GitHub says there is currently no evidence that customer repositories or external enterprise data were compromised.
Earlier today, hackers gained access to GitHub’s internal repositories by exploiting an employee’s computer with the use of a tainted VS Code extension.
Following the incident, reports emerged that a threat actor using the alias TeamPCP was now allegedly selling what they claim is roughly 4,000 of GitHub’s private repositories on a cybercriminal forum, with a minimum asking price of $50,000.
What GitHub Says Happened
GitHub confirmed the breach through several tweets posted on its X account, where it detailed what it knew thus far. As per the hosting platform, the attacker gained access to its internal repository via a malicious extension of VS Code loaded onto one of the devices of its employees.
GitHub claims that once it realized there was an attack, it promptly deleted the malicious software from the infected machine. Critically, it pointed out that there is currently no evidence that customer data held outside its internal systems, meaning individual users’ enterprises, organizations, or repositories, was accessed.
The hosting service also confirmed it moved quickly to rotate credentials, moving the highest-impact secrets first. It will also be examining logs to see whether there has been any additional activity, and it will be providing more details on the matter after the investigation concludes.
Meanwhile, French researcher Sébastien Latombe flagged a listing on a criminal message board by a threat actor calling themselves “TeamPCP,” claiming to be the one behind the hack, containing mentions of repositories related to GitHub Actions, GitHub Enterprise, GitHub Copilot, Azure, CodeQL, billing, and authentication services.
Allegedly, they are not looking to ransom GitHub but want a single buyer for the stolen data, with the minimum asking price being $50,000.
You may also like:
However, it must be noted that there has been no official confirmation of the content in the forum listing from GitHub or Microsoft, and any claims made in such cybercriminal sites may be taken with a pinch of salt, as any data they provide in such cases may be out of date or overblown to inflate its perceived value.
Security Concerns Spread Through Crypto
The reaction online to the breach was swift, with Binance co-founder Changpeng Zhao (CZ) posting a direct message to crypto developers:
“If you have API keys in your code, even private repos, now is the time to double check and change them.”
The replies painted a familiar picture of an industry-wide problem. Topaz DEX founder Aaron Shames called it “bad practice to have API keys in any repo, private or not,” though he acknowledged the heads-up.
Others pointed out that for builders managing hundreds of keys across projects, this is not a simple fix.
“This entire practice of key storage needs an update,” wrote digital artist Tuteth_.
Security commentator Dhanush Nehru went further:
“No one knows what all permissions each VS Code extension owns. The cybersecurity threat landscape is scary.”
The timing of this incident also contributed to pre-existing worries about crypto security following multiple high-profile hacks this month, which included an attack on Echo Protocol, where hackers managed to mint $76.7 million worth of eBTC.
That particular incident came just days after two other multimillion-dollar attacks were carried out on THORChain and the Verus-Ethereum Bridge.
This spate of events has led to renewed debates on the issues of code verification and software supply chain vulnerabilities, where Vitalik Buterin asserts that with the help of AI, formal verification can make software safer by mathematically proving its behavior.
