TeamPCP breached GitHub’s internal codebase via poisoned VS Code extension
Following TeamPCP’s claim that they’ve breached GitHub’s own private code repositories, the Microsoft-owned company launched an investigation and confirmed the compromise.
“Our current assessment is that the activity involved exfiltration of GitHub-internal repositories only. The attacker’s current claims of ~3,800 repositories are directionally consistent with our investigation so far,” GitHub stated.
The source of the breach
The company previously said it had no evidence that customer information stored outside of GitHub’s internal repositories was impacted, but as the investigation is still ongoing, this might change.
GitHub’s investigation revealed that the attackers accessed the internal repos after a GitHub employee installed a poisoned Visual Studio (VS) Code extension.
“We removed the malicious extension version, isolated the endpoint, and began incident response immediately,” the company shared.
“Critical secrets were rotated yesterday and overnight with the highest-impact credentials prioritized first. We continue to analyze logs, validate secret rotation, and monitor for any follow-on activity. We will take additional action as the investigation warrants.”
Charlie Eriksen, a security researcher with Aikido Security, noted that VS Code extensions have full access to everything on the developer’s machine, including credentials, cloud keys, and SSH keys.
“The day before the GitHub breach was disclosed, a completely separate extension called Nx Console, 2.2 million installs, was also briefly backdoored. The community caught that one in 11 minutes, which sounds fast until you realise how many machines auto-update in that window,” he told Help Net Security.
“GitHub still hasn’t named the extension used in their breach, and blocking something malicious always depends on it being identified first.”
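As an added defensive illustration (not from the article, GitHub or Aikido), the check below compares a workstation’s installed VS Code extensions against a reviewed allowlist of pinned versions, so an unfamiliar extension or one that auto-updated past its reviewed version surfaces, and flags a user settings file that leaves `extensions.autoUpdate` enabled. The extensions.json layout shown and all extension ids and versions are constructed sample data, not real installs.

```python
import json

# Constructed sample in the shape of VS Code's extensions.json (a JSON array of
# installed extensions; the real file lives under ~/.vscode/extensions/).
SAMPLE_EXTENSIONS_JSON = json.dumps([
    {"identifier": {"id": "example.linter"}, "version": "3.1.0"},
    {"identifier": {"id": "example.console"}, "version": "18.70.0"},
    {"identifier": {"id": "unknown.helper"}, "version": "0.0.1"},
])

# Constructed sample of a user settings.json that still allows auto-update.
SAMPLE_SETTINGS_JSON = json.dumps({"extensions.autoUpdate": True})

# Constructed allowlist: extension id -> version that was reviewed and approved.
ALLOWLIST = {
    "example.linter": "3.1.0",
    "example.console": "18.69.0",
}


def audit_extensions(extensions_json, allowlist):
    """Return (id, installed_version, reason) for every extension that is
    either not on the allowlist or not at its pinned, reviewed version."""
    findings = []
    for entry in json.loads(extensions_json):
        ext_id = entry["identifier"]["id"]
        installed = entry["version"]
        pinned = allowlist.get(ext_id)
        if pinned is None:
            findings.append((ext_id, installed, "not on allowlist"))
        elif installed != pinned:
            # A version the reviewer never saw: typically a silent auto-update.
            findings.append((ext_id, installed, f"drifted from pinned {pinned}"))
    return findings


def audit_settings(settings_json):
    """Flag a settings file that lets extension versions change without review.
    VS Code's extensions.autoUpdate setting defaults to true when absent."""
    settings = json.loads(settings_json)
    if settings.get("extensions.autoUpdate", True) is not False:
        return ["extensions.autoUpdate is not false: new versions install unreviewed"]
    return []


if __name__ == "__main__":
    for finding in audit_extensions(SAMPLE_EXTENSIONS_JSON, ALLOWLIST):
        print("extension:", *finding)
    for finding in audit_settings(SAMPLE_SETTINGS_JSON):
        print("settings:", finding)
```

On a real workstation, point the two functions at the contents of the user's extensions.json and settings.json and feed the findings to whatever endpoint inventory the team already monitors.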
TeamPCP continues its rampage
TeamPCP (aka UNC6780) is a cybercrime group that specializes in supply chain attacks targeting open-source security utilities and AI middleware.
They have previously compromised Aqua’s Trivy security scanner, Checkmarx’s KICS, the LiteLLM library, the Telnyx SDK, TanStack, MistralAI, and other packages that depended on those.
They achieved some of these compromises by deploying Mini Shai-Hulud, their adapted version of a self-replicating worm first documented in 2025, which largely automates supply chain attacks by stealing CI/CD credentials and using them to publish infected versions of further packages.
The hacking group is ostensibly selling the contents of the stolen GitHub repositories, and said they plan to leak them if a buyer doesn’t materialize.
