GitHub Says 3,800 Repositories Breached—TeamPCP Hackers Demand $50,000
GitHub, the cloud-based hosting service used by software developers to store and manage code, has confirmed a major security incident involving an employee. A May 20 post from GitHub's account on the X social media platform stated that "the attacker's current claims of 3,800 repositories are directionally consistent with our investigation so far." The good news, if you can call it that, is that the investigation so far suggests the TeamPCP hackers exfiltrated only GitHub-internal repositories. The bad news is that TeamPCP claims those repositories include GitHub's own source code.
TeamPCP Hacking Group Put Stolen GitHub Data Up For Sale
The hacking of GitHub, which Microsoft acquired for $7.5 billion in 2018, is a big deal no matter which way you cut it. Used by 4 million organizations and 180 million developers, the cloud platform hosts more than 400 million code repositories in total. You might think, therefore, that a breach involving just 3,800 of them isn't all that newsworthy. But context is everything, and in this case that context is twofold: the repositories appear to be GitHub's internal ones, and the breach itself was inadvertently enabled by a GitHub employee.
The compromise was detected by GitHub security teams on May 19, sparking an immediate investigation. GitHub said then that it had “no evidence of impact to customer information stored outside of GitHub’s internal repositories,” but was alert and closely monitoring for any follow-on activity.
Beyond the fact that a GitHub employee's device was compromised after they installed a malicious VS Code extension, no further detail on what happened is currently available. That is not unusual while an investigation is ongoing. GitHub has said it will publish a full report once the investigation is complete.
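The vector named above, a malicious VS Code extension, is something any team can audit on its own endpoints. The Python script below is an added example, not code from GitHub, the article, or TeamPCP. It walks the standard user extensions directory, reads each extension's package.json and flags manifest traits that merit a second look: a publisher outside an organization allowlist (the allowlist here is a hypothetical placeholder), activation on every editor start, an extension that ships code but contributes nothing user-facing, and dependencies on extensions from unapproved publishers. The two sample manifests at the bottom are constructed for the demonstration. These are triage heuristics, not proof of malice; plenty of legitimate extensions activate at startup.

```python
"""Audit locally installed VS Code extensions for manifest traits worth triaging.

Added example; not GitHub's, the article's, or TeamPCP's code. Reads each
extension's package.json under ~/.vscode/extensions and reports heuristics.
"""
import glob
import json
import os

# Assumption: a hypothetical organization-approved publisher allowlist.
APPROVED_PUBLISHERS = {"ms-python", "ms-vscode", "redhat", "golang"}


def audit_manifest(manifest: dict, approved=APPROVED_PUBLISHERS) -> list[str]:
    """Return a list of human-readable findings for one extension manifest."""
    findings = []
    publisher = manifest.get("publisher", "")
    ident = f"{publisher or '?'}.{manifest.get('name', '?')}"

    # 1. Publisher not on the organization's allowlist.
    if publisher not in approved:
        findings.append(f"{ident}: publisher '{publisher}' not on allowlist")

    # 2. Activates on every editor start ("*" or onStartupFinished), so its
    #    code runs regardless of what the user does.
    events = manifest.get("activationEvents", [])
    if "*" in events or "onStartupFinished" in events:
        findings.append(f"{ident}: activates on every startup ({events})")

    # 3. Ships Node code ("main") but declares no contributions (commands,
    #    languages, views...). Nothing user-facing, yet code runs: look closer.
    if manifest.get("main") and not manifest.get("contributes"):
        findings.append(f"{ident}: runs code ('main') but contributes no UI")

    # 4. Pulls in other extensions from publishers outside the allowlist.
    for dep in manifest.get("extensionDependencies", []):
        dep_publisher = dep.split(".", 1)[0]
        if dep_publisher not in approved:
            findings.append(f"{ident}: depends on unapproved extension {dep}")

    return findings


def scan_extensions_dir(root=os.path.expanduser("~/.vscode/extensions")) -> dict:
    """Map each installed extension directory to its findings (empty = clean)."""
    results = {}
    for path in glob.glob(os.path.join(root, "*", "package.json")):
        try:
            with open(path, encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest; skip, do not crash
        results[os.path.dirname(path)] = audit_manifest(manifest)
    return results


# Constructed sample manifests for the demonstration; not real extensions.
SAMPLE_MANIFESTS = [
    {
        "name": "python", "publisher": "ms-python",
        "activationEvents": ["onLanguage:python"],
        "main": "./out/extension.js",
        "contributes": {"commands": [{"command": "python.run"}]},
    },
    {
        "name": "helper-tools", "publisher": "unknown-dev",
        "activationEvents": ["*"],
        "main": "./dist/index.js",
    },
]

if __name__ == "__main__":
    for m in SAMPLE_MANIFESTS:
        for finding in audit_manifest(m) or [f"{m['publisher']}.{m['name']}: no findings"]:
            print(finding)
    for directory, findings in scan_extensions_dir().items():
        for finding in findings:
            print(f"{directory}: {finding}")
```

Run it on a developer workstation and cross-check the directory listing against `code --list-extensions --show-versions`; anything installed from outside the marketplace, or anything a user does not remember installing, is the first thing to pull and inspect. Adjust `APPROVED_PUBLISHERS` to whatever your organization actually permits.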
"We moved quickly to reduce risk," a GitHub spokesperson said. "Critical secrets were rotated yesterday and overnight with the highest-impact credentials prioritized first." TeamPCP member "box turtle" has claimed, however, that "Github knew for hours, they delayed telling you and they won't be honest in the future," regarding the breach.
TeamPCP has posted a for-sale notice on a notorious hacking forum that said it wants at least $50,000 for the stolen data, including “Github’s source code and internal orgs,” adding that “no low-ball offers will be accepted.” That posting also stated that TeamPCP is not holding GitHub to ransom but rather just looking to sell to a single buyer after which the data will be shredded. The hacking group warned, however, that “if no buyer is found we will leak it free.”
GitHub users should remain alert to follow-on threats that exploit the fear, uncertainty and doubt around the TeamPCP breach, in particular targeted phishing attempts to gain access to accounts. GitHub advises users to enable two-factor authentication and, for good measure, add a passkey to protect their accounts.