The world’s largest code-hosting platform just became the latest, and most prominent, casualty in TeamPCP’s escalating war on developer infrastructure. GitHub confirmed on May 20, 2026, that a threat group it identifies as TeamPCP accessed approximately 3,800 internal repositories after a single employee installed a poisoned Visual Studio Code extension on their work machine. The stolen dataset is now listed for sale on underground forums at a minimum asking price of $50,000.

How a Single Extension Unlocked GitHub’s Codebase

The attack vector is deceptively mundane: a rogue VS Code extension installed by one GitHub employee. GitHub’s security team discovered the malicious extension during routine investigation on May 19 and confirmed its role as the initial access point in a five-post thread published on X on May 20.

Once the extension ran on the employee’s endpoint, it gave attackers a foothold inside Microsoft’s developer platform. From that bridgehead, TeamPCP moved laterally, exfiltrating internal repositories at scale. GitHub’s own forensic assessment places the number of compromised repos at roughly 3,800, a figure it says is “directionally consistent” with what TeamPCP claims on the Breached cybercrime forum.

GitHub moved quickly once the extension was identified: the malicious version was removed, the affected endpoint isolated, and incident response initiated. “Critical secrets were rotated yesterday and overnight with the highest-impact credentials prioritized first,” the company stated.

No customer data is reported to have been accessed. The breach appears confined to GitHub’s own internal codebase.

TeamPCP: A Supply Chain Gang That’s Been Closing In on GitHub

This breach didn’t come out of nowhere. TeamPCP has spent 2026 systematically targeting developer tooling and open-source ecosystems, a campaign that, in retrospect, was always heading somewhere like this.

The group first drew sustained attention in February–March 2026 after compromising widely trusted open-source security tools, including Aqua’s Trivy vulnerability scanner and Checkmarx’s KICS static analysis engine. By late March, malicious releases of LiteLLM and the Telnyx SDK had been published to PyPI under the group’s fingerprints.

April brought more: on April 29, four official SAP npm packages were poisoned and published within a three-hour window. Then on May 12, barely a week before the GitHub breach, came the largest TeamPCP campaign yet. Dubbed “Mini Shai-Hulud” by researchers, it compromised TanStack, Mistral AI, UiPath, and over 160 additional npm and PyPI packages, hitting an estimated 1,800 developers. The worm-like malware self-propagated through the npm ecosystem: any packages published from an infected developer machine would themselves be infected.

The Credential Pipeline That Led Here

Unit 42 and Datadog Security Labs researchers have pieced together how TeamPCP’s campaign was always designed to reach this endpoint. The group’s malware contains a specific behaviour: it scans infected developer environments for GitHub tokens, validates them using the GitHub API, and if the token has write access, pushes further payloads to any writable repository it can reach.

The credential harvest isn’t opportunistic; it’s the point. API keys, cloud credentials, SSH keys, CI/CD tokens, and registry access tokens are all systematically collected. GitHub tokens are explicitly prioritized in the malware’s targeting logic, according to Datadog’s analysis of the LiteLLM and Telnyx compromise.

With Mini Shai-Hulud having touched 1,800 developers and their environments across PyPI, npm, and PHP in May alone, the pool of potentially harvested GitHub credentials was already substantial by the time someone at GitHub installed the poisoned VS Code extension. Whether the VS Code vector was opportunistic or specifically targeted remains under investigation.
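The defensive counterpart to the credential pipeline described above is knowing where GitHub tokens sit in a developer environment before a harvester finds them, so they can be rotated. The following is an added example, not code from GitHub, Unit 42 or Datadog: a small scanner that walks named text sources (dotfiles, an environment dump, a CI log) for GitHub’s documented token prefixes and reports each hit masked, never the full value. The sample sources and token values are constructed and match only the format.

```python
"""Inventory GitHub-format tokens in a developer environment so they can be
rotated. Added example (not GitHub's, Unit 42's or Datadog's code). Token
prefixes follow GitHub's documented formats; the sample inputs are constructed."""
import re
from typing import Dict, List, Tuple

# Documented GitHub token prefixes: ghp_ (classic PAT), gho_ (OAuth), ghu_/ghs_
# (GitHub App user/server tokens), ghr_ (refresh) and github_pat_ (fine-grained).
# Body lengths differ between kinds, so match the prefix plus a base62 body.
GITHUB_TOKEN_RE = re.compile(
    r"\b(?P<kind>ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36,}\b"
    r"|\b(?P<fg>github_pat)_[A-Za-z0-9_]{22,255}\b"
)

Finding = Tuple[str, int, str, str]  # (source, line number, token kind, masked value)


def mask(token: str, kind: str) -> str:
    """Keep only the prefix and the last four characters so a report is safe to share."""
    return f"{kind}_...{token[-4:]}"


def find_github_tokens(source: str, text: str) -> List[Finding]:
    """Return one finding per GitHub-format token in the given text."""
    hits: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in GITHUB_TOKEN_RE.finditer(line):
            kind = m.group("kind") or m.group("fg")
            hits.append((source, line_no, kind, mask(m.group(0), kind)))
    return hits


def rotation_report(sources: Dict[str, str]) -> List[Finding]:
    """Scan every named source and aggregate the tokens that need rotating."""
    findings: List[Finding] = []
    for name, text in sources.items():
        findings.extend(find_github_tokens(name, text))
    return findings


# Constructed sample inputs resembling what sits in a developer home directory.
# The values are made up; only their shape matches real tokens.
SAMPLE_SOURCES: Dict[str, str] = {
    "~/.git-credentials": "https://octocat:ghp_" + "A" * 36 + "@github.com\n",
    "~/.npmrc": "//registry.npmjs.org/:_authToken=npm_" + "B" * 36 + "\n",  # not a GitHub token
    "env": "HOME=/home/dev\nGH_TOKEN=github_pat_" + "C" * 22 + "_" + "D" * 59 + "\nPATH=/usr/bin\n",
    "ci.log": "token ghs_" + "E" * 36 + " used for checkout\n",
}


def run_sample() -> List[Finding]:
    """Scan the constructed sample; used by main() and by tests."""
    return rotation_report(SAMPLE_SOURCES)


def main() -> None:
    for source, line_no, kind, masked in run_sample():
        print(f"{source}:{line_no}  {kind:<10}  {masked}  -> rotate")


if __name__ == "__main__":
    main()
```

In practice the `sources` dict would be filled from the real files (`~/.git-credentials`, `~/.npmrc`, `~/.config/gh/hosts.yml`, shell history, `os.environ`) and from CI logs; the report is only a rotation worklist, so it deliberately carries no token that could be replayed if the report itself leaks.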

What 3,800 Internal GitHub Repos Means

The contents of those repositories have not been publicly disclosed, and GitHub has said it will not characterize them in detail while the investigation is active. But the implications of an adversary holding roughly 3,800 internal repos from the world’s largest code host are significant.

Internal repositories typically contain proprietary tooling, internal platform code, security-sensitive infrastructure automation, and institutional knowledge accumulated over years of engineering. For a platform that hosts more than 100 million developers and processes an enormous share of global software supply chain activity, compromise of internal source code carries downstream risks that extend well beyond GitHub itself, particularly in the hands of a group with a demonstrated willingness and capability to inject malicious code into widely-used packages.

TeamPCP’s decision to sell rather than immediately weaponize the data suggests either that the group is financially motivated or that more technically sophisticated analysis of the stolen repos is ongoing before any second-stage exploitation attempt.

$50,000 on the Breached Forum

TeamPCP posted the claim on the Breached cybercrime forum, asserting access to “~4,000 repos of private code” and setting a minimum asking price of $50,000. The listing appeared before GitHub’s public confirmation, suggesting the group moved quickly to monetize before the company could neutralize the value of the stolen material through credential rotation and code audits.

GitHub’s rotation of credentials limits some of the immediate risk from access token exposure. Whether the source code itself contains exploitable hardcoded secrets, internal API surfaces, or architectural details useful for future attacks remains a question the company’s ongoing investigation will need to answer.

A Pattern the Industry Should Have Seen Coming

Palo Alto Networks’ Unit 42 published an analysis of TeamPCP’s supply chain methodology, titled “Weaponizing the Protectors”, that documented the group’s deliberate targeting of security infrastructure: scanners, linters, SDKs, and developer tools that exist specifically to protect software supply chains. By compromising the tools developers trust most, TeamPCP achieves maximum propagation with minimum suspicion.

The GitHub breach is that strategy reaching its logical conclusion. Developer tooling, in this case a VS Code extension, became the insertion point for accessing one of the most strategically valuable internal codebases in the technology industry.

GitHub has not attributed the specific VS Code extension publicly or indicated whether it was available in the official marketplace. The investigation is ongoing.

What Developers Should Do Now

  • Audit installed VS Code extensions: particularly any installed recently, from unfamiliar publishers, or with excessive permission requests (filesystem access, network access, shell execution)
  • Rotate GitHub tokens and personal access tokens: especially if you were running any npm, PyPI, or PHP packages flagged in the Mini Shai-Hulud campaign
  • Review CI/CD pipeline credentials: any token exposed in a compromised developer environment should be considered burned
  • Check your repositories for unauthorized commits or pushes: TeamPCP’s worm propagates by pushing to writable repos from infected endpoints
  • Treat security tooling with the same scrutiny as production code: Trivy, KICS, and similar tools run with elevated access; compromised versions are high-value attack surfaces
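The first item of the checklist, auditing installed VS Code extensions, can be started from the manifest VS Code keeps for installed extensions rather than by eyeballing the Extensions view. The script below is an added example, not GitHub’s code: it reads an `extensions.json` in the layout current VS Code builds write to `~/.vscode/extensions/extensions.json` and flags extensions that were installed recently, come from a publisher outside a trusted list, were sideloaded from a VSIX instead of the marketplace, or are pre-release builds. The `metadata` fields it relies on (`installedTimestamp` in milliseconds, `source`, `isPreReleaseVersion`) are assumptions drawn from observed manifests rather than a documented schema, and the sample manifest is constructed.

```python
"""Triage VS Code's installed-extension manifest for the signals the checklist
names. Added example (not GitHub's code). The extensions.json layout mirrors
~/.vscode/extensions/extensions.json as written by current VS Code builds; the
metadata fields used (installedTimestamp, source, isPreReleaseVersion) are
assumed from observed files, and the sample manifest below is constructed."""
import json
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List


def triage_extensions(manifest: str, now: datetime, recent_days: int = 14,
                      trusted_publishers: FrozenSet[str] = frozenset()) -> Dict[str, List[str]]:
    """Return {extension id: [reasons]} for every extension that deserves a closer look."""
    flagged: Dict[str, List[str]] = {}
    cutoff = now - timedelta(days=recent_days)
    for ext in json.loads(manifest):
        ext_id: str = ext["identifier"]["id"]          # "<publisher>.<name>"
        publisher = ext_id.split(".", 1)[0].lower()
        meta = ext.get("metadata", {})
        reasons: List[str] = []

        ts = meta.get("installedTimestamp")             # assumed: ms since the epoch
        if ts is not None and datetime.fromtimestamp(ts / 1000, tz=timezone.utc) >= cutoff:
            reasons.append(f"installed within the last {recent_days} days")
        if trusted_publishers and publisher not in trusted_publishers:
            reasons.append(f"publisher '{publisher}' not on the trusted list")
        if meta.get("source", "gallery") != "gallery":  # assumed: "vsix" for sideloads
            reasons.append("not installed from the marketplace (sideloaded)")
        if meta.get("isPreReleaseVersion"):
            reasons.append("pre-release build")

        if reasons:
            flagged[ext_id] = reasons
    return flagged


def _ms(year: int, month: int, day: int) -> int:
    """Milliseconds since the epoch for a UTC date (helper for the sample)."""
    return int(datetime(year, month, day, tzinfo=timezone.utc).timestamp() * 1000)


# Constructed sample manifest: one long-standing trusted extension, one recent
# sideloaded extension from an unknown publisher, one recent pre-release build.
SAMPLE_MANIFEST = json.dumps([
    {"identifier": {"id": "ms-python.python"}, "version": "2025.16.0",
     "metadata": {"publisherDisplayName": "Microsoft", "source": "gallery",
                  "isPreReleaseVersion": False, "installedTimestamp": _ms(2025, 11, 1)}},
    {"identifier": {"id": "acme-devtools.helper"}, "version": "0.0.3",
     "metadata": {"publisherDisplayName": "acme-devtools", "source": "vsix",
                  "isPreReleaseVersion": False, "installedTimestamp": _ms(2026, 5, 15)}},
    {"identifier": {"id": "GitHub.copilot"}, "version": "1.300.0",
     "metadata": {"publisherDisplayName": "GitHub", "source": "gallery",
                  "isPreReleaseVersion": True, "installedTimestamp": _ms(2026, 5, 18)}},
])
SAMPLE_NOW = datetime(2026, 5, 20, tzinfo=timezone.utc)
TRUSTED = frozenset({"ms-python", "github"})


def run_sample() -> Dict[str, List[str]]:
    """Triage the constructed manifest; used by main() and by tests."""
    return triage_extensions(SAMPLE_MANIFEST, SAMPLE_NOW, trusted_publishers=TRUSTED)


def main() -> None:
    for ext_id, reasons in run_sample().items():
        print(ext_id)
        for reason in reasons:
            print(f"  - {reason}")


if __name__ == "__main__":
    main()
```

To run it against a real machine, replace `SAMPLE_MANIFEST` with the contents of `~/.vscode/extensions/extensions.json` (or the equivalent path for VS Code Insiders and remote hosts) and `SAMPLE_NOW` with `datetime.now(timezone.utc)`. A flag is a prompt to look at the extension’s `package.json` and publisher, not a verdict: VS Code extensions do not declare filesystem or network permissions, so an extension’s actual capabilities have to be judged from its code and its publisher’s reputation.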
