GitHub Investigates Breach After TeamPCP Claims Source Code Theft

By: Harsh Vardhan

|

Updated on: 20-May-2026

9,601 views

Follow Us:

9,601 views

On Tuesday, GitHub confirmed it was investigating a security breach after a hacking group claimed to have accessed its source code. The group, known as TeamPCP, said it had breached GitHub’s internal systems and obtained proprietary organization data and source code. GitHub, owned by Microsoft, hosts source code for a significant portion of global software projects.

Key Highlights

• GitHub is investigating a breach after TeamPCP claimed access to its internal source code.
• TeamPCP offered the alleged dataset, including about 4,000 private repositories, for over $50,000.
• GitHub stated only internal data was likely accessed and no user data was impacted.
• The breach involved a compromised employee device via a malicious Visual Studio Code extension.

Details of the Alleged Breach

TeamPCP posted online that it was selling the alleged dataset for over $50,000. The group claimed the data included about 4,000 private repositories from GitHub’s main platform. According to Dark Web Informer, TeamPCP also published screenshots and a public file list to support its claims. The group stated it would provide samples to serious buyers to prove the authenticity of the data.

GitHub responded on X, stating it was investigating the incident and that only its own internal data was likely accessed. The company said there was no current evidence that user data or customer repositories outside GitHub’s internal systems were affected. GitHub assured users it was monitoring its infrastructure for any further suspicious activity.

The group behind the breach, TeamPCP, is tracked by Google Threat Intelligence Group as UNC6780. TeamPCP is known for financially motivated attacks, particularly those targeting software supply chains and open-source packages. In early 2026, the group was linked to attacks involving the Trivy Vulnerability Scanner, Checkmarx, and LiteLLM.

GitHub’s Response and Ongoing Investigation

GitHub confirmed that an employee device had been compromised through a malicious Microsoft Visual Studio Code extension. The company reported that it removed the malicious extension, isolated the affected device, and began incident response procedures immediately. GitHub stated that the attacker’s claim of approximately 3,800 repositories accessed was consistent with its ongoing investigation.

The company emphasized that it would notify customers through established incident response channels if any impact to customer data was discovered. GitHub also stated it would release a fuller report after completing its investigation.

TeamPCP claimed that if it did not find a buyer for the stolen data, it would release the information online for free. The group stated, "As always, this is not a ransom. We do not care about extorting GitHub, 1 buyer and we shred the data on our end." TeamPCP also posted messages on X, criticizing GitHub’s handling of the incident and communication with users.

This breach raises concerns about potential cybersecurity risks if the source code is exposed. Access to internal repositories could allow malicious actors to identify and exploit vulnerabilities in GitHub’s platform. GitHub continues to monitor its systems and has committed to transparency as the investigation progresses.