GitHub announced Tuesday, May 20, 2026, that a threat-actor group known as TeamPCP exfiltrated thousands of internal code repositories [1].
The breach highlights a critical vulnerability in developer workflows where a single compromised tool can expose an entire organization's private infrastructure. Because the stolen data includes internal source code, the incident could provide attackers with a roadmap to identify further vulnerabilities within GitHub's own systems.
According to the company, the incident began when an employee unknowingly installed a poisoned Visual Studio Code extension on their device [2]. This malicious tool allowed TeamPCP to compromise the device and gain unauthorized access to the company's private source code [3].
Reports indicate that roughly 3,800 internal repositories were breached [1]; some sources round the figure to about 4,000 [4].
TeamPCP is now offering the stolen archive for sale, demanding $50,000 for the data [1]. The group is leveraging the sensitive nature of the internal repositories to pressure the company for payment.
GitHub is currently investigating the full scope of the exfiltration. A GitHub spokesperson said, "While we currently have no evidence of impact to customer information stored outside of GitHub's internal repositories (such as our customers' enterprises," indicating that external client data remains secure for now [5].
This attack follows a growing trend of "supply chain" compromises targeting the tools developers use daily. By poisoning a popular extension marketplace, attackers can bypass traditional perimeter security and land directly on a trusted employee's workstation [3].
“Roughly 3,800 internal repositories were breached after a malicious VS Code extension was installed on an employee's device.”
This incident underscores the risk of 'extension-based' attacks in integrated development environments (IDEs). By targeting the developer's local environment rather than the cloud infrastructure, TeamPCP bypassed high-level security layers. The theft of internal repositories is particularly dangerous as it allows threat actors to perform 'white-box' testing—analyzing actual source code to find zero-day vulnerabilities—which could lead to more severe exploits against GitHub's platform in the future.
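One control a defender can put in place against the extension-based entry point described above is an inventory of the extensions installed on developer workstations, checked against a publisher allowlist and screened for extensions that activate on every launch. The script below is an added example, not code from the article, GitHub or TeamPCP. It reads the standard local layout (`~/.vscode/extensions/<publisher>.<name>-<version>/package.json`); the allowlist, the `example-unknown.helper` extension and the temporary sample directory it builds are constructed for the demonstration.

```python
"""Audit installed VS Code extensions against a publisher allowlist.

Example code added for illustration; it is not from the article or from GitHub.
It reads the standard extensions layout
(~/.vscode/extensions/<publisher>.<name>-<version>/package.json) and reports
extensions whose publisher is unknown or that activate unconditionally.
"""
import json
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

# Activation events that make an extension run on every editor launch regardless
# of what the user opens. Legitimate extensions use them too, so treat a hit as a
# triage signal that deserves a closer look, not as proof of malice.
BROAD_ACTIVATION = {"*", "onStartupFinished"}


@dataclass
class Finding:
    extension_id: str           # "<publisher>.<name>"
    version: str
    reasons: list = field(default_factory=list)


def audit_extensions(extensions_dir, allowed_publishers):
    """Walk an extensions directory and return one Finding per suspicious extension.

    An extension is flagged when its publisher is not on the allowlist (compared
    case-insensitively) or when it declares a broad activation event.
    """
    findings = []
    allowed = {p.lower() for p in allowed_publishers}
    for manifest in sorted(Path(extensions_dir).glob("*/package.json")):
        try:
            pkg = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, json.JSONDecodeError):
            # A manifest that cannot be parsed is itself worth a look.
            findings.append(Finding(manifest.parent.name, "?", ["unreadable manifest"]))
            continue
        publisher = str(pkg.get("publisher", "")).lower()
        ext_id = f"{publisher}.{pkg.get('name', '')}"
        reasons = []
        if publisher not in allowed:
            reasons.append(f"publisher '{publisher}' not on allowlist")
        broad = BROAD_ACTIVATION.intersection(pkg.get("activationEvents", []))
        if broad:
            reasons.append("activates unconditionally: " + ", ".join(sorted(broad)))
        if reasons:
            findings.append(Finding(ext_id, str(pkg.get("version", "?")), reasons))
    return findings


def build_sample_extensions_dir():
    """Create a temporary extensions directory with constructed manifests.

    The folder names and manifests are made up for this example so the audit can
    run offline; 'example-unknown.helper' is a hypothetical extension.
    """
    root = Path(tempfile.mkdtemp(prefix="vscode-ext-audit-"))
    samples = {
        "ms-python.python-2024.1.0": {
            "name": "python", "publisher": "ms-python", "version": "2024.1.0",
            "activationEvents": ["onLanguage:python"],
        },
        "example-unknown.helper-0.0.1": {
            "name": "helper", "publisher": "example-unknown", "version": "0.0.1",
            "activationEvents": ["*"],
        },
    }
    for folder, manifest in samples.items():
        ext_dir = root / folder
        ext_dir.mkdir()
        (ext_dir / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


if __name__ == "__main__":
    # Point this at Path.home() / ".vscode" / "extensions" to audit a real workstation.
    sample = build_sample_extensions_dir()
    for f in audit_extensions(sample, allowed_publishers={"ms-python"}):
        print(f"{f.extension_id}@{f.version}: " + "; ".join(f.reasons))
```

Run against a real workstation by passing `Path.home() / ".vscode" / "extensions"` instead of the sample directory; the allowlist should come from whatever publishers the organisation has actually vetted. The check deliberately stays simple so it can run from an endpoint-management job without network access.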