GitHub confirms breach of internal repositories after hackers put stolen source code up for sale
- Marijan Hassan - Tech Journalist
- 1 hour ago
- 3 min read
Microsoft-owned DevOps giant GitHub has confirmed a significant corporate data breach after a notorious threat actor successfully exfiltrated approximately 3,800 internal code repositories and listed the stolen proprietary data for sale on a cybercrime forum for $50,000.

The platform officially acknowledged the security incident on May 20, 2026, revealing that the breach originated from a single employee device that was compromised through a "poisoned" extension within Microsoft’s Visual Studio Code (VS Code) ecosystem.
The entry point: A 14-minute supply chain window
According to threat intelligence reports and developer advisories, the initial access vector was a highly coordinated supply chain attack targeting Nx Console, a verified and immensely popular VS Code extension with over 2.2 million installs used for managing monorepos.
On May 18, 2026, the hacking group managed to hijack the credentials of a legitimate Nx developer and publish a malicious update (version 18.95.0) to the official Visual Studio Marketplace. The open-source community caught the anomaly and pulled the infected package within 18 minutes. However, thousands of workstations, including that of a GitHub engineer, had already downloaded the payload via automatic Windows update.
Once inside the editor, the obfuscated malware executed a massive harvesting operation. It silently scraped the local environment for:
- Active GitHub access tokens (ghp_, gho_, ghs_) and process memory
- Local 1Password vault sessions, AWS IAM metadata, and cloud connection strings
- Kubernetes configurations and NPM registry authorization tokens
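Two checks a workstation owner would want after reading the above, as an added example that is not code from the article, GitHub or the Nx project: confirm whether the poisoned extension version is listed in VS Code's extension inventory, and find classic GitHub tokens (the ghp_/gho_/ghs_ prefixes named above) sitting in files or environment dumps where any extension could read them. The extension id "nrwl.angular-console", the shape of extensions.json and all sample values are assumptions or constructed data.

```python
import json
import re
from typing import Iterable

# Constructed sample of a VS Code extensions.json (the real file lives under
# ~/.vscode/extensions/). Assumed shape: a list of {"identifier": {"id": ...}, "version": ...}.
SAMPLE_EXTENSIONS_JSON = json.dumps([
    {"identifier": {"id": "ms-python.python"}, "version": "2024.4.1"},
    {"identifier": {"id": "nrwl.angular-console"}, "version": "18.95.0"},
])

# Constructed sample of a .env file; the first value is token-shaped, the second is not.
SAMPLE_ENV = (
    "GITHUB_TOKEN=ghp_abcdefghijklmnopqrstuvwxyz0123456789\n"
    "OTHER=ghp_tooshort\n"
)

# Classic GitHub tokens: one of the prefixes named on the page, "_", then 36 alphanumerics.
GITHUB_TOKEN_RE = re.compile(r"\b(ghp|gho|ghs)_[A-Za-z0-9]{36}\b")


def find_extension(extensions_json: str, ext_id: str, bad_versions: Iterable[str]) -> list[dict]:
    """Return inventory entries whose id matches ext_id and whose version is in bad_versions."""
    bad = set(bad_versions)
    hits = []
    for entry in json.loads(extensions_json):
        ident = entry.get("identifier", {}).get("id", "")
        version = entry.get("version", "")
        if ident.lower() == ext_id.lower() and version in bad:
            hits.append({"id": ident, "version": version})
    return hits


def find_tokens(text: str) -> list[str]:
    """Return redacted forms (prefix + last 4 chars) of token-shaped strings found in text.

    Only the redacted form is returned so the finding can be logged without
    copying the secret into another file.
    """
    return [m.group(0)[:4] + "..." + m.group(0)[-4:] for m in GITHUB_TOKEN_RE.finditer(text)]


if __name__ == "__main__":
    # Version 18.95.0 is the malicious Nx Console release named in the article.
    print(find_extension(SAMPLE_EXTENSIONS_JSON, "nrwl.angular-console", ["18.95.0"]))
    print(find_tokens(SAMPLE_ENV))
```

Any token reported by find_tokens should be treated as exposed and rotated, not merely deleted from the file.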
3,800 private repositories stolen
Armed with the stolen internal tokens, the threat actors bypassed perimeter controls and cloned roughly 3,800 of GitHub's private corporate repositories. Internal codebases of this nature typically contain core application logic, proprietary architecture designs, staging configurations, and internal pipeline schemas.
The cybercrime gang TeamPCP (also tracked by researchers as UNC6780) quickly claimed credit for the operation on BreachForums. The group posted screenshots of the data structure, explicitly stating that the compromise was a financial play rather than an extortion scheme:
"As always, this is not a ransom. We do not care about extorting GitHub. 1 buyer and we shred the data on our end... if no buyer is found, we leak it for free."
Security researchers later noted that the listing was briefly moved to the Lapsus$ leak site with an increased asking price of $95,000.
Customer ecosystem remains intact
GitHub’s security team detected the anomalous exfiltration on May 19, immediately shifting into an aggressive isolation and remediation posture. Engineers worked overnight to lock down the infected endpoint, purge the malicious extension, and rotate the platform's highest-impact credentials to nullify any persistent lateral movement.
GitHub has strongly emphasized that the blast radius is tightly confined to its own corporate estate. The company confirmed it has found no evidence of unauthorized access to customer-facing cloud infrastructure, user repositories, or enterprise client data stored outside GitHub's internal network.
The new frontier of threat landscapes
The GitHub breach marks the apex of a brutal, weeks-long supply chain rampage by TeamPCP. Throughout May 2026, the group has deployed a self-propagating worm known as "Mini Shai-Hulud" to methodically subvert trusted developer utilities, successfully backdooring platforms like Checkmarx, Bitwarden CLI, and Aqua Security's Trivy scanner.
By exploiting the deep trust developers place in verified extensions and official marketplaces, the campaign underscores a major shift in enterprise vulnerability.
As security engineers lock down traditional network perimeters, threat actors have realized that a single compromised plugin on an engineer's desktop provides a direct, unhindered path to a corporation's most sensitive digital crown jewels.