Security News

Cybersecurity news aggregator

HIGH Attacks Dark Reading

GitHub Confirms Breach, 4K Internal Repos Stolen

GitHub confirmed a breach in which the financially motivated threat actor TeamPCP stole approximately 4,000 internal repositories and offered them for sale on a dark web forum. GitHub attributes the intrusion to the compromise of an employee device through a poisoned VS Code extension; because this is a breach rather than a product vulnerability, the article gives no CVSS score, affected software versions, fixed versions, or workarounds.

Open source software giant GitHub confirmed a data breach this week involving the theft of thousands of repos. One threat actor — TeamPCP — took credit.
Alexander Culafi, Senior News Writer, Dark Reading
May 20, 2026
3 Min Read

GitHub confirmed today that it was breached by an attacker who stole thousands of internal repositories.

TeamPCP, a financially motivated threat actor that has relentlessly targeted the open source ecosystem, yesterday published a post to a prominent Dark Web data breach forum offering to sell internal source code and organization data stolen from GitHub. The advertisement put the haul at "~4,000 repos of private code," for sale to a single interested buyer.

"As always this is not a ransom. We do not care about extorting GitHub, 1 buyer and we shred the data on our end, it looks like our retirement is soon so if no buyer is found we will leak it free," the post read.

GitHub today partially confirmed the advertisement's claims in a series of posts on the official company account on X. According to the Microsoft-owned company, GitHub yesterday detected and contained the compromise of an employee device, which involved a poisoned VS Code extension. GitHub said it removed the malicious extension version, isolated the endpoint, and began incident response.

"Our current assessment is that the activity involved exfiltration of GitHub-internal repositories only. The attacker's current claims of ~3,800 repositories are directionally consistent with our investigation so far," the series of posts read. "We moved quickly to reduce risk. Critical secrets were rotated yesterday and overnight with the highest-impact credentials prioritized first. We continue to analyze logs, validate secret rotation, and monitor for any follow-on activity. We will take additional action as the investigation warrants. We will publish a fuller report once the investigation is complete."

TeamPCP has become a force to be reckoned with for developers in recent months.
Security experts have pinned the Shai-Hulud self-replicating worm attacks that began last year on TeamPCP, and it has further targeted organizations in credential attacks and more. Most recently, TeamPCP published the source code of Shai-Hulud to GitHub in an effort to spread the worm even further.

GitHub Breach Begs: What Happened?

The idea that TeamPCP would hit GitHub through a poisoned version of a Visual Studio Code (VS Code) extension (or perhaps a typosquatted application) is well within the threat actor's capabilities, as many of its recent campaigns have involved exactly this kind of activity. It is notable that the Microsoft-owned GitHub was compromised through a VS Code extension a year after GitHub committed itself to open source software security and two years after Microsoft committed itself to improved security practices. VS Code is a Microsoft product, but a VS Code extension isn't necessarily Microsoft's: most extensions are written and published by third parties and run inside the editor. So while breach victims deserve a bit of grace, the threat to the open source ecosystem has been well established for months.

Roy Akerman, head of cloud and identity security for vendor Silverfort, tells Dark Reading that this attack happened because the trust model around developer tooling is "fundamentally broken."

"A VS Code extension runs with the same privileges as the editor itself, and once installed it has access to everything the developer can reach," he says. "There's no meaningful verification before that code executes. What makes this breach remarkable isn't the entry point, it's that TeamPCP used GitHub's own infrastructure as the weapon end to end. They leveraged compromised developer tooling and trusted release workflows to distribute malicious code, including the poisoned VS Code extension that reached a GitHub employee's machine."
Kayne McGladrey, senior member of the Institute of Electrical and Electronics Engineers (IEEE), echoed the concern about VS Code extensions running with full trust, "which means that they get access to the developer's filesystem, credentials, cloud keys, SSH keys, and environment variables."

Dark Reading contacted GitHub for additional comment.
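Both experts frame the problem as what an extension can reach once it is installed. The Python script below, added here as an example and not code from GitHub, Dark Reading, or the quoted experts, makes that concrete for a developer workstation: it parses each installed extension's package.json under a VS Code extensions directory, flags extensions that ship code (a `main` or `browser` entry point) and declare an always-on activation event (`*` or `onStartupFinished`), and lists the credential files and secret-bearing environment variables such an extension process could read with the developer's privileges. The credential paths, the environment-variable name markers, and the sample home directory it builds are constructed assumptions for the demonstration, not data from the incident.

```python
"""Audit installed VS Code extensions for startup activation and reachable secrets.

Added example for this page; not GitHub's, Dark Reading's, or any vendor's code.
An extension's package.json declares when it activates. One that activates on "*"
or "onStartupFinished" runs as soon as the editor opens, inside the editor process,
with the developer's full privileges. Credential paths and env-var markers below
are common conventions (assumptions), not an exhaustive list.
"""
import json
import tempfile
from pathlib import Path

# Activation events that run extension code with no user action at all.
AUTO_ACTIVATION = {"*", "onStartupFinished"}

# Credential files a developer's home directory commonly holds (assumed conventions).
CREDENTIAL_PATHS = [
    ".ssh/id_rsa", ".ssh/id_ed25519", ".aws/credentials", ".config/gh/hosts.yml",
    ".npmrc", ".docker/config.json", ".kube/config", ".git-credentials",
]
# Name fragments that usually mark an environment variable as a secret.
SECRET_ENV_MARKERS = ("TOKEN", "SECRET", "KEY", "PASSWORD")


def load_manifests(ext_root: Path):
    """Yield (directory name, parsed package.json) for each installed extension."""
    for ext_dir in sorted(p for p in ext_root.iterdir() if p.is_dir()):
        manifest = ext_dir / "package.json"
        if manifest.is_file():
            yield ext_dir.name, json.loads(manifest.read_text())


def audit_extensions(ext_root: Path) -> list[dict]:
    """Report, per extension, whether it runs code and whether it self-activates at startup."""
    findings = []
    for name, manifest in load_manifests(ext_root):
        events = set(manifest.get("activationEvents", []))
        # No 'main'/'browser' entry point means a purely declarative extension
        # (themes, snippets, grammars) that contributes data but executes nothing.
        runs_code = "main" in manifest or "browser" in manifest
        findings.append({
            "extension": name,
            "version": manifest.get("version", "?"),
            "runs_code": runs_code,
            "auto_activates": runs_code and bool(events & AUTO_ACTIVATION),
        })
    return findings


def reachable_secrets(home: Path, env: dict) -> dict:
    """List credential files and secret-like env vars an extension process could read."""
    files = [rel for rel in CREDENTIAL_PATHS if (home / rel).is_file()]
    env_names = sorted(k for k in env if any(m in k.upper() for m in SECRET_ENV_MARKERS))
    return {"files": files, "env": env_names}


def build_sample_home() -> Path:
    """Constructed sample: a home dir with a theme, a startup-activated extension, two secrets."""
    home = Path(tempfile.mkdtemp(prefix="vscode-audit-"))
    ext_root = home / ".vscode" / "extensions"
    ext_root.mkdir(parents=True)
    theme = ext_root / "publisher.theme-1.0.0"
    theme.mkdir()
    (theme / "package.json").write_text(json.dumps(
        {"name": "theme", "version": "1.0.0", "contributes": {"themes": []}}))
    helper = ext_root / "publisher.helper-2.3.1"
    helper.mkdir()
    (helper / "package.json").write_text(json.dumps(
        {"name": "helper", "version": "2.3.1", "main": "./out/extension.js",
         "activationEvents": ["onStartupFinished"]}))
    (home / ".ssh").mkdir()
    (home / ".ssh" / "id_ed25519").write_text("constructed private key, not a real one\n")
    (home / ".aws").mkdir()
    (home / ".aws" / "credentials").write_text("[default]\naws_access_key_id = constructed\n")
    return home


if __name__ == "__main__":
    sample_home = build_sample_home()
    for finding in audit_extensions(sample_home / ".vscode" / "extensions"):
        print(finding)
    # Constructed environment; on a real host pass dict(os.environ) instead.
    print(reachable_secrets(sample_home, {"GITHUB_TOKEN": "x", "PATH": "/usr/bin"}))
```

To run it against a real machine, point `audit_extensions` at `~/.vscode/extensions` and `reachable_secrets` at `Path.home()` with `dict(os.environ)`. The absence of an always-on activation event is not a clean bill of health: an extension activated by a command or a language still runs with full privileges once triggered, and newer VS Code releases infer activation events from declared contributions, so the check only catches manifests that declare startup activation explicitly. What it does show is the asymmetry the experts describe: the manifest is a few lines of JSON, and the credential list on the other side of it is the developer's entire identity.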
