GitHub Hacker Claims Security Breach Involved About 4,000 Internal Repositories, Takes Bids on Stolen Data

GitHub confirmed on May 19 a security breach in which a hacker group called TeamPCP stole 3,800 internal repositories using a malicious VS Code script. The stolen data was later listed for sale on the Lapsus$ portal for $95,000. The company stated there was no evidence of customer data compromise but warned that the breach could expose source code and internal development logic, and urged developers to enforce stronger security measures.
GitHub confirmed on May 19 that a security breach exposed at least 3,800 internal repositories, attributed to the hacker group TeamPCP. The attack originated from a compromised VS Code extension, which GitHub has since removed. The company stated no customer data was impacted but acknowledged the breach could still pose risks to source code and internal development processes.

TeamPCP, a relatively new but active hacking group, claimed responsibility and partnered with Lapsus$ to sell the stolen data on an underground portal. The asking price rose from $50,000 to $95,000 after moving the listing from BreachForums to Lapsus$’s platform. The group has previously exploited vulnerabilities in React2Shell and Aqua Security’s Trivy scanner, demonstrating a pattern of targeting open-source and developer tools.

GitHub’s statement reassured users that no customer repository data or internal customer information was compromised. However, security experts warned the breach could have long-term implications, as unauthorized access to source code and secrets could enable further attacks. Boris Cipot, Principal Security Engineer at Black Duck, emphasized that developers must treat their supply chain as a critical security risk, enforcing multi-factor authentication, limiting third-party integrations, and regularly rotating credentials.

The incident has raised concerns about GitHub’s role in the global software supply chain, given its widespread use by developers and organizations. While GitHub has taken steps to mitigate the breach, the incident highlights ongoing vulnerabilities in developer tools and the need for heightened security across the industry. Experts urge teams to adopt a proactive approach, treating development environments with the same security rigor as production systems.