. Additionally, experts strongly advise transitioning away from the practice of directly embedding sensitive keys within version-controlled code repositories.
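One way to carry out the audit recommended above, as an added example that is not from the article or from any of the tools it names: a minimal scanner that combines fixed-format rules (the real AKIA and ghp_ prefixes) with a Shannon-entropy check on generic key assignments, run over a constructed config snippet. Every sample value is made up, and the 3.5-bit entropy threshold is an assumption.

```python
import math
import re

# Detection rules. AKIA (AWS access key ID) and ghp_ (GitHub personal access token) are
# real prefixes; the generic rule catches any key/secret/token assigned a quoted literal.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?P<value>AKIA[0-9A-Z]{16})\b"),
    "github_pat": re.compile(r"\b(?P<value>ghp_[A-Za-z0-9]{36})\b"),
    "generic_api_key": re.compile(
        r"(?i)(?:api[_-]?key|api[_-]?secret|secret[_-]?key|token)"
        r"\s*[:=]\s*['\"](?P<value>[A-Za-z0-9_\-/+=]{16,})['\"]"
    ),
}

# Constructed sample of a trading-bot config; every value here is made up.
SAMPLE_SOURCE = """\
# exchange and deployment settings
EXCHANGE_API_KEY = "mXq7LpZ2vR9tBn4KwYh3cD8sFa6GjU1e"
EXCHANGE_API_SECRET = "changeme_changeme_changeme"
aws_key = "AKIAIOSFODNN7EXAMPLE"
GITHUB_TOKEN = "ghp_aBcDeFgHiJkLmNoPqRsTuVwXyZ0123456789"
timeout = 30
"""


def shannon_entropy(s: str) -> float:
    """Bits per character: random keys score high, words and placeholders low."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_source(text: str, min_entropy: float = 3.5) -> list[tuple[int, str, str]]:
    """Return (line_no, rule, redacted_value) for each suspected hardcoded secret.

    Generic matches below the entropy threshold (assumed 3.5 bits) are treated as
    placeholders and skipped; a value hit by several rules on one line is reported
    once, under the first (most specific) rule.
    """
    findings: dict[tuple[int, str], str] = {}
    for line_no, line in enumerate(text.splitlines(), 1):
        for rule, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group("value")
                if rule == "generic_api_key" and shannon_entropy(value) < min_entropy:
                    continue
                findings.setdefault((line_no, value), rule)
    # Redact before reporting so the scanner's own output does not leak the key.
    return [(ln, rule, f"{v[:4]}...{v[-4:]}") for (ln, v), rule in findings.items()]
```

Calling `scan_source(SAMPLE_SOURCE)` reports the exchange key, the AWS key and the GitHub token but skips the low-entropy placeholder secret; a real audit would feed it every tracked file and the full git history, since a key removed in a later commit is still recoverable.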
This security incident follows closely behind another supply chain attack reported by Grafana Labs on Tuesday. In that case, threat actors penetrated the company’s GitHub repositories and issued ransom demands, which Grafana Labs declined to pay.
The GitHub compromise also occurs just weeks after the April 28 disclosure of CVE-2026-3854, a critical security vulnerability. This flaw enabled authenticated users to execute unauthorized commands on GitHub’s server infrastructure, potentially exposing millions of both public and private code repositories.
GitHub states it will maintain continuous surveillance of its systems and provide regular updates throughout the ongoing investigation.