GitHub Breach: 3,800 Internal Repositories Stolen After an Employee’s PC Was Hacked
A GitHub employee installed a malicious Visual Studio Code extension on their computer, and the consequences were serious: attackers were able to get their hands on around 3,800 internal code repositories. Here is what we know about this new security incident.
A VS Code extension at the heart of the compromise
In an official statement on the social network X, GitHub spoke out about a security incident: "We are investigating unauthorized access to GitHub internal repositories. Yesterday, we detected and contained the compromise of an employee device involving a malicious VS Code extension."
As soon as the threat was detected, security teams stepped in to try to limit the scope of the incident. Initial remediation actions were also carried out: "We removed the malicious version of the extension, isolated the endpoint and initiated incident response immediately," GitHub wrote on X. In addition, GitHub teams rotated the most critical secrets.

Although the investigation is still ongoing, this cyberattack appears to have allowed the criminals to steal data from internal repositories. Around 3,800 repositories are believed to be affected, which is far from insignificant.
While GitHub has not yet attributed the incident to a specific group, it may be another move by the TeamPCP hacking group. Indeed, on Tuesday, May 19, 2026, TeamPCP posted a message claiming the theft of around 4,000 private repositories belonging to GitHub.
For its part, GitHub indirectly confirmed these claims: "Our current assessment is that the activity involved exfiltration of GitHub internal repositories only. The attacker’s current claims of approximately 3,800 repositories are broadly consistent with our investigation thus far."
The stolen data is now up for sale, and TeamPCP is hoping to make at least $50,000 from it. "If you are interested, send your proposals to the address below. We do not consider offers below 50,000 euros; the highest bid wins," they said on the Dark Web.
Was customer data impacted?
This is a legitimate concern: many companies and developers hosting their projects on GitHub are wondering whether their data has been affected. Indeed, GitHub hosts many open source projects (with code available publicly), but it also hosts many private repositories.
For now, GitHub is trying to reassure users, but the investigation is still ongoing. Let’s hope there are no unpleasant surprises here. "Although we currently have no evidence of any impact to customer information stored outside of GitHub internal repositories (such as companies, organizations, and our customers' repositories), we are closely monitoring our infrastructure for any follow-on activity," it said.
We will need to follow GitHub’s communications in the coming days, especially on its X feed. Over the past few weeks, TeamPCP has been chaining supply chain attacks. Among the latest victims is OpenAI, a collateral victim of the Mini Shai-Hulud campaign.
Finally, this article is an opportunity to remind readers that this is not the first time malicious VS Code extensions have been distributed by attackers. Each time, the goal is the same: steal credentials and sensitive data, as is the case here. It remains to be seen which malicious extension was involved in this cyberattack.


