
Attackers claiming to be TeamPCP allege they breached GitHub through a malicious Visual Studio Code extension, exposing nearly 4,000 private repositories and raising fears of wider open-source supply chain attacks.
A major open-source and software supply chain security scare has emerged after attackers claiming to be TeamPCP alleged they breached GitHub's internal systems through a malicious Visual Studio Code extension and stole nearly 4,000 private repositories.
The group reportedly claims the stolen data, allegedly tied to GitHub’s internal operations, is now being offered for sale online for more than $50,000. Security researchers warn the incident could have wider implications for open-source developer tooling, CI/CD environments, repository trust chains, and software supply chain security.
GitHub confirmed attackers gained access after an employee device was compromised through a malicious extension. The company said it removed the extension, isolated the affected device, and launched an emergency investigation. GitHub also acknowledged that claims of access to roughly 3,800 repositories align with current investigative findings.
According to the attackers, the exposed information includes internal GitHub source code, private repositories, backend system information, and organisational files. Researchers warn that exposure of internal code could give attackers architectural insight and help them map potential security weaknesses for future attacks.
The group, reportedly tracked by researchers associated with Google Threat Intelligence Group as UNC6780, has allegedly targeted developer tooling and open-source ecosystems before.
GitHub says it has rotated sensitive credentials, begun monitoring for follow-up attacks, and initiated a full incident response process. Developers are being advised to rotate API keys and review repository access permissions.













































































