
GitHub Hacked – Internal Source Code Repositories Compromised via Employee Device

Source: Cybersecurity News. Archived May 20, 2026.

By Guru Baran, May 20, 2026

GitHub has confirmed unauthorized access to its internal repositories after detecting a compromised employee device infected through a malicious Visual Studio Code extension, the company disclosed in a series of official statements on May 20, 2026. The Microsoft-owned code hosting platform said it identified and contained the breach after a poisoned VS Code extension was used to compromise an employee’s endpoint.

"1/ We are sharing additional details regarding our investigation into unauthorized access to GitHub's internal repositories. Yesterday we detected and contained a compromise of an employee device involving a poisoned VS Code extension. We removed the malicious extension version,…" — GitHub (@github) May 20, 2026

GitHub immediately removed the malicious extension version, isolated the affected device, and activated its incident response procedures. GitHub’s investigation indicates the attacker successfully exfiltrated data from GitHub-internal repositories only, with no confirmed impact on public or customer-hosted repositories at this stage. The company stated that a threat actor’s claims of accessing approximately 3,800 repositories are “directionally consistent” with their findings so far.

"2/ Our current assessment is that the activity involved exfiltration of GitHub-internal repositories only. The attacker’s current claims of ~3,800 repositories are directionally consistent with our investigation so far." — GitHub (@github) May 20, 2026

A notorious threat actor operating under the alias TeamPCP has claimed responsibility for the breach, alleging the exfiltration of proprietary organization data and source code. The group is reportedly offering the stolen dataset for sale on underground cybercrime forums, demanding offers exceeding $50,000. Their own claims cite roughly 4,000 private repositories tied directly to GitHub’s main platform.

GitHub moved quickly to reduce further exposure following initial detection. Key containment actions included:

- Rotating critical secrets and credentials overnight, prioritizing highest-impact credentials first
- Isolating the compromised employee endpoint
- Removing the malicious VS Code extension version from circulation
- Initiating continuous log analysis to detect any follow-on attacker activity

The use of a malicious VS Code extension as an initial access vector highlights a growing threat in developer-targeted supply chain attacks. Threat actors increasingly target developer tooling, IDE extensions, CI/CD plugins, and package managers to gain footholds inside high-value technology organizations. A trusted extension turning malicious can bypass traditional security controls and exfiltrate sensitive credentials or tokens silently in the background.

GitHub confirmed it continues to analyze logs, validate secret rotation completeness, and monitor for secondary activity.

"4/ We continue to analyze logs, validate secret rotation, and monitor for any follow-on activity. We will take additional action as the investigation warrants." — GitHub (@github) May 20, 2026

The company stated it will take additional remediation actions as warranted by the investigation and has committed to publishing a fuller incident report once the review is complete. GitHub has not confirmed any customer data exposure at this time.

About the author: Guru Baran (https://cybersecuritynews.com). Gurubaran KS is a cybersecurity analyst and journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments.