On 20th May (local time), Microsoft-owned code hosting platform GitHub confirmed that it is investigating unauthorised access to its internal repositories after a hacking group known as TeamPCP claimed that it had stolen source code and internal organisation data from the platform. The group has reportedly put the allegedly stolen data on sale on a cybercrime forum for over $50,000.
If any impact is discovered, we will notify customers via established incident response and notification channels.
— GitHub (@github) May 19, 2026
In a statement, GitHub stated that it has no evidence so far that customer information stored outside its internal repositories has been affected. This means that customer enterprises, organisations and repositories are not believed to have been accessed at this stage. However, the company added that it is closely monitoring its systems for any further suspicious activity.
1/ We are sharing additional details regarding our investigation into unauthorized access to GitHub's internal repositories.
— GitHub (@github) May 20, 2026
Yesterday we detected and contained a compromise of an employee device involving a poisoned VS Code extension. We removed the malicious extension version,…
How the breach happened
According to GitHub, it detected and contained a compromised employee device. The company said the device was infected through a poisoned Microsoft Visual Studio Code extension. Such extensions are commonly used by developers to add features to their coding software. However, in this case, one malicious version appeared to have been used to gain access to its systems.
3/ We moved quickly to reduce risk. Critical secrets were rotated yesterday and overnight with the highest-impact credentials prioritized first.
— GitHub (@github) May 20, 2026
After the company detected the compromise, the malicious extension version was removed and the affected device was isolated. The company then began its incident response process. GitHub also replaced important secrets and credentials to reduce the risk of further misuse.
TeamPCP claims data is for sale
The hacker group TeamPCP has claimed that it accessed around 4,000 private repositories linked to GitHub’s main platform. The company later stated that the hacker’s claim of nearly 3,800 repositories was “directionally consistent” with its own investigation so far.
The group reportedly said that the stolen data was not part of a ransom demand and that it would sell it to one buyer or leak it for free if no buyer is found. It has also claimed that it can provide samples to serious buyers to prove authenticity.
Why the incident matters
GitHub hosts the source code for a large part of the world’s software ecosystem. If internal source code falls into the hands of hackers, they may try to study it to find weaknesses that can be misused later.
5/ We will publish a fuller report once the investigation is complete.
— GitHub (@github) May 20, 2026
TeamPCP has also been linked to attacks targeting open-source software packages. GitHub said it will notify customers through its official channels if any impact is found. The company has also said that it will publish a fuller incident report once its investigation is complete.

