GitHub investigating cyberattack linked to malicious VS Code extension and leaked internal repositories
Threat group TeamPCP reportedly claimed access to nearly 4,000 GitHub internal repositories and demanded at least $50,000 for the stolen data.
GitHub said the breach originated from a compromised employee device infected through a malicious Visual Studio Code extension.
Security researchers linked the incident to a wider software supply chain attack involving infected Python packages.
GitHub has confirmed that it is investigating a security breach incident after a threat group known as TeamPCP allegedly gained access to the company’s internal repositories and later attempted to sell the stolen data on a cybercrime forum. The attackers reportedly claimed to possess nearly 4,000 internal repositories and demanded at least $50,000 for the data.
According to GitHub, the breach appears to have originated from a compromised employee device that was infected with a malicious Microsoft Visual Studio Code extension. The company stated that it quickly contained the incident, rotated sensitive credentials, and will continue to monitor for any further suspicious activity. GitHub also stated that it currently has no evidence that customer repositories or enterprise data stored outside of its internal systems were impacted.
The company added that if any customer impact is discovered during the investigation, it will notify users through official incident response channels. GitHub’s internal assessment reportedly agrees with the attackers’ claims about the number of repositories accessed.
The incident has also been linked to a bigger software supply chain attack campaign associated with TeamPCP. Security researchers stated that the same group recently compromised the “durabletask” Python package, which is used in Microsoft’s Durable Task workflow framework, and published malicious versions of it. The infected package versions allegedly contained malware designed to steal credentials, cloud secrets, VPN configurations, SSH keys and password vault data from Linux systems.
According to cybersecurity firms investigating the campaign, the malware can spread automatically across AWS EC2 instances and Kubernetes environments by abusing stolen authentication tokens. Researchers also stated that any systems running the affected package versions should be considered completely compromised.
Multiple reports also suggest that the malicious package may have reached hundreds of thousands of downloads per month, because the harmful code was reportedly activated automatically as soon as the package was imported into a project, with no visible signs of infection.
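The detail that matters for defenders above is that the malicious code ran as soon as the package was imported. The following is an added example, not code from GitHub, Microsoft or the durabletask project: a small static check that reports calls to a constructed watch-list of process, network and decoding helpers which sit at module or class scope (and therefore execute on import) while ignoring function bodies, which only run when called. The watch-list, helper names and the sample module are assumptions made for this demonstration.

```python
import ast
SUSPICIOUS_CALLS = {  # constructed watch-list (an assumption); extend for your environment
    "subprocess.Popen", "subprocess.run", "os.system", "os.popen",
    "urllib.request.urlopen", "requests.get", "base64.b64decode", "exec", "eval"}

def _import_aliases(tree):
    """Map local names to dotted imports: 'from subprocess import run as r' -> r: subprocess.run."""
    aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            aliases.update({a.asname: a.name for a in node.names if a.asname})
        elif isinstance(node, ast.ImportFrom) and node.module and not node.level:
            aliases.update({a.asname or a.name: f"{node.module}.{a.name}" for a in node.names})
    return aliases

def _dotted_name(node, aliases):
    """Render a Name/Attribute chain as 'pkg.mod.func', resolving the leading alias."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None  # e.g. a call on a subscript or on another call's result
    return ".".join(reversed(parts + [aliases.get(node.id, node.id)]))

def _calls_outside_functions(node):
    """Yield Call nodes that run on import (module/class bodies, if/try blocks), never def/lambda bodies."""
    if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef, ast.Lambda)):
        return
    if isinstance(node, ast.Call):
        yield node
    for child in ast.iter_child_nodes(node):
        yield from _calls_outside_functions(child)

def find_import_time_calls(source):
    """Return [(line, dotted_call)] for watch-listed calls that execute on import."""
    tree = ast.parse(source)
    aliases = _import_aliases(tree)
    found = ((c.lineno, _dotted_name(c.func, aliases)) for c in _calls_outside_functions(tree))
    return [(line, name) for line, name in found if name in SUSPICIOUS_CALLS]

# Constructed sample module: lines 5 and 7 run on import; line 4 only runs when helper() is called.
SAMPLE_MODULE = """import base64, os
from subprocess import run as _r
def helper():
    os.system("only runs when helper() is called")
_r(["true"])
class Cfg:
    blob = base64.b64decode("aGk=")
"""
```

Running `find_import_time_calls(SAMPLE_MODULE)` reports the aliased `subprocess.run` call on line 5 and the `base64.b64decode` call inside the class body on line 7, and stays silent on the `os.system` call inside the function.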
Ashish Singh is the Chief Copy Editor at Digit. He's been wrangling tech jargon since 2020 (Times Internet, Jagran English '22). When not policing commas, he's likely fueling his gadget habit with coffee, strategising his next virtual race, or plotting a road trip to test the latest in-car tech. He speaks fluent Geek.