GitHub Confirms TeamPCP Exfiltrated 3,800 Internal Repositories Through One Poisoned VS Code Extension

GitHub confirmed TeamPCP (UNC6780) exfiltrated roughly 3,800 internal repositories after an employee installed a poisoned Visual Studio Code extension. The same actor behind the Mini Shai-Hulud worm listed the data for $50,000+ on BreachForums — framed as a sale, not a ransom.


TeamPCP has breached the internal codebase of GitHub itself — the platform the world's software supply chain is built on — using the same poisoned-IDE-extension vector it has run all month against Trivy, Checkmarx, LiteLLM, TanStack, and Mistral AI. There is no novel exploit here. GitHub is simply the highest-value victim of a playbook that is now mature, repeatable, and pointed at every developer endpoint on earth.

SAN FRANCISCO, CALIFORNIA — On May 20, 2026, GitHub confirmed that a third party gained unauthorized access to its internal source-code repositories after a GitHub employee installed a poisoned Visual Studio Code extension on a work device. GitHub assesses with current confidence that roughly 3,800 GitHub-internal repositories were exfiltrated. The threat actor — TeamPCP, tracked by Google Threat Intelligence Group as UNC6780 — claimed responsibility on the BreachForums cybercrime forum, listing GitHub's source code and internal organizations for sale at $50,000 or more and explicitly framing the listing as a sale rather than an extortion ransom. GitHub says it removed the malicious extension version, isolated the compromised endpoint, and opened incident response, and that it has found no evidence that customer organizations, enterprises, or user repositories were impacted — though the investigation is ongoing. TeamPCP is the same actor behind the Mini Shai-Hulud worm, and has compromised Trivy, Checkmarx KICS, LiteLLM, the Telnyx SDK, SailPoint, TanStack, Mistral AI, and Grafana Labs over the past six months.

Disclosure Overview

| Field | Details |
|---|---|
| Confirmation | GitHub — May 20, 2026, following TeamPCP's public claim on the BreachForums cybercrime forum |
| Threat Actor | TeamPCP — tracked by Google Threat Intelligence Group as UNC6780 |
| Entry Vector | A poisoned Visual Studio Code extension installed on one GitHub employee's work device |
| Scope | ~3,800 GitHub-internal repositories exfiltrated (GitHub current-confidence assessment) |
| Customer Impact | No evidence customer organizations, enterprises, or user repositories were affected — investigation ongoing |
| Suspected Extension | nrwl.angular-console v18.95.0 (Nx Console) — strongest circumstantial candidate; not GitHub-confirmed |
| Listing | Offered for $50,000 or more on BreachForums; framed by TeamPCP as a sale, not an extortion ransom |

What Happened

The Intrusion: One Poisoned Extension, One Endpoint

GitHub's account of the intrusion is, in mechanical terms, brief. A GitHub employee installed a malicious version of a Visual Studio Code extension on a work device. The poisoned version was reportedly identified on the employee endpoint on or around May 19, 2026. From that single compromised endpoint, the attacker reached GitHub-internal source-code repositories and exfiltrated them. There is no novel exploit chain in this story, no zero-day, and no remote intrusion against GitHub's perimeter. The entire breach turns on a developer trusting an extension — and the extension being malicious. GitHub says it removed the malicious extension version, isolated the affected endpoint, and opened a formal incident response.

The Scope: Roughly 3,800 Internal Repositories

GitHub assesses with current confidence that approximately 3,800 of its internal repositories were exfiltrated. The company has described TeamPCP's own claim of roughly 3,800 repositories as 'directionally consistent' with its investigation — a measured phrasing that neither fully ratifies nor disputes the attacker's number. GitHub states it has found no evidence that customer organizations, enterprises, or user repositories were impacted. That statement carries an important qualifier: it reflects what GitHub knows at the time of disclosure, and the investigation is ongoing. What the exfiltrated internal repositories actually contain — product source code, internal tooling, security infrastructure, or some combination — has not been detailed publicly, and neither GitHub nor outside researchers have confirmed whether any secrets, signing keys, or credentials were embedded in them.

The Suspected Extension Has Not Been Confirmed

GitHub has not formally named the extension that delivered the payload. The strongest publicly available candidate, by timing, attribution, and scale, is nrwl.angular-console version 18.95.0 — the Nx Console extension, which carries more than 2.2 million Visual Studio Code installs and was published to the Marketplace at 12:36 UTC on May 18, 2026 with malicious code injected into its main.js file. Researchers at StepSecurity documented the Nx Console compromise independently. But the link between that compromised extension and the GitHub breach is circumstantial — it rests on timing, on shared TeamPCP attribution, and on the scale of the install base, not on confirmation from GitHub. The CyberSignal is reporting the Nx Console candidate as exactly that: the leading hypothesis, not an established fact.

GitHub Internal-Repository Breach — Incident Profile

| Field | Details |
|---|---|
| Confirmed By | GitHub — May 20, 2026 |
| Threat Actor | TeamPCP / UNC6780 (Google Threat Intelligence Group designation) |
| Claim Venue | BreachForums cybercrime forum |
| Repositories Exfiltrated | ~3,800 — GitHub current-confidence figure; TeamPCP's matching claim called 'directionally consistent' |
| Asking Price | $50,000 or more for the stolen data |
| Stated Intent | TeamPCP says it will leak the data if no buyer materializes |
| GitHub Response | Malicious extension version removed, compromised endpoint isolated, incident response opened |

Scope and Impact

What makes the GitHub breach significant is not that it is unprecedented tradecraft — it is that it is the same tradecraft, pointed at the highest-value possible target. Over roughly six months, TeamPCP has compromised Aqua's Trivy security scanner, Checkmarx KICS, the LiteLLM library, the Telnyx SDK, SailPoint, TanStack, Mistral AI, and Grafana Labs. Its primary weapon is Mini Shai-Hulud, the adapted self-replicating worm it built and then open-sourced. The CyberSignal has tracked the cluster's escalation across the spring: the original Mini Shai-Hulud wave that compromised TanStack and Mistral AI; TeamPCP's $25,000 Mistral source-code auction; the copycat clones that hit npm within a week of TeamPCP open-sourcing the worm; and, on May 19, a parallel wave that minted valid Sigstore provenance badges for malicious @antv packages. GitHub is the same playbook reaching its logical endpoint.

Several material questions remain open. GitHub has not said how long TeamPCP had access before detection, whether the compromised employee held elevated or privileged repository access, or whether the breach exposed product source code, internal security tooling, or both. It is not publicly confirmed whether any secrets or signing keys were embedded in the exfiltrated repositories — a question that matters enormously, because keys in source control would extend the blast radius well beyond the code itself. Nor is it confirmed whether a buyer has purchased the data or whether TeamPCP will follow through on its stated intent to leak it. And while the GitHub breach and the May 19 @antv Sigstore wave share TeamPCP attribution, there is no public evidence that the two operations are linked beyond that shared actor.

Response and Attribution

GitHub's response was, by current assessment, fast enough to matter. Removing the malicious extension version, isolating the compromised endpoint, and opening incident response appears to have held the blast radius to internal repositories rather than customer data — though that assessment is provisional. For every other engineering organization, the immediate action is an audit: inventory every Visual Studio Code, Cursor, and JetBrains extension installed across the developer fleet, with particular attention to anything installed in the May 17-20 window. If Nx Console (nrwl.angular-console) is present anywhere, version 18.95.0 specifically should be treated as compromised — removed, rolled back to a known-good version, and followed by rotation of every credential (GitHub tokens, npm tokens, cloud credentials, SSH keys, Vault secrets) on any machine that ran it. This is the same endpoint-credential-rotation discipline The CyberSignal has urged through the node-ipc stealer-backdoor compromise and the broader developer-tooling supply-chain wave.
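The audit described above, as an added example that is not GitHub's, Nx's or The CyberSignal's tooling: it walks a VS Code extensions directory (the real layout is ~/.vscode/extensions/<publisher>.<name>-<version>/package.json), flags the one version the article names as the leading candidate, and separately flags anything whose directory timestamp falls in the May 17-20 window. The directory-mtime heuristic for "installed at", the known-bad table and the sample extensions in the temp tree are all assumptions or constructed for the demo.

```python
"""Audit installed VS Code extensions for a known-bad version and for
anything installed in a suspect date window.

Added example, not GitHub's or The CyberSignal's tooling. Assumptions:
- each extension is a directory with a package.json carrying "publisher",
  "name" and "version" (the real VS Code layout); the folder name is ignored.
- the install date is approximated by the directory's modification time,
  which is a heuristic: a sync tool or fresh clone can reset it.
"""
import json
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import List, Optional

# Known-bad versions. The only entry is the Nx Console version the reporting
# names as the leading (GitHub-unconfirmed) candidate for the breach.
KNOWN_BAD = {("nrwl", "angular-console"): {"18.95.0"}}

# Suspect install window from the article (May 17-20, 2026), in UTC.
WINDOW_START = datetime(2026, 5, 17, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 5, 21, tzinfo=timezone.utc)


def load_extension(pkg_json: Path) -> Optional[dict]:
    """Return publisher/name/version/installed_at for one extension, or None
    when package.json is unreadable or missing fields (skip, don't crash)."""
    try:
        meta = json.loads(pkg_json.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return None
    if not all(k in meta for k in ("publisher", "name", "version")):
        return None
    mtime = datetime.fromtimestamp(pkg_json.parent.stat().st_mtime, tz=timezone.utc)
    return {
        "publisher": meta["publisher"],
        "name": meta["name"],
        "version": str(meta["version"]),
        "installed_at": mtime,
    }


def audit_extensions(ext_root: Path) -> List[dict]:
    """Walk one extensions directory and return findings: the extension record
    plus a 'reasons' list ('known-bad-version', 'installed-in-window').
    Extensions with no reason are not returned."""
    findings = []
    for pkg_json in sorted(ext_root.glob("*/package.json")):
        ext = load_extension(pkg_json)
        if ext is None:
            continue
        reasons = []
        if ext["version"] in KNOWN_BAD.get((ext["publisher"], ext["name"]), set()):
            reasons.append("known-bad-version")
        if WINDOW_START <= ext["installed_at"] < WINDOW_END:
            reasons.append("installed-in-window")
        if reasons:
            findings.append({**ext, "reasons": reasons})
    return findings


def build_sample_tree(root: Path) -> Path:
    """Construct a fake extensions directory so the audit runs offline.
    Extensions, versions and timestamps are made up for this demo."""
    ext_root = root / ".vscode" / "extensions"
    samples = [
        ("nrwl", "angular-console", "18.95.0", datetime(2026, 5, 18, 13, 0, tzinfo=timezone.utc)),
        ("nrwl", "angular-console", "18.94.0", datetime(2026, 4, 2, tzinfo=timezone.utc)),
        ("ms-python", "python", "2026.4.0", datetime(2026, 5, 19, tzinfo=timezone.utc)),
        ("esbenp", "prettier-vscode", "11.0.0", datetime(2026, 1, 10, tzinfo=timezone.utc)),
    ]
    for publisher, name, version, when in samples:
        d = ext_root / f"{publisher}.{name}-{version}"
        d.mkdir(parents=True)
        (d / "package.json").write_text(
            json.dumps({"publisher": publisher, "name": name, "version": version}))
        ts = when.timestamp()
        os.utime(d, (ts, ts))  # set the directory mtime after writing into it
    return ext_root


def run_demo() -> List[dict]:
    """Build the sample tree, audit it, print and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        findings = audit_extensions(build_sample_tree(Path(tmp)))
    for f in findings:
        print(f"{f['publisher']}.{f['name']}@{f['version']}: {', '.join(f['reasons'])}")
    return findings


if __name__ == "__main__":
    run_demo()
```

To run it against a real fleet, point audit_extensions at each user's extensions directory (and the equivalent directories for Cursor and other VS Code forks) and feed the findings into the credential-rotation list; a 'known-bad-version' hit is the trigger, an 'installed-in-window' hit is a lead to review by hand.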

One detail deserves to be read carefully. TeamPCP explicitly framed its BreachForums listing as a sale and said it is 'not interested in extorting GitHub.' That framing is not a courtesy — it is a deliberate legal-exposure hedge. Extortion statutes and data-trafficking statutes are not the same, and presenting stolen data as a commodity for sale rather than as leverage against the victim is a calculated positioning choice. It is the same framing TeamPCP used for its $25,000 Mistral AI source-code auction, and it is worth flagging for policy and regulator-engagement teams: the legal architecture around stolen-data marketplaces has not caught up with how these actors now operate. The same week, Grafana Labs refused a CoinbaseCartel ransom outright — a reminder that the monetization layer of these breaches is fragmenting into auctions, ransoms, and brokered sales, each with different legal and defensive implications.


The CyberSignal Analysis

Signal 01 — The Developer-Trust Surface Is Now the Primary Enterprise Attack Vector

The most important takeaway is also the simplest: TeamPCP did not need a novel exploit to breach GitHub. It used the developer-trust surface — the implicit trust developers extend to IDE extensions, package registries, and the tooling that runs on their endpoints. GitHub is the highest-value victim imaginable, the platform the global software industry is built on, and it was reached the same way Trivy, Checkmarx, LiteLLM, TanStack, and Mistral AI were reached. CISOs should brief their boards on exactly this point. If GitHub is reachable through a poisoned extension on one employee's laptop, every organization is reachable through the same vector. The supply-chain risk register needs re-baselining: IDE extensions, package registries, and CI/CD secrets are Tier 1 concerns now, not peripheral ones. It is the closing argument of a months-long pattern The CyberSignal has documented since GitHub's own CVE-2026-3854 cross-tenant exposure.

Signal 02 — IDE Extension Marketplaces Are an Unreviewed Supply Chain

The Visual Studio Code Marketplace has no meaningful pre-publication malware review. An extension can be published, accrue millions of installs, and ship a malicious update — and the first line of defense is a developer noticing. That is not a supply chain; it is an honor system. Engineering organizations should move IDE extensions formally into their software-supply-chain threat model and implement extension allowlisting for developer IDEs, treating the marketplace as an untrusted source by default. DevSecOps and platform teams should deploy endpoint telemetry that watches IDE extension processes for anomalous behavior — outbound connections, credential-file access, child-process spawning — and SOC teams should hunt for connections from Code.exe and IDE child processes to non-Microsoft infrastructure. The GitHub breach is the canonical incident; build the 'compromised IDE extension' playbook around it.
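One shape the hunt described above can take, as an added example that is not GitHub's, Microsoft's or The CyberSignal's detection logic: rebuild the process tree from process-create records, attribute each outbound connection to an IDE ancestor if one exists (so a PowerShell or node child spawned by an extension still counts), and flag destinations outside an allowlist. The telemetry schema, the sample events, and the allowlist of vendor domains are all constructed or assumed; a real deployment would derive the allowlist from observed baseline traffic.

```python
"""Hunt for network connections from IDE processes, and their child
processes, to hosts outside an allowlist.

Added example, not GitHub's, Microsoft's or The CyberSignal's detection
logic. Assumed telemetry: flat dicts with a "process" record per
process-create event (pid, ppid, image) and a "network" record per outbound
connection (pid, dest_host, dest_port). The allowlist is illustrative.
"""
from typing import Dict, List

IDE_IMAGES = {"code.exe", "code", "cursor.exe", "cursor", "idea64.exe", "idea"}

# Hypothetical allowlist of domains an IDE is expected to contact. Tune per org.
ALLOWED_SUFFIXES = (
    "visualstudio.com", "microsoft.com", "github.com",
    "githubusercontent.com", "vscode-cdn.net",
)


def basename(image: str) -> str:
    """Lower-cased file name of an image path, Windows or POSIX."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def allowed(host: str) -> bool:
    """Exact or parent-domain match; 'visualstudio.com.evil.example' fails."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in ALLOWED_SUFFIXES)


def ancestry(pid: int, procs: Dict[int, dict], max_depth: int = 32) -> List[str]:
    """Image names from pid up to the root. Depth-capped and cycle-checked so
    malformed parent links in the telemetry cannot hang the hunt."""
    chain, seen = [], set()
    while pid in procs and pid not in seen and len(chain) < max_depth:
        seen.add(pid)
        chain.append(basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return chain


def hunt(events: List[dict]) -> List[dict]:
    """Return one finding per connection whose process descends from an IDE
    and whose destination is not on the allowlist."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        if e["type"] != "network":
            continue
        chain = ancestry(e["pid"], procs)
        ide = next((img for img in chain if img in IDE_IMAGES), None)
        if ide is None or allowed(e["dest_host"]):
            continue
        findings.append({
            "pid": e["pid"],
            "process": chain[0] if chain else "?",
            "ide_ancestor": ide,
            "chain": " <- ".join(chain),
            "dest": f"{e['dest_host']}:{e['dest_port']}",
        })
    return findings


# Constructed sample telemetry: pids, paths and hosts are all made up.
VSCODE = r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe"
SAMPLE_EVENTS = [
    {"type": "process", "pid": 1, "ppid": 0, "image": r"C:\Windows\explorer.exe"},
    {"type": "process", "pid": 100, "ppid": 1, "image": VSCODE},
    {"type": "process", "pid": 200, "ppid": 100, "image": VSCODE},  # extension host
    {"type": "process", "pid": 300, "ppid": 200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "process", "pid": 400, "ppid": 1, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"type": "network", "pid": 100, "dest_host": "marketplace.visualstudio.com", "dest_port": 443},
    {"type": "network", "pid": 200, "dest_host": "update.code.visualstudio.com", "dest_port": 443},
    {"type": "network", "pid": 300, "dest_host": "drop.example.net", "dest_port": 443},
    {"type": "network", "pid": 400, "dest_host": "drop.example.net", "dest_port": 443},
    {"type": "network", "pid": 200, "dest_host": "api.example-telemetry.net", "dest_port": 8443},
]


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"pid {f['pid']} {f['process']} (under {f['ide_ancestor']}) -> {f['dest']}  [{f['chain']}]")
```

The same browser-to-drop.example.net connection is deliberately left unflagged: the signal is not the destination alone but the destination combined with an IDE in the process lineage, which keeps the hunt from drowning in ordinary web traffic.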

Signal 03 — Zero-Standing-Privilege for Developer Endpoints Is No Longer Optional

The GitHub breach demonstrates that a single developer endpoint can expose thousands of internal repositories. The structural defense is to ensure no developer endpoint has that much standing reach in the first place. Restrict developer access to internal repositories through just-in-time access grants and short-lived tokens; segment developer workstations from production-credential access; and assume any developer laptop can be compromised through its tooling. The question a CISO should be able to answer after this incident is not 'are our developers careful?' but 'if one developer laptop is fully compromised tonight, how many repositories does the attacker reach?' For GitHub, that number was roughly 3,800. The goal of zero-standing-privilege developer environments is to make that number as close to zero as the work allows.
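The CISO question above, turned into a computation, as an added example that is not GitHub's access model or tooling: given a constructed org graph, count the repositories one identity's tokens could reach right now, first with standing team membership and then with just-in-time grants that expire. The teams, repositories, users and grant windows are all made up for the demo.

```python
"""Estimate the repository blast radius of one compromised developer identity.

Added example, not GitHub's access model or tooling. Everything below is a
constructed org graph; the point is the computation: 'if this identity's
laptop is fully compromised now, how many repositories can it reach?', once
with standing team access and once with time-bounded just-in-time grants.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set, Tuple

# Constructed org: 40 internal repos, two teams, one developer of interest.
REPOS = [f"internal/svc-{i:03d}" for i in range(40)]
TEAM_REPOS: Dict[str, List[str]] = {
    "engineering": REPOS,       # broad standing reach to everything
    "platform": REPOS[:10],     # a narrower team
}
NOW = datetime(2026, 5, 20, 9, 0, tzinfo=timezone.utc)

# Model A: standing membership in broad teams.
STANDING_MEMBERSHIP: Dict[str, Set[str]] = {"engineering": {"alice"}, "platform": {"alice"}}
# Model B: no standing repo reach; access comes only from JIT grants.
JIT_MEMBERSHIP: Dict[str, Set[str]] = {"engineering": set(), "platform": set()}

# JIT grants carry an explicit window; an expired grant confers nothing.
JIT_GRANTS = [
    {"user": "alice", "repo": REPOS[3],
     "granted": NOW - timedelta(hours=2), "expires": NOW + timedelta(hours=6)},
    {"user": "alice", "repo": REPOS[7],
     "granted": NOW - timedelta(minutes=30), "expires": NOW + timedelta(hours=7, minutes=30)},
    {"user": "alice", "repo": REPOS[20],                       # expired three days ago
     "granted": NOW - timedelta(days=3), "expires": NOW - timedelta(days=3) + timedelta(hours=8)},
    {"user": "bob", "repo": REPOS[30],                         # someone else's grant
     "granted": NOW - timedelta(hours=1), "expires": NOW + timedelta(hours=7)},
]


def reachable_repos(user: str, membership: Dict[str, Set[str]],
                    team_repos: Dict[str, List[str]], grants: List[dict],
                    now: datetime) -> Set[str]:
    """Union of repos reachable via team membership and via grants active at `now`."""
    repos: Set[str] = set()
    for team, members in membership.items():
        if user in members:
            repos.update(team_repos.get(team, ()))
    for g in grants:
        if g["user"] == user and g["granted"] <= now < g["expires"]:
            repos.add(g["repo"])
    return repos


def blast_radius(user: str, membership: Dict[str, Set[str]],
                 grants: List[dict], now: datetime = NOW) -> int:
    return len(reachable_repos(user, membership, TEAM_REPOS, grants, now))


def compare(user: str = "alice") -> Tuple[int, int]:
    """(standing-access blast radius, JIT-only blast radius) for one user."""
    standing = blast_radius(user, STANDING_MEMBERSHIP, JIT_GRANTS)
    jit = blast_radius(user, JIT_MEMBERSHIP, JIT_GRANTS)
    return standing, jit


if __name__ == "__main__":
    standing, jit = compare()
    print(f"standing team access: {standing} of {len(REPOS)} repos reachable")
    print(f"JIT grants only:      {jit} of {len(REPOS)} repos reachable")
```

Run against a real org, the inputs would come from the platform's team and permission APIs and the output is the number to put in front of the board; the discipline the passage argues for is making the JIT figure the normal case rather than the exception.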


Sources

| Type | Source |
|---|---|
| Primary | The Record — GitHub Confirms TeamPCP Hack, Customers Unaffected |
| Reporting | BleepingComputer — GitHub Investigates Internal Repositories Breach Claimed by TeamPCP |
| Reporting | The Hacker News — GitHub Investigating TeamPCP-Claimed Breach |
| Reporting | TechCrunch — GitHub Says Hackers Stole Data From Thousands of Internal Repositories |
| Reporting | Help Net Security — GitHub Breached by TeamPCP (UNC6780) |
| Analysis | Phoenix Security — TeamPCP GitHub Breach and the PyPI Supply-Chain Wave |
| Primary | StepSecurity — Nx Console VS Code Extension Compromised |
| Related | The CyberSignal — TeamPCP's $25K Mistral Auction: Source Code, Seven Days, and a Confirmed Breach |
| Related | The CyberSignal — TeamPCP Leaked the Shai-Hulud Source. A Copycat Pushed Clones Within a Week. |
