GitHub internal repositories breached
GitHub experienced an internal security incident where threat actor TeamPCP (UNC6780) compromised an employee's device using a malicious Visual Studio Code extension. The attacker harvested local developer secrets to clone approximately 3,800 internal repositories, which were subsequently listed for sale on a cybercrime forum.
Authors: Sophos X-Ops
Source: Sophos
What Happened
GitHub recently suffered a data breach affecting its own internal systems, though customer data and repositories remain safe. A hacker group known as TeamPCP tricked a GitHub employee into installing a malicious add-on for their programming software. This allowed the hackers to steal passwords and copy about 3,800 of GitHub's private code repositories. The stolen code was then put up for sale on a criminal forum. Organizations should review the software add-ons their developers use and ensure strict security controls around code access.
Key Takeaways
- GitHub suffered an internal breach resulting in the theft of approximately 3,800 internal repositories.
- Initial access was achieved via a malicious Visual Studio Code extension installed on an employee's device.
- The threat actor, TeamPCP (UNC6780), harvested developer secrets to clone the repositories and listed them for sale.
- Customer data, enterprise accounts, and customer repositories are reportedly unaffected by this incident.
Affected Systems
- GitHub internal corporate estate
- Developer endpoints running Visual Studio Code
Attack Chain
The threat actor TeamPCP gained initial access by delivering a poisoned Visual Studio Code extension to a GitHub employee's development device. Once installed, the extension harvested developer secrets and access tokens from the local IDE environment. Using these stolen credentials, the attacker authenticated to GitHub's internal systems and cloned approximately 3,800 private repositories. The stolen data was then exfiltrated and listed for sale on a cybercrime forum.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article does not provide specific detection rules, but suggests behavioral hunting strategies for IDE anomalies.
Detection Engineering Assessment
- EDR Visibility: High. EDR solutions can monitor child processes spawned by VS Code, such as unexpected Git commands or credential access tools, as well as unusual network connections from developer endpoints.
- Network Visibility: Medium. Network monitoring can detect mass cloning activity or outbound connections to rare domains, though API traffic to GitHub is typically encrypted and may blend with legitimate developer activity.
- Detection Difficulty: Moderate. Detecting malicious VS Code extensions requires baseline knowledge of approved extensions. Distinguishing malicious repository cloning from legitimate developer activity relies heavily on behavioral anomalies and strict access controls.
Required Log Sources
- EDR process execution logs
- GitHub audit logs
- Network proxy logs
- DNS query logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for VS Code child processes spawning Git or credential tooling outside of normal developer working hours. | EDR process execution logs | Execution | Medium |
| If you have visibility into developer endpoints, look for archive downloads immediately followed by interpreter execution. | EDR process execution logs | Execution | Medium |
| Consider hunting for outbound network connections to newly registered or rare domains originating from developer workstations. | Network proxy logs | Command and Control | Medium |
| Review source control audit logs for mass-clone behavior or unusual repository read patterns by developer accounts. | GitHub audit logs | Collection | Low |
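The mass-clone hypothesis in the last row can be turned into a sliding-window check over exported audit events. The sketch below is an added example, not detection logic from the Sophos article or from GitHub; it keys on the `git.clone` audit action, and the field names (`@timestamp` in epoch milliseconds, `actor`, `repo`), the thresholds and the sample events are assumptions to adapt to your own export.

```python
import json
from collections import defaultdict, deque

# Constructed sample audit-log export (JSON lines). The field names
# "@timestamp" (epoch ms), "action", "actor" and "repo" are assumptions.
BASE_MS = 1_700_000_000_000
SAMPLE = [
    json.dumps({"@timestamp": BASE_MS + i * 10_800_000, "action": "git.clone",
                "actor": "dev-a", "repo": f"org/service-{i}"})
    for i in range(3)          # dev-a: three clones, three hours apart
] + [
    json.dumps({"@timestamp": BASE_MS + 60_000 + i * 6_000, "action": "git.clone",
                "actor": "dev-b", "repo": f"org/internal-{i}"})
    for i in range(40)         # dev-b: 40 distinct repos in under four minutes
] + [
    json.dumps({"@timestamp": BASE_MS, "action": "repo.create",
                "actor": "dev-b", "repo": "org/scratch"}),
    "truncated line, not JSON",
]


def find_mass_clones(lines, window_s=600, max_repos=20):
    """Return {actor: peak distinct repos cloned within window_s} above max_repos."""
    events = []
    for line in lines:
        try:
            e = json.loads(line)
        except json.JSONDecodeError:
            continue                          # skip damaged export lines
        if not isinstance(e, dict) or e.get("action") != "git.clone":
            continue
        if not {"@timestamp", "actor", "repo"} <= e.keys():
            continue
        events.append((e["@timestamp"] / 1000, e["actor"], e["repo"]))
    events.sort()                             # exports are not always ordered

    windows = defaultdict(deque)              # actor -> recent (ts, repo) pairs
    peaks = {}
    for ts, actor, repo in events:
        w = windows[actor]
        w.append((ts, repo))
        while ts - w[0][0] > window_s:        # drop clones older than the window
            w.popleft()
        distinct = len({r for _, r in w})     # repeat clones of one repo count once
        if distinct > max_repos:
            peaks[actor] = max(peaks.get(actor, 0), distinct)
    return peaks


if __name__ == "__main__":
    print(find_mass_clones(SAMPLE))
```

Counting distinct repositories rather than raw clone events keeps CI jobs that re-clone one repository from tripping the threshold.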
Control Gaps
- Lack of strict VS Code extension allowlisting
- Overly permissive long-lived developer tokens
Key Behavioral Indicators
- VS Code spawning unusual child processes
- Mass repository cloning events
- Unapproved VS Code extensions installed
False Positive Assessment
- Medium
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Audit installed VS Code extensions across developer endpoints and VDI images, flagging unapproved publishers or recent permission expansions.
- Rotate any long-lived developer access tokens that may have been exposed on potentially compromised hosts.
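The extension audit above can be run against the output of `code --list-extensions --show-versions`, which prints one `publisher.name@version` entry per line. The following is an added example, not tooling from the article; the allowlist contents, version pins, look-alike threshold and sample listing are constructed for illustration.

```python
import difflib

# Hypothetical allowlist: extension ID -> approved versions (empty set = any).
ALLOWLIST = {
    "ms-python.python": {"2024.2.1"},
    "dbaeumer.vscode-eslint": set(),
    "esbenp.prettier-vscode": set(),
}

# Constructed sample of `code --list-extensions --show-versions` output.
SAMPLE_LISTING = """\
ms-python.python@2024.4.0
dbaeumer.vscode-eslint@3.0.10
esbenp.prettier-vscode@10.4.0
esbenp.prettier-vsc0de@10.4.1
example-publisher.theme-pack@1.0.0
"""


def audit_extensions(listing, allowlist=ALLOWLIST, lookalike=0.9):
    """Return (extension_id, version, reason) for every entry needing review."""
    findings = []
    for raw in listing.splitlines():
        line = raw.strip()
        if not line:
            continue
        ext_id, _, version = line.partition("@")
        ext_id = ext_id.lower()               # extension IDs are case-insensitive
        if ext_id in allowlist:
            pinned = allowlist[ext_id]
            if pinned and version not in pinned:
                findings.append((ext_id, version, "unapproved-version"))
            continue
        # Not approved: check whether it imitates an approved ID (typosquat).
        near = difflib.get_close_matches(ext_id, list(allowlist), n=1,
                                         cutoff=lookalike)
        reason = f"lookalike-of:{near[0]}" if near else "not-allowlisted"
        findings.append((ext_id, version, reason))
    return findings


if __name__ == "__main__":
    for finding in audit_extensions(SAMPLE_LISTING):
        print(*finding, sep="\t")
```

Look-alike hits deserve priority over plain unlisted entries, since an ID one character away from an approved extension is rarely installed by accident.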
Infrastructure Hardening
- Enforce short-lived tokens, scoped access, and Single Sign-On (SSO) for all source control environments.
- Implement strict allowlisting for IDE extensions to prevent the installation of unverified or typosquatted tools.
User Protection
- Monitor developer endpoints for anomalous behavior, such as unusual child processes spawning from IDEs.
- Restrict shell integration or task execution capabilities for unverified extensions on trusted repositories.
Security Awareness
- Educate developers on the risks of installing unapproved or third-party IDE extensions.
- Train engineering teams to recognize typosquatted packages and extensions in development environments.
MITRE ATT&CK Mapping
- T1195.002 - Compromise Software Supply Chain
- T1555 - Credentials from Password Stores
- T1003 - OS Credential Dumping
- T1078 - Valid Accounts
- T1608.004 - Drive-by Compromise
- T1210 - Exploitation of Remote Services
- T1105 - Ingress Tool Transfer