GitHub Reports Breach of 3,800 Repositories by TeamPCP
GitHub announced a breach in which a poisoned VSCode extension allowed TeamPCP to access internal code repositories. The incident is the latest in a series of supply chain attacks attributed to the group.
Source: Wired

GitHub announced Tuesday night that it had detected a breach after a developer installed a poisoned VSCode extension. The attackers accessed approximately 3,800 of the platform's internal repositories, according to GitHub's statement. All compromised repositories contained GitHub's own code rather than customer data.
TeamPCP posted on BreachForums that it was advertising GitHub's source code and internal organizations for sale.
TeamPCP has conducted 20 waves of supply chain attacks in recent months, according to cybersecurity firm Socket. The group has compromised more than 500 distinct pieces of software and their versions. The attacks follow a recurring cycle in which the group plants malware in developer tools, steals credentials, and then publishes malicious updates to additional tools.
Socket researcher Philipp Burckhardt said the group appears focused on gaining attention through high-profile targets.
Prior victims include AI company Anthropic and data firm Mercor. The group has also used a self-spreading worm called Mini Shai-Hulud that creates repositories containing stolen credentials. TeamPCP has deployed ransomware and data extortion against some targets while offering to sell stolen data to others.
The group has also established partnerships with BreachForums and DragonForce for ransomware-as-a-service operations. Wiz strategic threat intelligence lead Ben Read said each breach creates significant issues for the affected organization. Palo Alto Networks Cortex Cloud manager Nathaniel Quist said organizations should rotate authentication tokens regularly to limit exposure.
Wiz recommends delaying installation of newly published open source updates until they can be reviewed for signs of tampering.
Story Timeline (5 events)
- Late 2025: TeamPCP began exploiting cloud misconfigurations and a Next.js vulnerability. (Source: Wired)
- March 2026: TeamPCP expanded targeting of software utilities and began cascading attacks. (Source: Wired)
- April 2026: TeamPCP moved to a ransomware-as-a-service model with BreachForums and DragonForce. (Source: Wired)
- May 19 2026: TeamPCP compromised a VSCode extension, leading to the GitHub breach. (Source: Wired)
- May 20 2026: GitHub announced the breach of 3,800 internal repositories. (Source: Wired)
Potential Impact
1. Organizations using compromised open source tools may face credential theft or malware infection.
2. Security teams may increase monitoring of developer tool updates and credential rotation.
3. Companies may delay adoption of new open source updates to reduce supply chain risk.