What happened in the GitHub internal repository breach?

GitHub said attackers gained unauthorised access to around 3,800 internal repositories after compromising an employee device through a malicious Visual Studio Code extension.

Did the GitHub breach affect customer repositories?

GitHub said it currently has no evidence that customer information stored outside its internal repositories was impacted. However, the company said it continues monitoring systems for additional malicious activity.

How did hackers reportedly compromise GitHub?

GitHub said the attack involved a poisoned VS Code extension installed on an employee device. Malicious extensions can give attackers access to credentials, internal systems and sensitive development infrastructure.

Who is TeamPCP and what did they claim?

TeamPCP reportedly claimed responsibility for the attack and attempted to sell what it described as roughly 4,000 private repositories online. Cybersecurity reports describe the group as highly focused on developer infrastructure attacks.

Why are VS Code extensions becoming a security risk?

VS Code extensions can access development environments, repositories and authentication tokens. If attackers compromise or poison extensions, they may gain deep access to developer systems and sensitive codebases.

What did GitHub do after discovering the breach?

GitHub said it removed the malicious extension version, isolated the compromised endpoint and launched an incident response investigation immediately after detecting the intrusion.

Why did Changpeng Zhao warn developers after the breach?

Changpeng Zhao advised developers to rotate API keys stored in repositories as a precaution. Attackers often target repositories because exposed credentials can provide access to production systems and financial infrastructure.

How serious is the risk from stolen repositories?

The severity depends on what data was stored inside the repositories. Private repositories may contain source code, infrastructure configurations, API keys or internal security documentation that attackers could exploit.

Image for illustrative purposes only. Not a real photo.

GitHub probes internal repository breach

Written by Liezl GambePublished May. 20 2026Last Updated May. 20 2026

GitHub said it is investigating unauthorised access to internal repositories after attackers compromised an employee device using a poisoned Visual Studio Code extension.

The company said the incident involved the exfiltration of roughly 3,800 internal repositories, though it added there is currently no evidence that customer information stored outside GitHub’s internal systems was impacted.

“We removed the malicious extension version, isolated the endpoint, and began incident response immediately,”

GitHub said in an update describing the breach containment process.

GitHub said the compromise was detected and contained on Tuesday after security teams identified the malicious VS Code extension tied to the employee device intrusion.

Cybersecurity reports indicated hacking group TeamPCP claimed responsibility for the attack and attempted to sell what it described as roughly 4,000 private repositories linked to GitHub’s platform and internal organisations.

According to Security Week, TeamPCP is known for targeting developer infrastructure and automating credential theft through compromised development tools, while Changpeng Zhao warned developers to rotate API keys stored in repositories as a precaution.

The incident follows a broader series of attacks targeting developer ecosystems after Grafana Labs disclosed a separate GitHub-related supply-chain attack earlier this week involving unauthorised access to its repositories and source code.

The breach also comes shortly after the disclosure of critical GitHub vulnerability CVE-2026-3854, which security researchers at Wiz said could have allowed authenticated users to execute arbitrary commands and potentially access millions of repositories across affected GitHub infrastructure.