May 21, 2026 · 9 min read
One GitHub Employee Installed a VS Code Extension—Now TeamPCP Is Selling 3,800 of GitHub's Internal Repositories for $50,000
A poisoned extension from the official VS Code Marketplace landed on a GitHub employee's laptop. The same group that hijacked Nx Console two days earlier is now offering source code from the platform 90% of the Fortune 100 trusts.
What Happened
On May 20, 2026, BleepingComputer reported that GitHub had confirmed an internal breach after a hacking crew calling itself TeamPCP posted listings on the Breached cybercrime forum offering source code from approximately 3,800 GitHub-internal repositories for sale.
The entry point was almost mundane. According to GitHub's own statement, an unnamed employee installed a malicious VS Code extension from the official Visual Studio Code Marketplace. The poisoned plugin ran on the developer's device, harvested credentials and tokens, and gave the attackers access to repositories the public was never supposed to see. GitHub removed the extension, isolated the compromised endpoint, and began incident response.
TeamPCP's asking price for the trove: $50,000. Their pitch on the forum was efficient. "1 buyer and we shred the data on our end" if someone paid up; otherwise they would leak the lot for free.
The Numbers GitHub Confirmed
From The Hacker News and GitHub's official acknowledgement:
- ~3,800 internal repositories exfiltrated, "directionally consistent with our investigation so far"
- One compromised endpoint—a single employee's device running the trojanized extension
- $50,000 ransom demanded on the Breached forum
- 4 million organizations use GitHub, including 90% of the Fortune 100
- 180+ million developers store 420+ million repositories on the platform
- No customer data stored outside the affected internal repos was impacted, according to GitHub's current assessment
The phrasing "directionally consistent" is what auditors say when they have not yet finished counting. The actual number could shift up or down once forensics finishes.
TeamPCP, Mini Shai Hulud, and the Nx Console Connection
TeamPCP—also tracked as UNC6780—is not a one-off. Help Net Security describes the group as specializing in supply chain attacks against open source security utilities and AI middleware. Past hits include PyPI, NPM, Docker, and a campaign known as Mini Shai Hulud that targeted OpenAI employees.
The timing of this breach matters. Two days earlier, on May 18, an attacker briefly published a malicious version of Nx Console—a VS Code extension with 2.2 million installs—that scraped 1Password vaults, Claude Code configs, and SSH keys before being pulled eleven minutes later. The Nx Console payload knew exactly which credential files to grab. Several researchers have publicly speculated the GitHub breach is the downstream result of one of those eleven minute infections landing on a GitHub laptop.
GitHub has not named the extension that compromised its employee. It also has not confirmed the Nx Console theory. But the modus operandi matches: poisoned VS Code package, harvest local secrets, pivot to whatever those secrets unlock.
Why "Internal Only" Is Not as Reassuring as It Sounds
GitHub's repeated emphasis that "no customer data was affected" is technically accurate. The breached repos are GitHub's internal codebase—not user code stored on the platform. But internal repos at a code hosting company are unusually valuable for two reasons.
First, the source code is the product. Anyone who buys the dump gets to read how GitHub's authentication, billing, abuse detection, and federation systems work. That is a free penetration testing dossier on every customer's deployment.
Second, internal repos almost always contain operational secrets. Hardcoded API keys, signing certificates, infrastructure topology diagrams, and credentials for staging environments routinely live in private repos because nobody expects them to be read by outsiders. Even at security mature companies, the rate at which secrets leak into private code is high enough that companies like GitGuardian make a business out of finding them.
Senator Maggie Hassan publicly asked CISA for an account of the breach, per The Record. Federal customers run on GitHub Enterprise; a senator's letter is rarely a positive sign for the vendor.
The Pattern: VS Code Marketplace as Credential Goldmine
In a span of 72 hours, TeamPCP weaponized the most trusted developer surface area on the planet. The VS Code Marketplace is to developer tools what the App Store is to phones: the default install path, signed by the vendor, blessed by the IDE. Microsoft does basic malware scanning on uploads, but the marketplace's threat model assumes most extension publishers act in good faith. When a publisher account is compromised, or a new account is set up to typosquat a popular package, that assumption breaks.
Once a poisoned extension lands on a developer's laptop, it runs with the same privileges as the IDE. It can read every open file. It can shell out to git. It can pull tokens from ~/.aws, ~/.ssh, ~/.config/gh, and the secret stores used by 1Password CLI, Claude Code, Cursor, and every other AI coding assistant. From there, anything those tokens unlock is reachable.
Developer laptops have become, in security architecture terms, the new domain controller. They hold the keys to production. The GitHub breach is what happens when one of those keys is in the wrong pocket for fifteen minutes.
What to Do If You're a Developer
- Audit your installed extensions. In VS Code, open the Extensions view and review the publisher of everything that installed an update in the last week. Anything published from a single personal account with thousands of installs but no organization behind it should be treated as suspect.
- Disable extension auto-update on production machines. Settings → search for `extensions.autoUpdate` → set it to none (`"extensions.autoUpdate": false` in settings.json). You give up convenience for the chance to read a changelog before new code runs as you.
- Rotate any credentials that lived in `~/.aws`, `~/.ssh`, `~/.config/gh`, or any AI assistant config if you installed extension updates between May 17 and May 20.
- Use scoped, short-lived tokens. Replace long-lived personal access tokens (classic) with fine-grained tokens limited to a single repository or organization.
- Move secrets out of repositories entirely. Use a secrets manager (Doppler, HashiCorp Vault, AWS Secrets Manager, GCP Secret Manager) and fetch them at runtime. GitHub's push protection blocks most accidental commits of known secret formats, but only if it is turned on.
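Putting the audit and allowlist steps above into a script, as an added example that is not code from this article, from GitHub or from Microsoft: it reads an inventory shaped like VS Code's `~/.vscode/extensions/extensions.json`, flags anything installed or updated during the May 17-20 window, and separately flags anything whose publisher or full id is not on a trusted list. Assumptions: the `identifier.id`, `version` and `metadata.installedTimestamp` field names match what current VS Code writes to that file (check your own copy before relying on it), the inventory embedded below is constructed, and the trusted-publisher set is illustrative.

```python
import json
from datetime import datetime, timezone


def _ms(*ymd_h):
    """Milliseconds since the epoch for a UTC date/time, the unit assumed for
    metadata.installedTimestamp in extensions.json."""
    return int(datetime(*ymd_h, tzinfo=timezone.utc).timestamp() * 1000)


# Constructed inventory shaped like ~/.vscode/extensions/extensions.json.
# The ids, versions and timestamps are made up for this example; nothing here
# refers to a real extension involved in the incident.
SAMPLE_INVENTORY_JSON = json.dumps([
    {"identifier": {"id": "ms-python.python"}, "version": "2026.4.0",
     "metadata": {"installedTimestamp": _ms(2026, 2, 25, 9)}},
    {"identifier": {"id": "github.vscode-pull-request-github"}, "version": "0.112.0",
     "metadata": {"installedTimestamp": _ms(2026, 3, 3, 11)}},
    {"identifier": {"id": "example-dev.helper-tools"}, "version": "3.1.9",
     "metadata": {"installedTimestamp": _ms(2026, 5, 18, 16)}},
    {"identifier": {"id": "solo-publisher.theme-pack"}, "version": "1.0.4",
     "metadata": {"installedTimestamp": _ms(2026, 2, 2, 8)}},
])

# Incident window from the article: updates installed May 17-20, 2026 (UTC).
WINDOW_START = datetime(2026, 5, 17, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 5, 21, tzinfo=timezone.utc)

# Illustrative allowlist: a bare publisher allows everything they publish,
# a full "publisher.name" id allows exactly one extension.
TRUSTED = {"ms-python", "github", "example-dev.helper-tools"}


def load_inventory(text):
    """Parse the extensions.json array into plain dicts with a parsed install time."""
    inventory = []
    for entry in json.loads(text):
        ext_id = entry["identifier"]["id"]
        ts = entry.get("metadata", {}).get("installedTimestamp")
        inventory.append({
            "id": ext_id,
            "publisher": ext_id.split(".", 1)[0],
            "version": entry.get("version"),
            "installed": datetime.fromtimestamp(ts / 1000, tz=timezone.utc) if ts else None,
        })
    return inventory


def installed_in_window(inventory, start, end):
    """Ids installed or updated in [start, end). An entry with no timestamp
    cannot be cleared, so it is flagged as well."""
    return sorted(e["id"] for e in inventory
                  if e["installed"] is None or start <= e["installed"] < end)


def outside_allowlist(inventory, allowed):
    """Ids covered neither by a publisher entry nor by a full-id entry."""
    return sorted(e["id"] for e in inventory
                  if e["id"] not in allowed and e["publisher"] not in allowed)


def audit(text, allowed, start, end):
    """Combine both checks. Being allowlisted does not clear an extension that
    updated inside the window: the allowlist says who you trust, the window
    says whose code changed while the poisoned versions were live."""
    inventory = load_inventory(text)
    recent = installed_in_window(inventory, start, end)
    unlisted = outside_allowlist(inventory, allowed)
    return {
        "recent": recent,
        "unlisted": unlisted,
        "flagged": sorted(set(recent) | set(unlisted)),
        # Any update in the window means the local secrets listed above may be gone.
        "rotate_credentials": bool(recent),
    }


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_INVENTORY_JSON, TRUSTED, WINDOW_START, WINDOW_END), indent=2))
```

To run it against a real machine, pass the contents of `Path.home() / ".vscode/extensions/extensions.json"` instead of the sample and replace `TRUSTED` with the publishers your organization actually approves. The publisher-or-id matching mirrors the shape of VS Code's `extensions.allowed` setting, so a list built here can be carried into an enterprise allowlist later.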
The Bigger Picture for Enterprises
The GitHub breach is going to land on every CISO's desk this week with the same question: "Could this happen to us?" The answer for almost every enterprise is yes, because the attack vector is mundane. The breach was not an exploit of GitHub's infrastructure. It was a developer who installed a plugin. That same install path exists at every software company on earth.
Practical defensive moves: a managed extension allowlist via the `extensions.allowed` setting in VS Code, pushed fleet-wide through its enterprise policy support; EDR rules that alert when any process descended from Code touches a credential file; mandatory hardware-backed MFA for all source code access; and rotation of push tokens at least monthly. None of these stop a determined attacker. All of them shrink the window between compromise and detection.
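As an added example of the EDR rule described above (written for this page, not taken from any EDR vendor, from GitHub or from Microsoft): constructed process and file-open telemetry is fed through a rule that alerts only when a process touching a credential file has the VS Code extension host somewhere in its ancestry. Assumptions: the extension host is the `code` process started with `--type=extensionHost` on Linux and Windows, or `Code Helper (Plugin)` on macOS; the integrated terminal runs under the pty host instead, which is why a `git` invocation from a terminal inside Code does not fire; and the 1Password CLI, Claude Code and Cursor paths in the glob list are assumed defaults. Every process and event below is constructed.

```python
import fnmatch
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid name cmdline")
FileOpen = namedtuple("FileOpen", "pid path")

# Credential locations as globs relative to $HOME. The first lines are the
# paths the article names; the 1Password CLI, Claude Code and Cursor entries
# are assumed default locations and should be checked against your fleet.
CREDENTIAL_GLOBS = [
    ".aws/credentials", ".aws/config",
    ".ssh/id_*", ".ssh/config",
    ".config/gh/hosts.yml",
    ".config/op/*",               # 1Password CLI (assumed)
    ".claude/*", ".claude.json",  # Claude Code (assumed)
    ".cursor/*",                  # Cursor (assumed)
    ".netrc", ".npmrc", ".git-credentials",
]


def is_extension_host(proc):
    """Assumption: extension code runs in the extension host process, not in the
    main window or in the pty host that backs the integrated terminal."""
    return ((proc.name.lower().startswith("code") and "--type=extensionHost" in proc.cmdline)
            or proc.name == "Code Helper (Plugin)")


def ancestry(pid, procs):
    """Process chain from pid up to the root, self first; stops on a missing
    parent or a cycle so a malformed snapshot cannot loop forever."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid])
        pid = procs[pid].ppid
    return chain


def is_credential_path(path, home):
    """True when path is under home and matches one of the credential globs."""
    prefix = home.rstrip("/") + "/"
    if not path.startswith(prefix):
        return False
    rel = path[len(prefix):]
    return any(fnmatch.fnmatch(rel, g) for g in CREDENTIAL_GLOBS)


def detect(processes, file_opens, home="/home/dev"):
    """Return one alert per credential-file open whose process tree passes
    through the extension host. Opens from other trees are ignored."""
    procs = {p.pid: p for p in processes}
    alerts = []
    for ev in file_opens:
        if not is_credential_path(ev.path, home):
            continue
        chain = ancestry(ev.pid, procs)
        if any(is_extension_host(p) for p in chain):
            alerts.append({"pid": ev.pid, "path": ev.path,
                           "chain": [p.name for p in chain]})
    return alerts


# Constructed telemetry snapshot (not from any real host).
SAMPLE_PROCESSES = [
    Proc(1, 0, "systemd", "/sbin/init"),
    Proc(50, 1, "gnome-terminal", "gnome-terminal"),
    Proc(100, 1, "code", "/usr/share/code/code ."),
    Proc(150, 100, "code", "/usr/share/code/code --type=ptyHost"),
    Proc(200, 100, "code", "/usr/share/code/code --type=extensionHost"),
    Proc(300, 200, "node", "node /tmp/.cache/update.js"),   # spawned by an extension
    Proc(400, 300, "sh", "sh -c 'tar cf - ~/.ssh ~/.aws'"),
    Proc(600, 150, "zsh", "zsh"),                             # integrated terminal
    Proc(610, 600, "git", "git push"),
    Proc(700, 50, "ssh", "ssh prod-bastion"),                 # ordinary terminal
]
SAMPLE_FILE_OPENS = [
    FileOpen(400, "/home/dev/.ssh/id_ed25519"),        # extension host ancestry: alert
    FileOpen(300, "/home/dev/.config/gh/hosts.yml"),   # extension host ancestry: alert
    FileOpen(300, "/home/dev/project/src/main.py"),    # not a credential path
    FileOpen(610, "/home/dev/.ssh/config"),            # integrated terminal: no alert
    FileOpen(700, "/home/dev/.ssh/id_ed25519"),        # ssh from gnome-terminal: no alert
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_PROCESSES, SAMPLE_FILE_OPENS):
        print(f"pid {alert['pid']} read {alert['path']} via {' <- '.join(alert['chain'])}")
```

The extension-host requirement is the tuning knob. Relax it to any descendant of Code if you would rather be paged on the integrated terminal as well, at the cost of an alert every time a developer runs `gh` or `ssh` from inside the IDE; keep it strict and the rule is quiet until an extension, not a person, reads a key.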
Why This Matters for Your Email
Internal repository dumps are some of the most valuable lures in the phishing economy. When attackers parse 3,800 repos, they end up with a directory of employee names, internal email addresses, project codenames, customer references, and Slack channel names. Within weeks of any leak like this, targeted phishing emails start arriving that read like internal Jira tickets: correct codenames, correct reporting structure, correct internal jargon.
Combined with email tracking pixels that confirm exactly when a target opens a message, phishing crews can time their follow ups for maximum engagement and exclude inboxes that ignore them. The GitHub leak does not just expose code—it expands the data feeding every spear phishing operation that touches the customers in those repos.
What Comes Next
TeamPCP's deadline for a buyer is short. If a buyer materializes, the data disappears from public view but the people who bought it now have it forever. If no buyer materializes, the leak goes public and any vulnerabilities baked into GitHub's internal services become an open book for every threat actor with a copy. The Mini Shai Hulud and Nx Console campaigns suggest TeamPCP is not slowing down. The next compromised extension is being uploaded as you read this.
GitHub's investigation continues, as does Senator Hassan's request to CISA. And for every developer running stock VS Code with auto-update enabled, the lesson is the same one Nx Console taught two days earlier: an extension is just code that runs as you. Treat it like code that runs as you.