A threat group called TeamPCP gained access to roughly 3,800 of GitHub’s internal code repositories after compromising an employee’s workstation through a poisoned Visual Studio Code extension. The stolen data reportedly includes source code tied to some of GitHub’s most widely used features: Actions, Copilot, and CodeQL.
The attackers are now trying to sell the exfiltrated code on underground forums, advertising a price tag of at least $50,000. If nobody bites, TeamPCP has threatened to leak the data publicly.
What happened and how it unfolded
The attack vector here is deceptively simple. TeamPCP planted a malicious extension inside VS Code, the text editor that has become the default development environment for a staggering share of the world’s programmers. When a GitHub employee installed or interacted with the compromised extension, the extension gave the attackers a foothold on that employee’s workstation.
From there, TeamPCP was able to access internal repositories. Not the public-facing platform where millions of developers store their own projects, but GitHub’s own codebase, the plumbing behind the product itself.