Earlier today, attackers accessed GitHub’s internal repositories after compromising an employee’s computer through a malicious Visual Studio Code extension.
After the intrusion, reports surfaced that an actor using the alias “TeamPCP” was allegedly advertising roughly 4,000 of GitHub’s private repositories for sale on a cybercriminal forum, with a minimum asking price reported at $50,000.
GitHub’s Account of the Incident
GitHub confirmed the breach through posts on its official X account, describing the initial findings. According to the company, the attacker gained entry to an internal repository by using a tainted VS Code extension installed on an employee’s device.
GitHub said it removed the malicious extension from the affected machine as soon as the attack was detected. Crucially, the company stated there is no current evidence that customer data stored outside GitHub’s internal systems — including individual users’, enterprises’, organizations’, or external repositories — was accessed.
GitHub also reported that it acted quickly to rotate credentials, prioritizing the most sensitive secrets first. The company is reviewing logs to determine whether there was any further activity and will provide more information when the investigation is complete.
Independent cybersecurity researcher Sébastien Latombe flagged a listing on a criminal forum from a user named “TeamPCP” that claims responsibility for the attack. The listing mentioned repositories related to GitHub Actions, GitHub Enterprise, GitHub Copilot, Azure, CodeQL, billing, and authentication services.
According to the forum post, the threat actor is apparently seeking a single buyer rather than attempting to extort GitHub, with a claimed minimum price of $50,000. However, neither GitHub nor Microsoft has confirmed the contents of that listing, and claims on criminal forums should be treated cautiously. Such posts can be outdated, inaccurate, or exaggerated to inflate perceived value.
Security Concerns Ripple Through the Crypto Community
The breach prompted immediate concern across the developer and crypto communities. Binance co-founder Changpeng Zhao (CZ) urged developers to act quickly, advising anyone with API keys in code — even in private repositories — to double-check and rotate those keys.
“If you have API keys in your code, even private repos, now is the time to double check and change them.”
Responses from the community emphasized that storing sensitive keys in repositories is risky. Aaron Shames, founder of Topaz DEX, called storing API keys in any repository “bad practice,” while acknowledging CZ’s warning. Many developers noted that for teams managing hundreds of keys across multiple projects, replacing all affected credentials is a significant and time-consuming challenge.
“This entire practice of key storage needs an update.”
Security commentator Dhanush Nehru highlighted broader concerns about extension permissions:
“No one knows what all permissions each VS Code extension owns. The cybersecurity threat landscape is scary.”
The timing of this incident amplified already-elevated concerns in the crypto space, which has experienced several high-profile breaches recently. Those include the Echo Protocol exploit, where attackers minted approximately $76.7 million worth of eBTC, and other multimillion-dollar incidents targeting projects such as THORChain and the Verus-Ethereum bridge.
These events have fueled renewed discussion about software supply chain security, code verification, and best practices for credential management. Prominent voices in the space, including Vitalik Buterin, have suggested that advances such as formal verification — potentially aided by AI — could strengthen security by providing mathematical guarantees about software behavior.
As the investigation into the GitHub incident continues, developers and organizations should assume the possibility of exposed secrets and take immediate steps to inventory, rotate, and secure credentials, review access controls, and limit the use of sensitive information in code repositories. Ensuring that extensions and other development tools come from trusted sources and are kept up to date can also help reduce exposure to similar supply chain attacks in the future.
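As an added illustration of the kind of check the closing paragraph calls for (this is example code, not part of the original article or anything GitHub published), the following Python scanner flags secret-like literals in repository contents so they can be inventoried and rotated. The sample repository, the detection patterns and the entropy threshold are constructed assumptions chosen for the demonstration.

```python
import math
import re
from collections import Counter

# Constructed sample repository contents (path -> file text); none of these values are real credentials.
SAMPLE_REPO = {
    "config/settings.py": 'API_KEY = "x7Q2mLp9vT4kR8wZc3Nb6Hs1Yd5Fg0Ja"\nTOKEN = "changeme"\nDEBUG = True\n',
    "scripts/deploy.sh": "export GITHUB_TOKEN=ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdef0123\n",
    "README.md": "Set API_KEY in your environment, e.g. API_KEY=<your-key>\n",
    "src/app.py": 'version = "1.0.0"\nlabel = "example"\n',
}

# Detection rules (assumed for this example): one fixed-format token shape and one
# generic "secret-looking variable assigned a quoted literal" pattern.
PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "generic_assignment": re.compile(
        r"(?i)\b(api[_-]?key|secret|token|password)\b\s*[=:]\s*[\"']([^\"']{8,})[\"']"
    ),
}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; placeholders like 'changeme' score low, real keys high."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(path: str, text: str, min_entropy: float = 3.0) -> list:
    """Return findings for one file. Secret values are redacted in the output so the
    scanner itself does not become another place where the secret is written down."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                candidate = m.group(m.lastindex) if m.lastindex else m.group(0)
                if rule == "generic_assignment" and shannon_entropy(candidate) < min_entropy:
                    continue  # low-entropy literal: almost certainly a placeholder, not a live key
                findings.append({"path": path, "line": lineno, "rule": rule,
                                 "preview": candidate[:4] + "..."})
    return findings


def scan_repo(repo: dict) -> list:
    """Scan every file in the repo mapping and collect findings for the rotation inventory."""
    findings = []
    for path, text in repo.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f['path']}:{f['line']} [{f['rule']}] {f['preview']}")
```

Each finding is an entry for the rotation inventory; running a scanner like this over every branch and the git history, not just the working tree, is what turns the advice above into a checklist.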