GitHub announced that, after an employee's computer was compromised through a malicious VS Code extension, an attacker gained unauthorized access to nearly 3,800 internal code repositories. The company then launched an in-depth security investigation. The Microsoft-owned platform says it quickly contained the threat once detected: it removed the malicious extension, quarantined the affected system and activated its incident response protocol.
Group Responsible for the Attack: TeamPCP
A hacker group known as TeamPCP has been confirmed to be behind the attack. Law enforcement officials and independent researchers say the group relies on largely automated intrusion techniques aimed at software developers. TeamPCP claimed to have taken approximately 4,000 repositories from GitHub's servers, including code for underlying infrastructure, and began offering the leaked data on underground forums for a base price of at least $50,000.
In its statement, GitHub said that customer repositories, enterprise installations and user accounts were not affected; only code repositories on internal systems were targeted.
Experts noted that TeamPCP sought to harvest valuable session keys and authentication credentials by exploiting developer environments and automated code distribution processes.
Mini dictionary: VS Code extensions are small pieces of software that add functionality to Microsoft's popular code editor, Visual Studio Code. Because an extension runs with the same privileges as the editor itself, a malicious one can quietly execute on the developer's system and read sensitive data such as tokens and SSH or cloud credentials.
Security Measures and Process
Following the incident, GitHub rotated potentially compromised access keys and began a thorough review of system logs. The company said its security teams have stepped up monitoring to detect suspicious activity. A final report is to be shared publicly once the investigation is complete.
| Event | Number of Repositories Affected | Group/Organization Involved | Targeted Data |
|---|---|---|---|
| GitHub attack | 3,800+ | TeamPCP | Internal code, credentials |
| Grafana Labs Supply Chain | unknown | unknown | Infrastructure code, credentials |
Concerns and Warnings in the Crypto Community
Following the incident, Binance founder Changpeng Zhao issued a pointed warning to software developers, especially those in the crypto industry. Zhao urged all crypto developers to rotate, without delay, any API credentials embedded in their code bases or stored in private repositories.
All developers are advised to review immediately and replace API keys stored in their source code, whether in public or private repositories.
Crypto application developers rely heavily on the resources and repository infrastructure GitHub provides. Automated trading systems, wallet access keys and other confidential material are often kept in code repositories. Experts stress that hard-coding sensitive keys into a project's source poses a serious risk and recommend running comprehensive scans with dedicated tools such as gitleaks, Trivy and GitHub Secret Scanning.
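As an added illustration of the kind of check those tools perform (this is example code written for this article, not the code of gitleaks, Trivy or GitHub Secret Scanning), the Python below runs a handful of regex rules plus a Shannon-entropy check over a small in-memory "repository". The file contents, the rule set and the token strings are all constructed for the example: the `ghp_` token is a made-up string in the GitHub personal-access-token format and the AWS key is the placeholder AWS uses in its own documentation. The inline `gitleaks:allow` marker mirrors the comment gitleaks honours for suppressing a finding; everything else is deliberately simplified.

```python
"""Toy secret scanner in the spirit of gitleaks: regex rules plus a Shannon-entropy
filter, run over constructed sample files. Illustration only, not gitleaks' own rules."""
import math
import re
from collections import Counter

# Constructed sample repository contents (assumption: stands in for a git checkout).
# The ghp_ token is made up; AKIAIOSFODNN7EXAMPLE is AWS's documentation placeholder.
SAMPLE_FILES = {
    "config/settings.py": [
        'GITHUB_TOKEN = "ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8"',
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
        'BINANCE_API_KEY = "k9Ff2QxL7pW3sV8nZ1bR4tHy"',
        'api_key = "aaaaaaaaaaaaaaaaaaaaaaaa"  # low-entropy placeholder, not a secret',
        'TEST_TOKEN = "k9Ff2QxL7pW3sV8nZ1bR4tHy"  # gitleaks:allow',
        "DEBUG = True",
    ],
    "README.md": [
        "Set BINANCE_API_KEY in the environment; never commit it.",
    ],
}

# (rule id, pattern, capture group holding the secret, minimum entropy in bits/char).
# Specific formats come first; the generic rule only fires on high-entropy values.
RULES = [
    ("github-pat", re.compile(r"ghp_[A-Za-z0-9]{36}"), 0, 0.0),
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), 0, 0.0),
    (
        "generic-api-key",
        re.compile(
            r"(?:api[_-]?key|secret|token)\s*[=:]\s*['\"]([A-Za-z0-9_\-]{20,})['\"]",
            re.IGNORECASE,
        ),
        1,
        3.5,
    ),
]

# Inline suppression marker, modelled on the one gitleaks recognises.
ALLOW_MARKER = "gitleaks:allow"


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking keys score well above 3.5."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(secret: str) -> str:
    """Keep a recognisable prefix so a finding can be triaged without re-leaking it."""
    return secret[:4] + "*" * (len(secret) - 4)


def scan_file(path: str, lines: list[str]) -> list[dict]:
    findings = []
    for lineno, line in enumerate(lines, start=1):
        if ALLOW_MARKER in line:
            continue  # explicitly allow-listed by the developer
        for rule_id, pattern, group, min_entropy in RULES:
            m = pattern.search(line)
            if not m:
                continue
            secret = m.group(group)
            entropy = shannon_entropy(secret)
            if entropy < min_entropy:
                continue  # looks like a placeholder, not a real key
            findings.append({
                "path": path, "line": lineno, "rule": rule_id,
                "entropy": round(entropy, 2), "redacted": redact(secret),
            })
            break  # first matching rule wins, so each line is reported once
    return findings


def scan_repo(files: dict[str, list[str]]) -> list[dict]:
    findings = []
    for path, lines in files.items():
        findings.extend(scan_file(path, lines))
    return findings


if __name__ == "__main__":
    for f in scan_repo(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']} [{f['rule']}] entropy={f['entropy']} {f['redacted']}")
```

Run as-is it reports three findings (the GitHub token, the AWS key and the Binance key) and stays silent on the all-`a` placeholder and the allow-listed test token. In a real pipeline the scan should cover git history as well as the working tree, since a key deleted in a later commit is still retrievable from earlier ones, and any key it finds should be treated as compromised and rotated rather than merely removed.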
Grafana Labs recently suffered a supply chain attack of its own, which has amplified the industry-wide repercussions of the GitHub incident. In addition, a serious security vulnerability (CVE-2026-3854) disclosed at the end of April drew attention to the fact that millions of public and private repositories were at risk.
Major Platforms Are Committed to Monitoring and Notification
GitHub said it will keep its infrastructure under heightened monitoring and provide regular updates until the investigation is complete.
