GitHub Investigates Internal Repository Breach After Employee Device Compromise

GitHub is investigating unauthorized access to its internal repositories after an employee device was reportedly compromised through a malicious Visual Studio Code extension. The company said the incident involved the exfiltration of around 3,800 internal repositories, raising fresh concerns about software supply-chain security.

By Laurisa

Junior Author · May 20, 2026

In an official statement released on May 20, GitHub said it currently has no evidence suggesting customer information stored outside its internal repositories was affected. However, the company added that it is actively monitoring its systems for any suspicious follow-up activity.

Poisoned VS Code Extension Triggered Security Breach

According to GitHub, the breach was detected on Tuesday after a poisoned Visual Studio Code extension compromised an employee’s device. The company said it quickly removed the malicious extension, isolated the affected endpoint and launched an incident response process to contain the threat.

TeamPCP Claims Responsibility for GitHub Data Theft

A hacking group known as TeamPCP has reportedly claimed responsibility for the incident and allegedly attempted to sell the stolen data online. The group claimed to possess nearly “4,000 repos of private code” connected to GitHub’s main platform and internal systems.

Cybersecurity researchers have described TeamPCP as a highly organized group that uses automation to turn compromised developer tools into systems for stealing credentials and sensitive data.

Changpeng Zhao Warns Developers to Check API Keys

Binance founder Changpeng Zhao urged developers to review their repositories and rotate sensitive credentials.

“If you have API keys in your code, even private repos, now is the time to double-check and change them,” Zhao said.

Recent Security Threats Add Pressure on GitHub

The incident comes shortly after Grafana Labs disclosed a supply-chain attack involving unauthorized access to its GitHub repositories. It also follows the public disclosure in April of the critical vulnerability CVE-2026-3854, which exposed millions of repositories to potential unauthorized access.

About the author

Laurisa

Emerging voice in crypto journalism with a background in fintech and digital economics. Covers DeFi, NFTs, and the evolving regulatory landscape.