
GitHub investigates claimed breach by TeamPCP


GitHub is investigating a major cybersecurity incident after the threat group TeamPCP claimed it had breached the company’s internal systems and stolen source code from thousands of repositories.


What happened

According to The Hacker News, attackers gained unauthorized access to internal repositories after compromising an employee's device through a malicious Visual Studio Code extension. Once the incident was detected and contained, the company launched an investigation that showed only GitHub-internal repositories were affected by the breach.

TeamPCP allegedly claimed responsibility for stealing data from around 3,800 repositories and attempted to sell the information on a cybercrime forum for approximately $50,000. These claims are consistent with the company’s ongoing investigation.

GitHub emphasized that there is currently no evidence that customer repositories or user data were affected.


Going deeper

The breach appears to be part of a broader wave of software supply chain attacks targeting developer ecosystems. According to The Record, TeamPCP has been linked to previous compromises involving developer tools such as Trivy and LiteLLM, with downstream victims reportedly including the European Commission.

The GitHub attack relied on a poisoned VS Code extension. Once the employee device was compromised, attackers were allegedly able to move into GitHub’s internal environment and exfiltrate repositories. GitHub said it rotated critical secrets and credentials as part of its incident response process and isolated the affected endpoint immediately after detecting the compromise.


What was said

According to The Hacker News, GitHub said in a public statement that its “current assessment is that the activity involved exfiltration of GitHub-internal repositories only.” The company also noted that the attackers’ claims involving roughly 3,800 repositories align with findings uncovered during the investigation.

An X account linked to TeamPCP, xploitrsturtle2, stated, "GitHub knew for hours, they delayed telling you and they won't be honest in the future. What an amazing run, it's been an honor to play around with the cats over the past few months."


The bigger picture

The GitHub breach is another reminder that modern cyberattacks increasingly target the software supply chain rather than end users directly. According to Verizon’s 2025 DBIR, third-party involvement in breaches doubled from 15% to 30% in a single year, while 63% of organizations reported experiencing a supply chain attack within the past two years. The scale is concerning because one compromised developer tool, plugin, or employee device can create downstream risk for thousands of organizations at once.

For healthcare companies and other regulated industries, incidents like this show why secure infrastructure matters beyond email encryption or compliance checkboxes alone. Platforms such as Paubox operate in environments where trust, data security, and third-party risk management are critical.

See also: HIPAA Compliant Email: The Definitive Guide (2026 Update)


FAQs

What is a software supply chain attack?

A software supply chain attack occurs when cybercriminals compromise trusted software, tools, updates, or third-party services to gain access to downstream users or organizations.


What is a malicious VS Code extension?

A malicious VS Code extension is a compromised or intentionally harmful plugin designed to steal credentials, execute malware, or provide attackers with unauthorized access to systems.


What can organizations do to reduce supply chain risk?

Organizations can reduce risk by vetting third-party software, limiting employee permissions, monitoring developer environments, enforcing multi-factor authentication, and maintaining strong endpoint security.
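One concrete way to "monitor developer environments" for the kind of extension abuse described above is to audit the extensions actually installed on developer machines against a vetted allowlist. The script below is an added example written for this article; it is not code from GitHub, Paubox, or any of the sources cited. It assumes the standard VS Code layout, where each installed extension lives in its own directory under `~/.vscode/extensions/` with a `package.json` naming the publisher and extension, and it uses a hypothetical allowlist plus a constructed sample tree so it runs offline.

```python
"""Audit locally installed VS Code extensions against an allowlist.

VS Code stores one directory per installed extension under
~/.vscode/extensions/<publisher>.<name>-<version>/ with a package.json
carrying "publisher", "name", "version" and "activationEvents". This
script walks that tree and reports anything not on an approved list,
flagging extensions that activate on every editor launch, since those
run code before the developer has opened a single file.
"""
from __future__ import annotations

import json
import tempfile
from pathlib import Path

# Hypothetical allowlist of "publisher.name" identifiers an organisation
# has reviewed. VS Code compares these identifiers case-insensitively.
APPROVED_EXTENSIONS = {
    "ms-python.python",
    "dbaeumer.vscode-eslint",
}

# Activation events that mean "run at startup, regardless of what is open".
STARTUP_ACTIVATION = {"*", "onStartupFinished"}


def audit_extensions(ext_root: Path, allowlist: set[str]) -> list[dict]:
    """Return one finding per installed extension that is not on the allowlist."""
    findings: list[dict] = []
    for ext_dir in sorted(p for p in ext_root.iterdir() if p.is_dir()):
        manifest = ext_dir / "package.json"
        if not manifest.is_file():
            continue  # not an extension directory (VS Code also keeps a few files here)
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
        except json.JSONDecodeError:
            # A manifest that will not parse is itself worth a look.
            findings.append({"dir": ext_dir.name, "id": None, "version": None,
                             "reason": "unparseable package.json"})
            continue

        ext_id = f"{meta.get('publisher', '?')}.{meta.get('name', '?')}".lower()
        if ext_id in {a.lower() for a in allowlist}:
            continue

        reason = "not on allowlist"
        if set(meta.get("activationEvents", [])) & STARTUP_ACTIVATION:
            reason += "; activates on every startup"
        findings.append({"dir": ext_dir.name, "id": ext_id,
                         "version": meta.get("version"), "reason": reason})
    return findings


def build_sample_tree(root: Path) -> Path:
    """Create a constructed extensions directory with three sample manifests.

    The publishers, names and versions below are made up for this example.
    """
    samples = {
        "ms-python.python-2024.4.1": {
            "publisher": "ms-python", "name": "python", "version": "2024.4.1",
            "activationEvents": ["onLanguage:python"]},
        "dbaeumer.vscode-eslint-3.0.10": {
            "publisher": "dbaeumer", "name": "vscode-eslint", "version": "3.0.10",
            "activationEvents": ["onStartupFinished"]},
        "example-pub.helper-tool-0.0.3": {
            "publisher": "example-pub", "name": "helper-tool", "version": "0.0.3",
            "activationEvents": ["*"]},
    }
    for dirname, meta in samples.items():
        ext_dir = root / dirname
        ext_dir.mkdir(parents=True, exist_ok=True)
        (ext_dir / "package.json").write_text(json.dumps(meta), encoding="utf-8")
    # Mimic the bookkeeping file VS Code writes beside the extension directories.
    (root / "extensions.json").write_text("[]", encoding="utf-8")
    return root


def run_demo() -> list[dict]:
    """Build the constructed tree in a temp directory and audit it."""
    root = build_sample_tree(Path(tempfile.mkdtemp()))
    return audit_extensions(root, APPROVED_EXTENSIONS)


if __name__ == "__main__":
    # For a real machine, replace run_demo() with
    # audit_extensions(Path.home() / ".vscode" / "extensions", APPROVED_EXTENSIONS).
    for finding in run_demo():
        print(f"{finding['dir']}: {finding['reason']}")
```

Run against a real profile, the output is a short list of extensions nobody approved, which is the point at which a security team can ask where they came from. The allowlist is deliberately a plain set of identifiers so it can be kept in version control and reviewed like any other configuration.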
