GitHub said on Wednesday it is investigating unauthorized access to its internal repositories following the compromise of an employee’s device.
“While we currently have no evidence of impact to customer information stored outside of GitHub’s internal repositories, we are closely monitoring our infrastructure for follow-on activity,” the developer platform said in a statement.
In a subsequent post, GitHub said it detected and contained a compromise of an employee device involving a poisoned VS Code extension on Tuesday. “We removed the malicious extension version, isolated the endpoint, and began incident response immediately,” it added.
GitHub is the go-to platform for developers, many of whom host their open source projects and repositories on its servers.
TeamPCP claims responsibility
Meanwhile, a hacking group called TeamPCP has reportedly claimed responsibility for the compromise and has attempted to sell the GitHub data online, claiming to have “4,000 repos of private code” related to GitHub’s main platform and internal organizations.
TeamPCP is a sophisticated, automation-heavy hacking group that turns compromised developer tools into credential-harvesting machines for financial gain, SecurityWeek reported.
TeamPCP claims responsibility on underground hacker forums. Source: Hackmanac
“If you have API keys in your code, even private repos, now is the time to double-check and change them,” Binance founder Changpeng Zhao said.
GitHub's disclosure comes just a day after Grafana Labs, an open-source data observability company, said on Tuesday it was hit by a supply-chain attack in which malicious actors accessed its GitHub repositories and downloaded its codebase.
The attackers issued a ransom demand under threat of data disclosure, which the firm did not meet.
This incident also came shortly after the April 28 public disclosure of a critical remote code execution vulnerability, CVE-2026-3854, that allowed authenticated users to execute arbitrary commands on GitHub’s servers.
Wiz Research, which discovered the critical flaw, reported at the time that millions of public and private repositories belonging to other users and organizations were accessible on the affected nodes.