GitHub Investigates Unauthorized Access to Internal Repositories

CryptoFrontier

GitHub is investigating unauthorized access to its internal repositories following the compromise of an employee's device, the company announced Wednesday. The compromise, which GitHub detected and contained on Tuesday, involved a poisoned VS Code extension that was used to gain access. While GitHub currently has no evidence of impact to customer information stored outside of its internal repositories, the company is closely monitoring its infrastructure for follow-on activity.

GitHub is the primary platform for developers worldwide, many of whom host their open source projects and repositories on its servers. The incident highlights weaknesses in the developer-tools supply chain that attackers exploit for credential harvesting and unauthorized access.

Incident Response and Technical Details

GitHub removed the malicious extension version, isolated the affected endpoint, and began incident response procedures immediately upon detection. The company stated it is investigating the full scope of the unauthorized access to determine what internal repositories were affected.

TeamPCP Claims Responsibility

A hacking group called TeamPCP has claimed responsibility for the compromise on underground hacker forums, according to Hackmanac. The group has attempted to sell GitHub data online, claiming to have "4,000 repos of private code" related to GitHub's main platform and internal organizations.

TeamPCP is described as a sophisticated, automation-heavy hacking group that turns compromised developer tools into credential-harvesting machines for financial gain, according to SecurityWeek.

Security Guidance

Binance founder Changpeng Zhao advised developers to review their security practices: "If you have API keys in your code, even private repos, now is the time to double-check and change them."
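A defender-side check that follows from this advice, added here as an example and not part of the article: a Python scanner that flags well-known token formats (GitHub classic and fine-grained personal access tokens, AWS access key IDs; the prefix patterns are assumptions about the current formats) and high-entropy values assigned to key-like names, so that keys needing rotation can be located before they are changed. The sample file content is constructed; the AWS key is the documented AWS example value.

```python
import math
import re
from collections import Counter
from pathlib import Path

# Assumed prefix formats for well-known credential types; extend as needed.
PATTERNS = {
    "github_pat_classic": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "github_pat_fine_grained": re.compile(r"\bgithub_pat_[A-Za-z0-9_]{22,255}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # key-like name, '=' or ':', quoted value of 20+ secret-looking characters
    "generic_assignment": re.compile(
        r"(?i)\b(api[_-]?key|secret|token)\b\s*[:=]\s*['\"]([A-Za-z0-9+/=_\-]{20,})['\"]"
    ),
}

def shannon_entropy(s: str) -> float:
    """Bits per character: random secrets score high, plain words score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def scan_text(text: str, path: str = "<memory>", min_entropy: float = 3.5):
    """Return (path, line_no, kind, redacted_value) for each likely secret."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                value = m.group(m.lastindex or 0)
                # Prefixed formats are reported as-is; generic assignments must
                # also look random, which filters out placeholders like "aaaa..."
                if kind == "generic_assignment" and shannon_entropy(value) < min_entropy:
                    continue
                findings.append((path, line_no, kind, value[:6] + "..." + value[-4:]))
    return findings

def scan_tree(root: str, min_entropy: float = 3.5):
    """Scan every regular file under root, skipping the .git metadata directory."""
    findings = []
    for p in Path(root).rglob("*"):
        if p.is_file() and ".git" not in p.parts:
            findings += scan_text(p.read_text(errors="ignore"), str(p), min_entropy)
    return findings

# Constructed sample of a checked-in .env file (not from the incident)
SAMPLE = """\
# service settings
GITHUB_TOKEN=ghp_ABCDEFGHIJKLMNOPQRSTu1v2w3x4y5z6a7b8
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
api_key = "q7Zt2pLm9XvB4nRk8sYw3dFh"
token = "aaaaaaaaaaaaaaaaaaaaaaaa"
"""

if __name__ == "__main__":
    for hit in scan_text(SAMPLE, "sample.env"):
        print(hit)
```

Values are printed redacted so the scanner's own output does not become a second copy of the secret.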

Related Incidents in Developer Security

The GitHub incident occurred the same day that Grafana Labs, an open-source data observability company, disclosed it was hit by a supply-chain attack. Malicious actors accessed Grafana's GitHub repositories and downloaded its codebase. The attackers issued a ransom demand under threat of data disclosure, which Grafana did not meet.

This incident follows the April 28 public disclosure of a critical remote code execution vulnerability, CVE-2026-3854, that allowed authenticated users to execute arbitrary commands on GitHub's servers. Wiz Research, which discovered the flaw, reported that millions of public and private repositories belonging to other users and organizations were accessible on the affected nodes.
