GitHub Breach 2026: How TeamPCP Stole 3,800 Internal Repositories
On May 20, 2026, GitHub — the platform that hosts the world's software — confirmed one of the most consequential breaches in developer infrastructure history. GitHub confirmed a serious security breach that resulted from an employee device being compromised through a malicious VS Code extension, allowing attackers to gain unauthorized access to approximately 3,800 internal repositories.
The attack was deceptively simple, the blast radius was enormous, and the implications are still unfolding. The GitHub breach did not land in isolation — it arrived the same day a new Mini Shai-Hulud wave forged valid cryptographic provenance on 639 malicious npm package versions, one day after attackers compromised a VS Code extension with 2.2 million installs, and the same day Wiz discovered TeamPCP had compromised Microsoft's durabletask Python SDK on PyPI. Five supply chain surfaces failed in 48 hours. This blog breaks down exactly how it happened, what was stolen, and what every developer and security team must do immediately.
How the Attack Worked: One Employee, One Extension
The Poisoned VS Code Extension Entry Point
GitHub's investigation revealed that the attackers accessed the internal repos after a GitHub employee installed a poisoned Visual Studio Code extension. GitHub removed the malicious extension version, isolated the endpoint, and began an aggressive overnight secret rotation.
The extension identified as the attack vector was Nx Console — a tool with over 2.2 million installs. This malicious update harvested login credentials for developer ecosystems, including GitHub, AWS, and Claude Code, before being purged by Microsoft.
This is the defining lesson of this breach: the attack surface was not GitHub's servers — it was a developer's editor. A VS Code extension has access to file systems, environment variables, API tokens, terminal sessions, and clipboard data. Compromise the editor, and you compromise everything the developer touches.
The Self-Propagating Mini Shai-Hulud Worm
Google Threat Intelligence Group formally tracks TeamPCP as UNC6780, a financially motivated threat actor specializing in supply chain attacks targeting open-source security utilities and AI middleware. Trend Micro tracked at least seven confirmed waves spanning Trivy, Checkmarx KICS, LiteLLM, elementary-data, Bitwarden CLI, TanStack, and Mistral AI.
Because the worm propagates using tokens stolen from infected environments, the number of affected packages is expected to grow. Any machine or pipeline that installed an affected version of the package should be treated as fully compromised.
Table: TeamPCP Supply Chain Attack Timeline — 2026
| Date | Target | Method | Impact |
|---|---|---|---|
| March 2026 | Trivy (vulnerability scanner) | Malicious update | European Commission breach |
| May 11 | TanStack router ecosystem | Worm propagation | OpenAI credential theft |
| May 12 | Mistral AI | Token harvesting | AI infrastructure compromise |
| May 19–20 | Nx Console (2.2M installs) | Poisoned extension | GitHub employee compromise |
| May 20 | GitHub internal repos | Employee device access | 3,800 repos exfiltrated |
| May 20 | Microsoft durabletask Python SDK | PyPI compromise | Developer pipeline exposure |
What Was Stolen and Who Is Selling It
The Contents of the Stolen Repositories
According to security researcher Rakesh Krishnan, the leaked repositories are related to GitHub Actions, agentic workflows, Copilot internal projects, CodeQL tools, internal infrastructure, and security tooling.
Source code access at that level is not a data breach — it is an infrastructure intelligence leak. Dark Web Informer reported that TeamPCP's listing appeared on a hacking forum hours before GitHub's initial disclosure, advertising around 4,000 private repositories.
LAPSUS$ and the $95,000 Sale Listing
The LAPSUS$ cybercrime group teamed up with TeamPCP for a joint sale of GitHub repositories for $95,000. "Everything for the main platform is there," read the accompanying statement. "No ransom, we do not care about extorting GitHub. If no buyer is found, we leak for free."
Important: GitHub confirmed no customer data from external enterprises, organizations, or repositories was affected. However, the internal repositories contain infrastructure source code that could be analyzed for future vulnerabilities in GitHub Actions, Copilot, and CodeQL — making this a long-term intelligence risk, not just a one-time data theft.
Table: Breach Response — What GitHub Did and What Still Remains
| Action | Status | Remaining Risk |
|---|---|---|
| Isolated compromised endpoint | Completed | Zero |
| Removed malicious extension | Completed | Zero |
| Rotated high-priority credentials | Completed overnight | Token reuse in pipelines |
| Investigation of repo contents | Ongoing | Unknown scope |
| Customer data impact assessment | No evidence of impact | Ongoing confirmation |
| Attribution to TeamPCP | Unconfirmed by GitHub | Criminal forum claims |
Immediate Actions for Developers and Security Teams
Developer-Level Response
Every developer whose environment may have run Nx Console between May 12–20 should:
- Rotate all tokens immediately — GitHub PATs, AWS keys, Claude Code API keys, and any other credentials accessible from the development environment
- Review VS Code extension inventory — audit all installed extensions and remove any not from verified publishers
- Scan terminal history — check for unusual outbound connections or unexpected process executions during the exposure window
- Revoke and reissue SSH keys — any SSH key stored on the affected machine should be treated as compromised
- Review CI/CD pipeline secrets — any secret accessible from a development pipeline connected to the compromised machine
Enterprise Security Response
Hackers increasingly target open-source projects and coding extensions to breach developers' computers, allowing them to access multiple systems simultaneously.
Organizations must implement VS Code extension allowlisting — permitting only organization-approved extensions with verified publisher signatures. This single control would have blocked the attack vector used in this breach entirely.
Key Takeaways
- VS Code extensions are a Tier-1 attack surface — treat them with the same security scrutiny as third-party software installations
- Rotate all developer credentials immediately if Nx Console was installed between May 12–20, 2026
- Implement extension allowlisting — only organization-approved VS Code extensions should run in corporate development environments
- Treat any pipeline connected to a compromised dev machine as fully compromised — the Mini Shai-Hulud worm propagates using stolen tokens automatically
- Monitor dark web listings for your organization's source code — TeamPCP listed GitHub's repos before GitHub's own disclosure
- SBOM your developer toolchain — developer tools are now supply chain targets requiring the same dependency integrity controls as production software
Conclusion
The GitHub breach of May 2026 is the clearest possible demonstration that developer tooling has become the highest-leverage attack surface in modern cybersecurity. TeamPCP did not need to defeat GitHub's server-side defenses — they needed one developer to install one extension. The stolen repositories represent years of internal infrastructure intelligence. Every organization running developer teams must implement extension allowlisting, credential rotation policies for development environments, and treat developer machine compromise as equivalent to production infrastructure breach. The next wave of supply chain attacks is already in progress.
Frequently Asked Questions
Q: Was customer data on GitHub affected by the breach? A: GitHub confirmed that its current assessment shows no evidence of impact to customer information stored outside of GitHub's internal repositories — including customer enterprises, organizations, and repositories. The breach affected GitHub's own internal code repositories only, though the investigation remains ongoing.
Q: What VS Code extension caused the breach? A: The Nx Console extension — with over 2.2 million installs — was identified by the security community as the compromised extension, though GitHub has not officially confirmed the specific extension name. A malicious version harvested credentials for GitHub, AWS, Claude Code, and other developer ecosystems before Microsoft removed it from the VS Code Marketplace.
Q: Who is TeamPCP and what is their track record? A: TeamPCP (also tracked as UNC6780 by Google Threat Intelligence Group) is a financially motivated threat actor specializing in supply chain attacks against open-source security tools and developer infrastructure. In 2026, they have confirmed compromises at Trivy, Checkmarx, TanStack, Mistral AI, and GitHub, with claimed involvement in the European Commission breach that exfiltrated over 90 gigabytes of sensitive data.
Q: What should developers do immediately if they had Nx Console installed? A: Rotate all credentials accessible from the development environment immediately — GitHub personal access tokens, AWS keys, API keys, SSH keys, and any CI/CD pipeline secrets. Review the VS Code extension inventory, scan for unusual network activity in the exposure window (May 12–20), and treat any connected pipelines as potentially compromised until credential rotation is confirmed complete.
Q: What compliance obligations does this breach trigger? A: Under GDPR Article 33, breaches involving personal data require notification within 72 hours. Under SEC cybersecurity disclosure rules, public companies must assess and disclose material cybersecurity incidents within four business days. The EU Cyber Resilience Act imposes supply chain compromise notification obligations. Organizations whose production pipelines connected to a compromised developer machine may face additional notification requirements depending on the data classification of accessible secrets.
Enjoyed this article?
Subscribe for more cybersecurity insights.