GitHub confirmed today that it was breached by an attacker who stole thousands of internal repositories.
TeamPCP, a financially motivated threat actor that has relentlessly targeted the open source ecosystem, yesterday published a post on a prominent Dark Web data breach forum offering to sell internal source code and organization data stolen from GitHub. The haul totaled "~4,000 repos of private code," according to the advertisement, and was offered to a single interested buyer.
"As always this is not a ransom. We do not care about extorting GitHub, 1 buyer and we shred the data on our end, it looks like our retirement is soon so if no buyer is found we will leak it free," the post read.
GitHub today partially confirmed the advertisement's claims in a series of posts from the official company account on X. According to the Microsoft-owned company, GitHub yesterday detected and contained the compromise of an employee device that involved a poisoned VS Code extension. GitHub said it removed the malicious extension version, isolated the endpoint, and began incident response.
"Our current assessment is that the activity involved exfiltration of GitHub-internal repositories only. The attacker's current claims of ~3,800 repositories are directionally consistent with our investigation so far," the series of posts read. "We moved quickly to reduce risk. Critical secrets were rotated yesterday and overnight with the highest-impact credentials prioritized first. We continue to analyze logs, validate secret rotation, and monitor for any follow-on activity. We will take additional action as the investigation warrants. We will publish a fuller report once the investigation is complete."
TeamPCP has become a force to be reckoned with for developers in recent months. Security experts have attributed the Shai-Hulud self-replicating worm attacks that began last year to TeamPCP, and the group has also targeted organizations in credential-theft attacks and more. Most recently, TeamPCP published the source code of Shai-Hulud to GitHub in an effort to spread the worm even further.
GitHub Breach Begs: What Happened?
Compromising GitHub through a poisoned version of a Visual Studio Code (VS Code) extension (or perhaps a typosquatted application) is well within the threat actor's capabilities; many of its recent campaigns have involved exactly this kind of activity.
It is notable that the Microsoft-owned GitHub was compromised through a VS Code extension a year after GitHub committed itself to open source software security and two years after Microsoft committed itself to improved security practices. VS Code is a Microsoft product, but a VS Code extension is not necessarily Microsoft's code: third-party extensions are published by outside developers, and once installed they run with the same privileges as the editor itself. So while breach victims deserve a bit of grace, the threat to the open source ecosystem has been well established for months.
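As an added example (not code from GitHub, Microsoft or TeamPCP), this is the check a defender would run after an incident like the one described: inventory the extensions installed on a workstation from their package.json manifests and flag known-bad versions, third-party publishers and extensions that activate on every editor launch. The on-disk layout (one `<publisher>.<name>-<version>` directory per extension under `~/.vscode/extensions`, each with a package.json) is the real one; the trusted-publisher set, the known-bad version table and the sample extensions the demo writes into a temporary directory are constructed placeholders to replace with your own data.

```python
"""Inventory installed VS Code extensions and flag risky ones.

Added example; assumes VS Code's real on-disk layout under
~/.vscode/extensions. Publisher allowlist, known-bad table and the
sample extensions below are constructed for the demo.
"""
import json
import tempfile
from pathlib import Path

# Assumption: publishers your organisation treats as first-party.
TRUSTED_PUBLISHERS = {"ms-python", "ms-vscode", "github"}

# Assumption: extension versions reported as malicious. The identifier
# here is constructed for the demo, not taken from any real advisory.
KNOWN_BAD_VERSIONS = {"example-pub.helper-tools": {"1.2.3"}}

# Activation events that run extension code on every launch, with no
# user action that would draw attention to it.
BROAD_ACTIVATION = {"*", "onStartupFinished"}


def audit_extension(manifest: dict, path: str) -> dict:
    """Return an inventory record and a list of flags for one manifest."""
    publisher = manifest.get("publisher", "")
    ext_id = f"{publisher}.{manifest.get('name', '')}"
    version = manifest.get("version", "")
    flags = []
    if version in KNOWN_BAD_VERSIONS.get(ext_id, set()):
        flags.append("known-bad version")
    if publisher not in TRUSTED_PUBLISHERS:
        flags.append("third-party publisher")
    if set(manifest.get("activationEvents", [])) & BROAD_ACTIVATION:
        flags.append("activates on every launch")
    return {"id": ext_id, "version": version, "path": path, "flags": flags}


def audit_directory(root) -> list:
    """Audit every <root>/*/package.json; unreadable manifests are flagged, not skipped."""
    results = []
    for manifest_path in sorted(Path(root).glob("*/package.json")):
        path = str(manifest_path.parent)
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            results.append({"id": manifest_path.parent.name, "version": "",
                            "path": path, "flags": ["unreadable manifest"]})
            continue
        results.append(audit_extension(manifest, path))
    return results


def write_sample_extensions(root) -> None:
    """Write constructed sample extension directories (not real extensions)."""
    samples = {
        "ms-python.python-2024.1.0": json.dumps({
            "publisher": "ms-python", "name": "python", "version": "2024.1.0",
            "activationEvents": ["onLanguage:python"]}),
        "example-pub.helper-tools-1.2.3": json.dumps({
            "publisher": "example-pub", "name": "helper-tools", "version": "1.2.3",
            "activationEvents": ["*"]}),
        "other-pub.theme-0.9.0": json.dumps({
            "publisher": "other-pub", "name": "theme", "version": "0.9.0"}),
        "broken-ext-0.0.1": "{ not valid json",
    }
    for dirname, body in samples.items():
        ext_dir = Path(root) / dirname
        ext_dir.mkdir(parents=True, exist_ok=True)
        (ext_dir / "package.json").write_text(body, encoding="utf-8")


def run_demo() -> dict:
    """Audit the constructed samples in a temp dir; returns records keyed by id."""
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_extensions(tmp)
        return {r["id"]: r for r in audit_directory(tmp)}


if __name__ == "__main__":
    # For a real host, call audit_directory(Path.home() / ".vscode" / "extensions").
    for record in run_demo().values():
        status = ", ".join(record["flags"]) or "ok"
        print(f"{record['id']} {record['version']}: {status}")
```

Run it against the real directory to get a version-pinned inventory you can diff against a vendor's list of pulled extension versions; an extension from an unknown publisher that activates on every launch is worth a closer look even when no advisory names it yet.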