GitHub Internal Repository Breach: TeamPCP Exfiltrates ~3,800 Private Data via Poisoned VS Code Extension.

Executive Summary :

TeamPCP reportedly used a malicious VS Code extension to compromise a GitHub employee’s device, steal credentials, and exfiltrate data from about ~3,800 internal repositories. The leak appears to involve GitHub’s internal source code and engineering systems, not customer repositories, and the actor allegedly tried to sell the data afterward.

Key Takeaways :

• Threat actor TeamPCP (aka UNC6780) allegedly compromised a GitHub employee workstation using a malicious VS Code extension, enabling theft of credentials and access tokens.
• Attackers reportedly exfiltrated data from approximately 3,800–4,000 internal GitHub repositories, primarily involving internal engineering and platform source code.
• The breach appears to have impacted GitHub’s internal systems only, with no confirmation of compromise to customer-hosted repositories on GitHub.com.

Threat actor Profile :

Name : TeamPCP(aka UNC6780)
Sector: ICT
Data exposure (claimed): Approximately 4,000 private repositories
Data type: Source code
Observed: May 19, 2026

Historical Targeted Attack: PyPI,npm ,LiteLLM ,Trivy ,KICS,Telnyx SDK,TanStack ,MistralAI , CheckMarx’s

Targeted Country : US, Europe, Middle East, South Asia, and Asia‑Pacific

Attack Vector : Supply chain attacks targeting open-source security utilities and AI middleware.

Incident Overview :

• GitHub is being consistently targeted by threat actor groups and campaigns such as Shai-Hulud, TeamPCP, Lazarus, and Bluenoroff because it offers a high-impact path for large-scale supply chain attacks that can cascade downstream and compromise additional packages and dependencies.
• TeamPCP is behind other supply chain attacks, in the past they targeted PyPI packages and NPM repositories, and most recently the “Mini Shai-Hulud” campaign that also caught two OpenAI employees. The pattern is consistent: go after the tools developers trust, poison the supply chain, and let the downstream damage multiply.
• The idea that TeamPCP would hit GitHub through a poisoned version of a Visual Studio Code (VS Code) extension (or perhaps a typosquatted application) is well within the threat actor's capabilities, as many of its recent campaigns have involved such threat activity.

What Was Actually Breached?

GitHub has stated that the intrusion impacted internal repositories associated with core platform components rather than external customer data. Multiple outlets report that the stolen repos included internal projects tied to:

• GitHub Actions
• GitHub Copilot
• Codespaces
• Dependabot
• CodeQL
• Other internal tooling and platform services

Threat actor included a link on Limewire with the alleged directory listing and a screenshot showing logical names of official corporate compressed files (e.g., github-copilot.tar.gz, github-enterprise-server, red-team.tar.gz), the full authenticity of the file contents and the code's validity have not been independently assessed or confirmed.

GitHub Data Leak: Detailed Incident Reconstruction

Simple story of what happened :

1. A bad add‑on was used

• Hackers hide malicious code inside a popular add‑on for a coding tool called Visual Studio Code (Nx Console (nrwl.angular-console, version 18.95.0))
• This add‑on looked normal and useful, so people trusted it and installed it.

2. An employee unknowingly installed it

• A GitHub employee installed this add‑on on their work computer.
• Bcause it was installed by the employee, the add‑on was allowed to run just like any other tool they use.

3. The add‑on quietly searched the computer

• When the employee opened VS Code, the add‑on ran in the background.
• It looked through the computer for saved logins, keys, and other “secret” information used to connect to GitHub and other internal systems.

4. Hackers stole those logins and keys

• The add‑on collected those secrets (like passwords and access tokens) and sent them to the hackers.
• With these, the hackers could pretend to be that employee online.

5. Hackers logged into GitHub as the employee

• Using the stolen secrets, the hackers connected to GitHub just like the employee would.
• They were then able to reach GitHub’s private, internal code projects that the employee was allowed to see.

6. They copied a lot of internal code

• The hackers downloaded thousands of internal GitHub projects and configuration files.
• They organized this stolen code into bundles, ready to move or sell.

7. They sent the stolen data to their own servers

• The bundled data was sent over the internet to computers controlled by the hackers.
• From there, they could store it, analyze it, or share it with others.

8. They tried to sell the stolen code

• The hackers put the internal GitHub code up for sale on cybercrime forums.
• They can also use what they learned to plan more attacks against GitHub or other companies.

Post Breach Analysis :

• Researchers recovered malware from an affected endpoint – a Python backdoor named cat.py (fb5c97557230a27460fdab01fafcfabeaa49590bafd5b6ef30501aa9e0a51142), at the file path /Users/%/.local/share/kitty/cat.py. Initial analysis suggests that this is the same malware observed in the recent @antv supply chain compromise, also attributed to TeamPCP.
•  This is a remote backdoor that downloads and executes arbitrary Python code from attacker-controlled URLs. It uses the GitHub Search API as a covert communication channel, by polling api.github[.]com/search/commits every hour for the keyword ‘firedalazer,’ and employs public GitHub commits to hide commands in plain sight.
• It extracts commands from commit messages, verifies them using a built-in RSA public key, and downloads and executes attacker-provided Python payloads.

 TeamPCP on Breach Forum : TeamPCP selling GitHub ~4000 private repo data on breachforum for $50K.

Contact Details :

• Session: 05a04c7c548c39e903c5913973dd55b6f3d9c1a10d346ca9d49d10b9428095823e
• TOX: BA8D312391E2E379144046841FC97EDF1DD2D400E3AB3B3DAAF08D8569AE2D43AB997A5069F2

TeamPCP had shared github-repos links on LimeWire :

github-repos.txt : https://limewire.com/d/GfED8#rpoQm20zzu

Samples.zip :This zipped folder consists of 2 Ruby files namely:

• organizations_controller.rb:organizations_controller.rb is a Ruby on Rails controller file that typically handles organization-level actions in GitHub’s web app, such as viewing an org, updating org settings, managing members, and handling admin-related workflows.

• pull_requests_controller.rb:pull_requests_controller.rb was a large internal Rails controller that handled GitHub pull-request workflows end to end: viewing PRs, creating them, merging them, commenting, applying suggestions, loading metadata, and routing UI updates.

LAPSUS$ Group jointly Selling TeamPCP GitHub Repositories:

LAPSUS$ Group announces a joint for sale post with TeamPCP for the GitHub internal repositories. TeamPCP launched a for sale post yesterday on a popular cybercrime forum for at least $50,000. 

Session ID : 05cd5cef689eeaf97c5e153cd6e1d4e0659edc4b37c9df850de4485ec67106ea4c

Message From GitHub :There is no evidence of impact to customer

 MITRE TTP :

TTP ID	Name	Description
T1195.002	Supply Chain Compromise: Compromise Software Supply Chain	Initial access through a poisoned VS Code extension installed in a trusted developer environment.
T1204.001	User Execution: Malicious File	The victim user installed and ran the malicious extension in their IDE.
T1078	Valid Accounts	Stolen tokens and sessions were reused to access internal GitHub repositories as an authorized user.
T1552.001	Unsecured Credentials: Credentials in Files	The actor harvested secrets from local configs, cached data, and developer files.
T1552.004	Unsecured Credentials: Private Keys	SSH keys and other private key material may have been exposed from the developer workstation.
T1083	File and Directory Discovery	The payload likely enumerated local files and directories to locate credentials and useful data.
T1005	Data from Local System	Internal source code and repository data were collected from local and authenticated access paths.
T1041	Exfiltration Over C2 Channel	Stolen data was transferred to attacker-controlled infrastructure over network channels.
T1027	Obfuscated Files or Information	Collected code and data were packaged into archives to make analysis and transfer easier.
T1218	System Binary Proxy Execution	Legitimate tools such as curl may have been used to upload stolen data.

IOC (Indicator's Of Compromise)

Domain:

git-service[.]com

MD5:

907a5a883877808218686bc24b7add65

b0e85aaafbd37dcaccc6ee734270ebbe

SHA256:

b0cefb66b953e5184b6adb3035e9e267335ac5eabfe1848e07834777b9397b74 main.js (extension payload)

fb5c97557230a27460fdab01fafcfabeaa49590bafd5b6ef30501aa9e0a51142 cat.py (Python backdoor)

a68dd1e6a6e35ec3771e1f94fe796f55dfe65a2b94560516ff4ac189390dfa1c index.js (orphan-commit payload)

Onion Site

22evxpggnkyrxpluewqsrv5j4jtde6hut2peq3w44d6ase676qlkoead[.]onion

Hardening suggestions:

Team PCP’s breach of GitHub shows how one poisoned IDE extension on one privileged device can lead to massive source‑code exposure.

• Audit all VS Code (and similar) extensions; remove unused ones and only keep vetted, verified publishers.
• Never store long‑lived GitHub tokens or secrets in code or local config; use a secrets manager instead.
• Pin CI/CD workflows to commit SHAs, not tags, and enforce strong MFA on all GitHub accounts.

Conclusion:

TeamPCP’s breach of GitHub is a stark reminder that the modern software supply chain is only as strong as the trust we place in the tools developers use every day. A single compromised extension on one privileged workstation was enough to open the door to thousands of internal repositories, exposing not just source code, but the operational assumptions behind a platform built on trust, access, and automation. For defenders, the lesson is clear: tighten control over developer tooling, minimize long-lived secrets, enforce strong authentication, and treat internal code as a strategic asset. In an ecosystem where one poisoned dependency can ripple across an entire platform, security has to begin at the workstation and extend all the way through the delivery chain.