TLDR
- GitHub confirmed unauthorized access to around 3,800 internal repositories after an employee’s device was compromised via a poisoned VS Code extension
- Hacking group TeamPCP has claimed responsibility and is trying to sell the stolen data for at least $50,000
- GitHub says customer repositories, enterprises, and organizations are not affected
- Binance founder Changpeng Zhao warned crypto developers to rotate API keys stored in code, even in private repos
- GitHub rotated critical credentials and is continuing to monitor infrastructure for follow-on activity
GitHub is investigating a security breach involving unauthorized access to its internal repositories. The incident was traced to a poisoned VS Code extension installed on an employee’s device.
1/ We are sharing additional details regarding our investigation into unauthorized access to GitHub's internal repositories.
Yesterday we detected and contained a compromise of an employee device involving a poisoned VS Code extension. We removed the malicious extension version,…
— GitHub (@github) May 20, 2026
The company detected and contained the compromise on Tuesday. It removed the malicious extension, isolated the affected endpoint, and launched an incident response immediately.
Around 3,800 internal repositories were accessed in the breach. GitHub confirmed this figure aligns with claims made by the hacking group that has taken responsibility.
A group called TeamPCP has claimed responsibility for the attack. The group is attempting to sell the stolen data online, claiming to have around 4,000 repositories of private code from GitHub’s main platform and internal organizations.
TeamPCP is described as a sophisticated, automation-heavy group that targets developer tools to harvest credentials for financial gain. They are reportedly asking a minimum of $50,000 for the stolen data.
Customer Data Not Affected
GitHub says its investigation shows no evidence that customer data stored outside its internal repositories was impacted. Customer repositories, enterprises, and organizations are all reported to be safe.
The company has rotated critical credentials, prioritizing the highest-impact ones first. It is continuing to analyze logs and monitor for any further activity.
GitHub plans to publish a full report once its investigation is complete.
Warning Issued to Crypto Developers
Binance founder Changpeng Zhao responded quickly to the news. He urged crypto developers to rotate any API keys stored in code, including in private repositories.
“If you have API keys in your code, even private repos, now is the time to double check and change them,” Zhao said.
Crypto developers rely heavily on GitHub to build and maintain tools. Exchange API keys, wallet credentials, and infrastructure tokens are commonly stored in repositories for use in bots, trading scripts, and blockchain tools.
Security experts are recommending developers scan for hardcoded secrets using tools like GitHub Secret Scanning, gitleaks, or Trivy. They also advise moving away from committing keys directly into code repositories altogether.
This breach follows a separate incident at Grafana Labs, which reported a supply chain attack on Tuesday. Attackers accessed its GitHub repositories and issued a ransom demand, which the firm did not pay.
The GitHub breach also comes shortly after the April 28 disclosure of a critical vulnerability, CVE-2026-3854. That flaw allowed authenticated users to execute arbitrary commands on GitHub servers and exposed millions of public and private repositories.
GitHub says it will continue to monitor its infrastructure and provide updates as the investigation progresses.







