GitHub Investigates Unauthorized Access After Employee Device Compromise
Cointelegraph | 5/20/2026 | Tech | 2 min read

Quick Look

  • GitHub is investigating unauthorized access to its internal repositories following a compromise of an employee's device via a poisoned VS Code extension.
  • A hacking group, TeamPCP, claims responsibility and is reportedly selling the data online.

AI-generated summary

Why It Matters

GitHub is a major platform for developers to host their projects. This incident follows a recent critical vulnerability disclosure and a similar supply-chain attack on Grafana Labs.

GitHub said on Wednesday it is investigating unauthorized access to its internal repositories following the compromise of an employee's device.

“While we currently have no evidence of impact to customer information stored outside of GitHub’s internal repositories, we are closely monitoring our infrastructure for follow-on activity,” the developer platform said in a statement.

In a subsequent post, GitHub said it detected and contained a compromise of an employee device involving a poisoned VS Code extension on Tuesday. “We removed the malicious extension version, isolated the endpoint, and began incident response immediately,” it added.

GitHub is the go-to platform for developers, many of whom host their open source projects and repositories on its servers.

TeamPCP claims responsibility

Meanwhile, a hacking group called TeamPCP has reportedly claimed responsibility for the compromise and has attempted to sell the GitHub data online, claiming to have “4,000 repos of private code” related to GitHub’s main platform and internal organizations.

TeamPCP is a sophisticated, automation-heavy hacking group that turns compromised developer tools into credential-harvesting machines for financial gain, SecurityWeek reported.

TeamPCP claims responsibility on underground hacker forums. Source: Hackmanac

“If you have API keys in your code, even private repos, now is the time to double-check and change them,” Binance founder Changpeng Zhao said.

It comes just a day after Grafana Labs, an open-source data observability company, said on Tuesday it was hit by a supply-chain attack in which malicious actors accessed its GitHub repositories and downloaded its codebase.

The attackers issued a ransom demand under threat of data disclosure, which the firm did not meet.

This incident also came shortly after the April 28 public disclosure of a critical remote code execution vulnerability, CVE-2026-3854, that allowed authenticated users to execute arbitrary commands on GitHub’s servers.

Wiz Research, which discovered the critical flaw, reported at the time that millions of public and private repositories belonging to other users and organizations were accessible on the affected nodes.

Open Questions

  • What specific data was accessed from GitHub's internal repositories?
  • What is the full extent of the compromise by TeamPCP?
  • What measures is GitHub taking to prevent future incidents?
  • How did the poisoned VS Code extension bypass security measures?

This article was originally published by Cointelegraph.
