GitHub Investigates Internal Repos Breach

On May 20, 2025, GitHub confirmed that an employee had inadvertently caused a breach of roughly 3,800 internal repositories after installing a malicious Visual Studio Code extension. The hacker group TeamPCP claimed responsibility, posting on the Breached forum that they had accessed approximately 4,000 private repositories and were offering the data for at least $50,000 — with the caveat that if no buyer steps forward, the code will be leaked for free.

The Anatomy of the Breach: How a VS Code Extension Opened the Door

GitHub’s cloud platform serves more than 4 million organizations, including 90% of the Fortune 100, and hosts over 420 million code repositories. The company’s internal network naturally contains sensitive source code, proprietary scripts, and configuration files that are never meant to be public. According to GitHub’s official statement, the breach originated when an employee installed a VS Code extension that turned out to be malicious. That extension gave TeamPCP a foothold inside GitHub’s internal environment, from which they exfiltrated code across thousands of repositories.

GitHub has stated that it has not found evidence that customer data stored outside its internal repositories (such as client enterprises, organizations, or private repos) was accessed. However, the company is closely monitoring its infrastructure for follow-on activity. All affected customers will be notified through standard incident response channels if any impact is discovered. The incident underscores the fact that even a single unvetted developer tool can compromise an organization’s entire internal codebase.

The Scale of the Data at Risk

TeamPCP claimed to have accessed approximately 4,000 repositories of private code. GitHub’s own investigation narrowed that figure to 3,800. While the company has not disclosed the exact contents of those repositories, the hacker group stated that the data includes “GitHub’s source code and internal orgs.” This type of exposure could reveal authentication tokens, internal API keys, build scripts, and architectural blueprints — information that could be leveraged in further supply chain attacks.

Why a Malicious Extension Slipped Through: The Security Gap

The GitHub internal repos breach was not the result of a sophisticated zero-day exploit. It started with something as mundane as a developer installing a tool from the VS Code marketplace. Extensions in modern IDEs often request broad permissions: file system access, network access, the ability to read and write code. A malicious extension can blend in perfectly with legitimate ones, especially when the developer is in a hurry or trusts the marketplace’s basic vetting.

GitHub’s security controls — known to be robust for customer-facing infrastructure — were apparently insufficient to detect the malicious activity inside its own internal repos. This highlights a critical blind spot: internal networks are often protected by perimeter defenses, but once an insider (or a tool acting on an insider’s behalf) gains access, lateral movement can go unnoticed until it’s too late. The incident also demonstrates that platform companies themselves are not immune to the same supply chain risks they warn their users about.

TeamPCP’s Track Record: A History of Supply Chain Attacks

TeamPCP is not a new player in the cybercrime ecosystem. The group has been linked to previous supply chain attacks targeting PyPI, NPM, Docker, and GitHub itself. In March 2025, they compromised Aqua Security’s Trivy vulnerability scanner, leading to cascading infections that affected Docker images and the Checkmarx KICS project. That breach also spilled into the LiteLLM open-source Python library, ultimately infecting tens of thousands of devices with their “TeamPCP Cloud Stealer” malware.

More recently, the gang was tied to the “Mini Shai-Hulud” supply-chain campaign, which impacted devices belonging to two OpenAI employees. They also threatened to leak Mistral AI source code stolen using compromised CI/CD credentials. This pattern shows a clear methodology: target developer tools and platforms, extract sensitive code, and then monetize by selling or leaking it. The GitHub internal repos breach fits perfectly into this playbook.

What TeamPCP’s Monetization Strategy Means for the Industry

Unlike ransomware groups that demand payment to restore access, TeamPCP explicitly stated they are not interested in extorting GitHub. Their forum post read: “As always this is not a ransom. We do not care about extorting Github … if no buyer is found we will leak it free.” This approach shifts the financial incentive from holding data hostage to selling exclusive access — or simply causing reputational and operational damage by publishing the data.

This strategy puts pressure on potential buyers to act quickly, but it also raises the stakes for organizations that rely on GitHub: if no one pays the $50,000 minimum, the code will be made public, potentially exposing proprietary algorithms, internal security configurations, and integration secrets. For GitHub’s customers, even if their own repos were not directly breached, the leakage of GitHub’s internal code could reveal vulnerabilities in the platform itself that could be exploited later.

Practical Steps for Developers and Security Leads After the Breach

If you are a developer, a security lead, or a CISO, the GitHub internal repos breach should serve as a wake-up call. Below are concrete actions you can take immediately.

How to Check if Your Organization’s Repositories Were Exposed

GitHub has stated that they will directly notify any affected customers. However, you can take proactive steps: review your organization’s audit logs for unusual access patterns from internal GitHub accounts between May 15 and May 20. Look for large data exports or unexpected API calls. If you have any repositories that contain sensitive code that is rarely accessed, check for anomalous clones or pulls.
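The audit-log review described above can be scripted. The following is an added example, not code from GitHub or from the original article: it flags any actor who cloned or fetched an unusually large number of distinct repositories inside the May 15 to May 20 window. The sample records are constructed, and the field names (`@timestamp` in epoch milliseconds, `action`, `actor`, `repo`) and the threshold of 10 are assumptions about a JSON Lines audit-log export.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

def _ms(day, hour):
    """Epoch milliseconds for a constructed May 2025 timestamp (UTC)."""
    return int(datetime(2025, 5, day, hour, tzinfo=timezone.utc).timestamp() * 1000)

# Constructed sample records, not real data. Field names are an assumption
# about the shape of an exported audit log in JSON Lines form.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in (
    [{"@timestamp": _ms(16, 9), "action": "git.clone", "actor": "alice", "repo": "acme/web"},
     {"@timestamp": _ms(16, 10), "action": "git.push", "actor": "alice", "repo": "acme/web"},
     {"@timestamp": _ms(14, 3), "action": "git.clone", "actor": "svc-build", "repo": "acme/old"}]
    + [{"@timestamp": _ms(18, 2), "action": "git.clone", "actor": "svc-build",
        "repo": f"acme/internal-{i}"} for i in range(12)]
))

# Review window from the article: May 15 through May 20 (end is exclusive).
WINDOW = (datetime(2025, 5, 15, tzinfo=timezone.utc),
          datetime(2025, 5, 21, tzinfo=timezone.utc))

def bulk_cloners(jsonl, start, end, threshold=10, actions=("git.clone", "git.fetch")):
    """Return {actor: sorted distinct repos} for actors who cloned or fetched
    at least `threshold` distinct repositories in [start, end)."""
    repos = defaultdict(set)
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
            ts = datetime.fromtimestamp(ev["@timestamp"] / 1000, tz=timezone.utc)
        except (ValueError, KeyError, TypeError):
            continue  # skip malformed or truncated records instead of aborting
        if ev.get("action") in actions and start <= ts < end and ev.get("repo"):
            repos[ev.get("actor", "<unknown>")].add(ev["repo"])
    return {a: sorted(r) for a, r in repos.items() if len(r) >= threshold}

if __name__ == "__main__":
    for actor, cloned in bulk_cloners(SAMPLE_LOG, *WINDOW).items():
        print(f"{actor}: {len(cloned)} distinct repos cloned or fetched in window")
```

Counting distinct repositories per actor, rather than raw events, keeps a CI job that repeatedly clones one repository from drowning out an account that touches many repositories once each.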

You should also verify that your organization does not store credentials, API keys, or secrets in repository files — even in internal repos. Use secret scanning tools like GitHub’s own secret scanning or third‑party solutions. If you find any exposed credentials, rotate them immediately.

How to Verify That Your VS Code Extensions Are Safe

Start by auditing every extension installed in your development environment. Remove any that are no longer needed. For extensions that remain, check their publisher identity, the number of downloads, and recent update history. Malicious extensions often mimic popular ones with similar names but different publishers. Avoid extensions that request broad permissions without clear justification.

Consider using an extension allowlist at the organizational level. Tools like Open VSX or marketplace curators can help, but the safest approach is to restrict the installation of extensions to those that have been vetted by your security team. For individual developers, the rule is simple: if you don’t absolutely need an extension, don’t install it.
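One way to combine the audit and the allowlist, as an added example that is not part of the original article: the script below classifies the output of `code --list-extensions --show-versions` against a vetted list and flags IDs that reuse a vetted extension name under a different publisher or are a near-misspelling of a vetted ID. The allowlist contents, the sample output, the version numbers and the 0.85 similarity cutoff are all constructed or assumed for illustration.

```python
import difflib

# Hypothetical organization allowlist of vetted extension IDs (publisher.name).
ALLOWLIST = {"ms-python.python", "dbaeumer.vscode-eslint", "esbenp.prettier-vscode"}

# Constructed sample of `code --list-extensions --show-versions` output.
SAMPLE_OUTPUT = """\
ms-python.python@2025.4.0
dbaeumer.vscode-eslint@3.0.10
esbenp-tools.prettier-vscode@1.0.2
ms-python.pythn@0.0.3
example-publisher.theme-pack@2.1.0
"""

def audit_extensions(cli_output, allowlist, cutoff=0.85):
    """Map each installed extension ID to (status, vetted_id_it_resembles).

    status is 'allowed', 'lookalike' or 'unvetted'. A lookalike is not on the
    allowlist but either reuses a vetted extension name under a different
    publisher or is a close misspelling of a vetted ID.
    """
    allowed = {a.lower() for a in allowlist}          # IDs compared case-insensitively
    by_name = {a.split(".", 1)[1]: a for a in allowed}
    findings = {}
    for line in cli_output.splitlines():
        ext_id = line.strip().rsplit("@", 1)[0].lower()  # drop the @version suffix
        if "." not in ext_id:
            continue                                   # blank or unparseable line
        name = ext_id.split(".", 1)[1]
        if ext_id in allowed:
            findings[ext_id] = ("allowed", None)
        elif name in by_name:
            findings[ext_id] = ("lookalike", by_name[name])
        else:
            near = difflib.get_close_matches(ext_id, allowed, n=1, cutoff=cutoff)
            findings[ext_id] = ("lookalike", near[0]) if near else ("unvetted", None)
    return findings

if __name__ == "__main__":
    for ext, (status, resembles) in audit_extensions(SAMPLE_OUTPUT, ALLOWLIST).items():
        note = f" (resembles {resembles})" if resembles else ""
        print(f"{status:9} {ext}{note}")
```

Lookalike findings deserve review before unvetted ones, since an ID that imitates a vetted extension is the pattern the paragraph above warns about.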

How GitHub Protects Customer Data Even When Internal Repos Are Breached

GitHub’s architecture separates customer‑owned repositories from its internal systems. According to their incident response update, customer data stored in external repositories (enterprise organizations, private repos, etc.) is not stored in the same environments as GitHub’s internal code. This is a common practice among cloud platform providers: they maintain strict logical and physical separation between client workloads and their own operational infrastructure.

However, a breach of internal repos can still have indirect effects. For example, if GitHub’s internal CI/CD configurations or deployment scripts were exposed, an attacker could learn how GitHub rolls out updates to customer‑facing services. That knowledge could be used to craft future attacks. GitHub has stated they are monitoring for such follow‑on activity, but customers should also remain vigilant for suspicious behavior in their own accounts.

Long‑Term Lessons for Enterprise Security Teams

The GitHub internal repos breach is a textbook case of a supply chain attack through extension abuse. It reinforces several best practices that many organizations still neglect:

  • Treat developer tools as high‑risk software. VS Code extensions, npm packages, and Docker images should be subject to the same vetting as any external application. Implement a review process before allowing new tools into your environment.
  • Enforce the principle of least privilege for internal systems. Even employees should only have access to the code and systems they need for their roles. The employee who installed the malicious extension likely had broad access to internal repos — that access should have been more tightly constrained.
  • Monitor for anomalous behavior in internal networks. Use endpoint detection and response (EDR) tools to watch for unusual file access, large data transfers, or the execution of untrusted scripts. The breach may have been preventable if the extension’s behavior had been flagged earlier.
  • Prepare for data leakage even if no ransom is paid. In TeamPCP’s model, leaking is the default outcome if no buyer appears. Incident response plans should include steps for handling the public release of internal code — such as rotating secrets, assessing IP exposure, and preparing communications with stakeholders.

For the startup founder who stores proprietary code on GitHub, the immediate concern is whether their repos could have been indirectly exposed. While GitHub says customer data is segregated, the fact that internal repos were breached means that any code that was shared with GitHub employees (e.g., during support or onboarding) might have been at risk. It is wise to assume that any data you shared with GitHub’s internal teams should be reviewed and, if sensitive, rotated or replaced.

For the penetration tester who studies the incident, the breach offers a real‑world case study in how a single extension can cascade into a full internal compromise. The attacker did not need to break through a firewall or exploit a zero‑day; they simply relied on a developer’s trust in a marketplace. The lesson is that human behavior — not just technology — is the weakest link in any security chain.

As the investigation continues, GitHub will likely release more details about the specific extension involved and the exact data exfiltrated. In the meantime, the entire developer ecosystem should take this opportunity to tighten controls around third-party tools. The GitHub internal repos breach may turn out to be a relatively contained incident, but it serves as a vivid reminder that no organization, not even the one that hosts half the world’s code, can afford to be complacent about the tools its own employees use.
