
Microsoft-owned code-sharing giant GitHub confirmed on Wednesday, May 20, 2026, that an unauthorized actor successfully breached its internal systems.
The intrusion, traced back to a compromised employee workstation, resulted in the mass exfiltration of approximately 3,800 to 4,000 GitHub-internal repositories containing private code, infrastructure configurations, and platform blueprints.
The Initial Vector: A Poisoned Marketplace Extension
The cybersecurity incident originated through a sophisticated supply chain attack targeting developer tooling.
An unnamed GitHub employee installed a trojanized extension via the popular Microsoft Visual Studio Code (VS Code) Marketplace.
Security practitioners note that IDE extensions run with the full privileges of the developer who launched the editor: a VS Code extension executes in the extension host as ordinary Node.js code, so it can read any file that user can read, including locally cached credentials, and open outbound network connections without any further prompt.
Once activated, the malicious extension harvested access tokens from the workstation, sidestepping conventional endpoint controls, and allowed the threat actor to pivot directly into GitHub's internal development environment and download compressed source-code archives.
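One control this incident argues for is a periodic inventory of what is actually installed on developer workstations. The script below is an added example written for this article, not code from the article, from GitHub or from any vendor: it walks a VS Code extensions directory, reads each extension's package.json manifest, and flags anything that is not on an organisation's allowlist or that requests activation on every editor launch (the "*" and onStartupFinished activation events). The allowlist contents and the sample extension tree are constructed for the demo; the three extension IDs in the sample are hypothetical entries, and the directory layout (publisher.name-version folders containing package.json) matches how VS Code lays out ~/.vscode/extensions.

```python
import json
import tempfile
from pathlib import Path

# Hypothetical organisation allowlist of approved extension IDs (publisher.name).
APPROVED_EXTENSIONS = {"ms-python.python", "redhat.vscode-yaml"}


def audit_extensions(ext_root: Path, allowlist: set) -> list:
    """Walk a VS Code extensions directory and flag unapproved or always-on extensions.

    Each installed extension lives in <ext_root>/<publisher>.<name>-<version>/
    and carries a package.json manifest; publisher plus name forms its ID.
    Returns a list of findings, one dict per flagged extension.
    """
    findings = []
    for manifest in sorted(ext_root.glob("*/package.json")):
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            # A manifest we cannot parse is itself worth a look.
            findings.append({"id": manifest.parent.name, "version": None,
                             "reasons": ["unreadable manifest"]})
            continue
        ext_id = f"{meta.get('publisher', '')}.{meta.get('name', '')}".lower()
        reasons = []
        if ext_id not in allowlist:
            reasons.append("not on allowlist")
        events = meta.get("activationEvents", [])
        # "*" and onStartupFinished make the extension host load the code on every launch,
        # which is what a credential-harvesting extension wants.
        if "*" in events or "onStartupFinished" in events:
            reasons.append("activates on every launch")
        if reasons:
            findings.append({"id": ext_id, "version": meta.get("version"),
                             "reasons": reasons})
    return findings


def build_sample_tree(base: Path) -> Path:
    """Create a constructed extensions directory with three fake manifests."""
    samples = {
        # Hypothetical unapproved extension that wants to run on every launch.
        "evil-publisher.helper-tool-1.0.0": {
            "publisher": "evil-publisher", "name": "helper-tool", "version": "1.0.0",
            "activationEvents": ["*"], "main": "./out/extension.js"},
        # Approved, only activates when a Python file is opened.
        "ms-python.python-2024.2.1": {
            "publisher": "ms-python", "name": "python", "version": "2024.2.1",
            "activationEvents": ["onLanguage:python"], "main": "./out/client/extension"},
        # Approved, but always-on; still worth reporting for review.
        "redhat.vscode-yaml-1.14.0": {
            "publisher": "redhat", "name": "vscode-yaml", "version": "1.14.0",
            "activationEvents": ["onStartupFinished"], "main": "./dist/extension"},
    }
    for folder, manifest in samples.items():
        ext_dir = base / folder
        ext_dir.mkdir(parents=True)
        (ext_dir / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    return base


def demo() -> list:
    """Run the audit against the constructed tree and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(Path(tmp) / "extensions")
        return audit_extensions(root, APPROVED_EXTENSIONS)


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding['id']} {finding['version']}: {', '.join(finding['reasons'])}")
    # To audit a real workstation instead:
    # audit_extensions(Path.home() / ".vscode" / "extensions", APPROVED_EXTENSIONS)
```

Run against a real machine by pointing audit_extensions at ~/.vscode/extensions (and ~/.vscode-server/extensions for remote-SSH hosts, which install their own copies). The allowlist check is the part that matters: a marketplace listing being popular or recently updated says nothing about whether a given version should be on an engineer's machine, and the inventory is what lets you answer "who has version X installed" quickly once a bad version is identified.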
TeamPCP Demands $95,000 “Retirement Payday”
The prominent cybercrime syndicate TeamPCP claimed responsibility for the cyberattack on a popular underground hacking forum.
The group initially listed the stolen GitHub platform source code for a starting price of $50,000, later updating the post to claim they had received an active bidding offer of $95,000.
Rejecting traditional corporate extortion, TeamPCP explicitly stated that this was not a ransomware attack.
Instead, the hackers positioned the data sale as a final “retirement payday,” threatening to leak the entire 3,800-repository dataset for free to the public if a single private buyer is not secured quickly.
GitHub Containment, Remediation, and Customer Impact
GitHub addressed the breach publicly in a series of statements, acknowledging that the attacker's claims about the volume of stolen data were "directionally consistent" with its internal findings.
The company's incident response teams isolated the compromised workstation, and the malicious version of the extension was removed from the marketplace.
GitHub has begun a credential-rotation campaign, prioritising its highest-impact administrative credentials and cryptographic keys, since any secret that was readable from the compromised workstation or present in the exfiltrated repositories has to be treated as exposed.
Crucially, the company emphasized that it has found no evidence of any impact on customer data or private user groups.
External enterprise repositories stored outside of GitHub’s internal networks also remain unaffected.
About the Author
Sahiba Sharma
Contributing Writer
