GitHub confirmed that a hacking group accessed roughly 3,800 [1] internal repositories after an employee installed a malicious software extension.
The breach highlights a critical vulnerability in developer workflows, where a single compromised tool can grant attackers access to vast amounts of proprietary corporate code. Because GitHub is a central hub for global software development, the incident raises concerns about the security of internal environments at major tech firms.
The hacking group, known as TeamPCP, gained unauthorized entry to the Microsoft-owned platform through a poisoned Visual Studio Code extension [1], [3]. This specific type of attack targets the tools developers use to write code, turning a trusted utility into a gateway for intruders.
GitHub detected the breach on May 19, 2026 [4], and publicly disclosed the incident the following day [2]. According to reports, the attackers demanded a ransom of $50,000 [2] following the theft of the data.
Internal repositories often contain sensitive configuration files, API keys, and proprietary logic that are not intended for public view. The scale of the breach, affecting 3,800 [1] separate repositories, suggests the attackers were able to move laterally through GitHub's internal systems once the initial extension was activated.
While GitHub has not detailed the specific contents of the stolen repositories, the use of a poisoned extension is a growing trend in supply chain attacks. These attacks bypass traditional perimeter security by tricking employees into inviting the threat actor directly into the development environment.
This incident underscores the rising risk of 'dependency confusion' and malicious plugins in the software supply chain. By targeting the Integrated Development Environment (IDE) rather than the network perimeter, TeamPCP bypassed standard security layers. The breach demonstrates that even high-security organizations like GitHub are susceptible to social engineering and tool-based exploits, potentially forcing a shift in how companies vet third-party extensions used by their engineers.
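One concrete form the extension vetting mentioned above can take, as an added example that is not part of this report or of any GitHub tooling: inventory the VS Code extensions installed on a workstation and diff them against an organisation's approved allowlist. The extensions directory layout and the `APPROVED` set are assumptions, and the sample extension directory is constructed inline.

```python
import json
import tempfile
from pathlib import Path

# Assumption: user extensions live under ~/.vscode/extensions as
# <publisher>.<name>-<version>/package.json; adjust for a managed fleet.
EXTENSIONS_DIR = Path.home() / ".vscode" / "extensions"

# Hypothetical allowlist of "publisher.name" identifiers the organisation has vetted.
APPROVED = {"ms-python.python", "redhat.vscode-yaml"}

def inventory_extensions(ext_dir: Path) -> list[dict]:
    """Return publisher/name/version for every extension manifest under ext_dir."""
    found = []
    for manifest in sorted(ext_dir.glob("*/package.json")):
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable manifest: skipped here, worth flagging in a real audit
        found.append({
            "id": f"{meta.get('publisher', '?')}.{meta.get('name', '?')}".lower(),
            "version": meta.get("version", "?"),
            "path": str(manifest.parent),
        })
    return found

def unapproved_extensions(ext_dir: Path, approved: set[str]) -> list[dict]:
    """Installed extensions absent from the allowlist: the review queue."""
    return [e for e in inventory_extensions(ext_dir) if e["id"] not in approved]

def build_sample_extension_dir() -> Path:
    """Constructed sample: one vetted extension and one unknown publisher."""
    root = Path(tempfile.mkdtemp(prefix="vsx-audit-"))
    samples = {
        "ms-python.python-2024.4.1": {"publisher": "ms-python", "name": "python", "version": "2024.4.1"},
        "unknown-pub.helper-0.0.1": {"publisher": "unknown-pub", "name": "helper", "version": "0.0.1"},
    }
    for folder, meta in samples.items():
        d = root / folder
        d.mkdir()
        (d / "package.json").write_text(json.dumps(meta), encoding="utf-8")
    return root

if __name__ == "__main__":
    sample = build_sample_extension_dir()  # swap in EXTENSIONS_DIR for a live check
    for ext in unapproved_extensions(sample, APPROVED):
        print(f"REVIEW: {ext['id']} {ext['version']} at {ext['path']}")
```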