GitHub Hacked, Internal Repositories Offered for Sale
Data Breach Today • Archived May 20, 2026
A Single Developer Downloaded a Poisoned VS Code Extension, and Now Look
David Perera (@daveperera) • May 20, 2026
Image: Robert Way/Shutterstock
GitHub warned late Tuesday that hackers stole roughly 3,800 internal repositories from the Microsoft-owned platform after a developer used a poisoned script for VS Code, which is developed by Microsoft.
In a Wednesday update, the code repository said it doesn't believe that customer data has been affected.
"Our current assessment is that the activity involved exfiltration of GitHub-internal repositories only," it tweeted. A claim on the BreachForums hacking site by the TeamPCP threat actor that it stole about 4,000 repositories is "directionally consistent with our investigation so far," GitHub said.
TeamPCP specializes in supply-chain attacks against open-source software. European cyber defenders traced a March incident resulting in 92 gigabytes of data stolen from the European Commission to cloud credentials filched by TeamPCP in a March hack against the Trivy open-source vulnerability scanner. The group has claimed responsibility for a spate of supply-chain attacks targeting JavaScript and Python software repositories through wormable malware known as Shai-Hulud, suggesting the hackers are fans of the "Dune" series of books and movies.
The hack was spotted by darkweb researcher Matthew Maynard, who posted late Tuesday that the incident amounts to "one of the more significant alleged platform exposures we’ve seen in a while." The hackers said on BreachForums they would sell the data for a minimum of $50,000. Maynard told ISMG Wednesday that TeamPCP appears to have removed the listing from BreachForums and is now selling the data in cooperation with the Lapsus$ cybercrime gang. The data is listed for sale on the Lapsus$ data leak site for $95,000.
GitHub said it removed the poisoned VS Code extension but didn't identify it. One candidate is the Nx Console: a compromised version went live for 18 minutes before being taken down, an Nx coder warned Monday.
"Given the timing, many in the security research community believe the Nx Console compromise described in this post is a likely candidate, although this has not been confirmed by GitHub," cybersecurity firm StepSecurity said in an update to a Monday analysis of the compromised extension.
The attack illustrated "a key trend we’ve been observing recently," said Boris Cipot, principal security engineer at Black Duck. Developer workstations, with their access to repositories containing secrets, credentials and code, are primary hacking targets. "Attackers no longer need sophisticated zero-days. They exploit trust in everyday tools," Cipot said.
Some cybersecurity defenders have suggested teams delay automatically merging new code into the continuous integration pipeline, to give defenders time to observe and remove poisoned software packages. The advice can come with tradeoffs, since not every developer clearly separates function updates from security updates (see: Mass Supply-Chain Attack Slams npm and PyPi, Hits Mistral AI).