GitHub is a platform where developers store their source code. More than 180 million people and 4 million companies use the platform. But in a strange turn of events, the same platform built to host and protect code is now dealing with a code leak of its own.

On Tuesday, a hacker group known as TeamPCP, which has been linked to several cyberattacks this year, listed alleged internal repositories from GitHub for sale on a cybercrime forum for $50,000. The leaked repositories are reportedly around 4,000 in total.

How did this GitHub leak happen?

For such a huge number of repositories to reportedly be breached, you’d expect a highly sophisticated operation. But that does not appear to be what happened here. According to reports, the breach began after an employee installed a malicious Visual Studio Code extension. That single action allegedly gave attackers access to GitHub’s internal systems.

If those internal repositories are truly exposed, attackers could potentially learn how GitHub’s systems work behind the scenes, something that could create broader security concerns.

Screenshots shared online also show TeamPCP discussing the leak. “As always, this is not a ransom. We do not care about extorting GitHub, 1 buyer and we shred the data on our end… if no buyer is found, we leak it for free,” the group reportedly said.

GitHub, however, says it has already taken steps to contain the breach. In a post on X, the company said: “Our current assessment is that the activity involved exfiltration of GitHub-internal repositories only. The attacker’s current claims of ~3,800 repositories are directionally consistent with our investigation so far. We moved quickly to reduce risk. Critical secrets were rotated yesterday and overnight, with the highest-impact credentials prioritized first.”

The company also stressed that, so far, there is no evidence that customer repositories or user data were affected. GitHub previously stated that “we currently have no evidence of impact to customer information stored outside of GitHub’s internal repositories (such as our customers’ enterprises, organizations, and repositories).”

A supposed account linked to TeamPCP later pushed back against GitHub’s response, posting on X: “GitHub knew for hours; they delayed telling you and they won’t be honest in the future. What an amazing run, it’s been an honor to play around with the cats over the past few months.”

Code-hosting platforms have become prime targets for attackers over the years because they sit at the centre of the software supply chain. Back in 2022, GitHub disclosed that attackers stole OAuth tokens from third-party integrations, allowing limited access to dozens of organisations’ private repositories.

Similar incidents have also hit platforms like GitLab and Codecov. The Codecov breach in 2021 became particularly infamous after attackers modified a script used in CI/CD pipelines, exposing customer credentials across multiple companies.

What should GitHub users do now?

Same as always. Turn on two-factor authentication, add a passkey, and be cautious of phishing emails or fake security alerts. Cybercriminals often use high-profile breaches like this to trick users into giving away credentials.

GitHub says the investigation is still ongoing, while TeamPCP claims it already has the data. For now, no customer information has been confirmed stolen. But a breach involving the world’s largest code-hosting platform is never a small story, especially when the attackers are already threatening to leak everything for free.

CISA GitHub Data Leak: Sensitive Credentials, Passwords Posted to Public Repository
This was the result of a CISA contractor disabling GitHub’s secret detection and uploading sensitive credentials to a public repo named “Private-CISA.”
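The control that the CISA note says was switched off, and the one GitHub leaned on when it rotated exposed secrets, is secret detection: refusing to let credential-shaped strings into a repository in the first place. The following is an added example, not GitHub’s own scanner or anything from TeamPCP’s leak, showing what such a gate does locally as a pre-commit check. It reads the staged diff (as produced by `git diff --cached`), looks only at added lines, matches a few well-known token shapes plus a Shannon-entropy heuristic for opaque strings, and refuses the commit if anything is found. The pattern list, the entropy threshold, and the sample diff (with the AWS documentation example key and an obviously fake `ghp_` token) are all constructed for illustration; a real deployment would extend the patterns and still keep the platform-side scanning enabled.

```python
"""Pre-commit secret gate (illustrative, added example).

Usage as a hook:  git diff --cached | python secret_gate.py
Exit status 1 means a credential-looking string was found on an added line.
"""
import math
import re
import sys
from collections import Counter
from dataclasses import dataclass

# Constructed, deliberately short list of credential shapes. The first two
# follow publicly documented token formats; the rest are generic heuristics.
PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "password_assignment": re.compile(
        r"(?i)(?:password|passwd|secret)\s*[=:]\s*['\"]([^'\"]{8,})['\"]"
    ),
}
# Long runs of base64/url-safe characters that no named pattern covers.
OPAQUE_TOKEN = re.compile(r"[A-Za-z0-9+/=_\-]{32,}")
DEFAULT_ENTROPY_THRESHOLD = 4.0  # bits per character; tuned by hand for the demo


@dataclass(frozen=True)
class Finding:
    line: int      # 1-based line number within the diff text
    kind: str      # which rule fired
    preview: str   # redacted match, safe to print in hook output


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(match: str) -> str:
    """Keep a short prefix so the finding is recognisable without echoing the secret."""
    keep = min(4, len(match))
    return match[:keep] + "*" * (len(match) - keep)


def scan_text(diff_text: str, entropy_threshold: float = DEFAULT_ENTROPY_THRESHOLD) -> list:
    """Scan a unified diff; only '+' lines (not the '+++' file header) are examined."""
    findings = []
    for lineno, raw in enumerate(diff_text.splitlines(), 1):
        if not raw.startswith("+") or raw.startswith("+++"):
            continue  # context, removals and headers are not new content
        line = raw[1:]
        matched_spans = []
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                matched_spans.append(m.span())
                findings.append(Finding(lineno, kind, redact(m.group(0))))
        # Entropy heuristic for anything the named patterns did not already cover.
        for m in OPAQUE_TOKEN.finditer(line):
            overlaps = any(s <= m.start() < e or s < m.end() <= e for s, e in matched_spans)
            if overlaps:
                continue
            if shannon_entropy(m.group(0)) >= entropy_threshold:
                findings.append(Finding(lineno, "high_entropy_string", redact(m.group(0))))
    return findings


def gate(diff_text: str) -> bool:
    """True when the diff is clean, False when the commit should be refused."""
    return not scan_text(diff_text)


# Constructed sample diff: fake values only (AKIAIOSFODNN7EXAMPLE is the AWS
# documentation example key; the ghp_ token is the alphabet, not a real PAT).
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,3 +1,7 @@
 DEBUG = False
+# constructed example values, not real credentials
+GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "hunter2hunter2"
+SESSION_SIGNING_KEY = "q7Zk2pW9vL4mN8xR3tB6yH1jC5dF0gSa"
-OLD_TOKEN = "ghp_zyxwvutsrqponmlkjihgfedcba9876543210"
 # password policy is documented in SECURITY.md
"""

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF
    hits = scan_text(text)
    for f in hits:
        print(f"line {f.line}: {f.kind}: {f.preview}")
    sys.exit(0 if not hits else 1)
```

Removed lines and context lines are ignored on purpose: a secret that is already in history is a rotation problem, not something a pre-commit hook can undo, which is why GitHub’s response to its own incident was to rotate credentials rather than to scrub the repositories.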