Did the GitHub Breach Aim to ‘Fix’ Availability? Inside the TeamPCP Attack
In May 2026 GitHub disclosed that a malicious VS Code extension installed on an employee’s machine led to the theft of roughly 3,800 private repositories by the threat group TeamPCP, which demanded $50,000 for the data, claimed the breach was about availability, and later expanded the campaign into a supply‑chain worm targeting PyPI packages and cloud credentials.
On May 19 2026 GitHub announced an investigation into a severe internal‑repository breach after the threat group TeamPCP posted on a dark‑web forum that it had exfiltrated about 4,000 private GitHub repositories and was offering the data for at least $50,000.
GitHub later confirmed that approximately 3,800 internal repositories were compromised and identified the attack vector as a malicious Microsoft Visual Studio Code extension installed on an employee’s workstation.
The company stated that the breach appears limited to internal repository code, with no evidence of customer data exposure, and responded by rotating critical keys and prioritising remediation of the most impacted credentials.
TeamPCP mocked GitHub on the X platform, suggesting the intrusion was “helping solve availability issues,” a claim echoed by some observers who speculated the attackers might be pressuring GitHub to improve reliability.
Timeline of events:
May 19 2026 – TeamPCP posted the sale offer on the Breached forum, providing sample verification and stating the operation was not ransomware.
May 19 2026 – GitHub issued an initial statement on X, confirming an investigation and noting no customer data impact.
May 20 2026 – GitHub updated its statement, confirming detection and containment of an employee‑device compromise involving a poisoned VS Code extension.
May 20 2026 – GitHub officially acknowledged the theft of about 3,800 internal repositories, aligning with the attacker’s claims.
The malicious extension injected code that acted as a multi‑stage credential stealer and supply‑chain poisoning tool. Although GitHub did not name the extension, it noted that the Nx Console extension had recently suffered a similar attack, with the threat actor deploying a multi‑phase credential‑stealing payload.
TeamPCP’s ransom note explicitly stated the operation was not ransomware, demanded a minimum of $50,000, and warned that the data would be released for free if no buyer emerged.
Historical context shows TeamPCP’s prior supply‑chain attacks: in March 2025 they compromised Aqua Security’s Trivy scanner, in April 2025 they infected the open‑source LiteLLM library, and in May 2026 they launched the “Mini Shai‑Hulud” campaign against packages such as TanStack, Mistral AI, and Guardrails AI, even compromising two OpenAI employee devices.
During the same period, the Mini Shai‑Hulud worm targeted the durabletask PyPI package, using stolen GitHub credentials to publish a malicious version. The payload fetched a second‑stage module (rope.pyz) from check.git-service[.]com, which harvested cloud provider tokens, password‑manager vaults (HashiCorp Vault, 1Password, Bitwarden), SSH keys, Docker credentials, VPN configs, and shell history.
Lateral movement mechanisms included AWS Systems Manager (SSM) to spread across EC2 instances and kubectl exec to propagate within Kubernetes clusters.
A geopolitical trigger was embedded: if the compromised system detected settings associated with Israel or Iran, there was a one‑in‑six chance the malware would play an audio clip and then execute rm -rf /*.
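As an added illustration (not code from the original article or from the cited write-ups), the following routine runs over constructed endpoint telemetry lines and tags the stages described above: the second-stage fetch of rope.pyz from check.git-service[.]com, reads of credential stores, SSM or kubectl lateral movement, and the destructive wipe. The log format, hostname and credential-file paths are assumptions; only the domain, file name and commands come from the text.

```python
import re

# Constructed sample telemetry (not real captures): "<ts> <host> <event> <detail>".
SAMPLE_EVENTS = [
    "2026-05-20T09:01:02Z build01 net_connect dst=check.git-service.com:443 proc=python3",
    "2026-05-20T09:01:03Z build01 file_write path=/tmp/rope.pyz proc=python3",
    "2026-05-20T09:01:05Z build01 file_read path=/home/ci/.aws/credentials proc=python3",
    "2026-05-20T09:01:05Z build01 file_read path=/home/ci/.ssh/id_ed25519 proc=python3",
    "2026-05-20T09:01:09Z build01 proc_exec cmd='aws ssm send-command --targets Key=instanceids,Values=i-0abc'",
    "2026-05-20T09:01:12Z build01 proc_exec cmd='kubectl exec -n prod deploy/api -- sh'",
    "2026-05-20T09:01:20Z build01 proc_exec cmd='sh -c \"rm -rf /*\"'",
    "2026-05-20T09:02:00Z build01 file_read path=/etc/hostname proc=python3",
]

# Stage rules: domain, file name and commands are from the write-up above;
# the credential-store paths are assumed locations for the stores it names.
RULES = {
    "second_stage_fetch": re.compile(r"check\.git-service\.com|rope\.pyz"),
    "credential_store_read": re.compile(
        r"file_read path=\S*(?:\.aws/credentials|\.ssh/|\.docker/config\.json"
        r"|\.bash_history|\.zsh_history)"),
    "lateral_movement": re.compile(r"proc_exec .*(?:aws ssm send-command|kubectl exec)"),
    "destructive_command": re.compile(r"rm -rf /\*?"),
}


def classify(line):
    """Return the names of every stage rule that matches one telemetry line."""
    return [name for name, rx in RULES.items() if rx.search(line)]


def scan_events(lines):
    """Return (rule, line) findings for every matching line, in log order."""
    return [(name, line) for line in lines for name in classify(line)]


def stage_hits(lines):
    """Count findings per stage so the triage view shows the whole chain."""
    counts = {name: 0 for name in RULES}
    for name, _ in scan_events(lines):
        counts[name] += 1
    return counts


def should_escalate(lines):
    """Fetch + credential read + lateral movement on one host is the worm pattern."""
    hits = stage_hits(lines)
    return all(hits[s] for s in ("second_stage_fetch", "credential_store_read", "lateral_movement"))


if __name__ == "__main__":
    for name, line in scan_events(SAMPLE_EVENTS):
        print(f"[{name}] {line}")
    print("escalate:", should_escalate(SAMPLE_EVENTS))
```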