GitHub confirmed on May 20 that approximately 3,800 of its internal repositories were exfiltrated after a threat actor compromised an employee device through a poisoned VS Code extension. The platform, which serves over 180 million developers and 4 million organizations including 90 percent of Fortune 100 companies, stated it currently has no evidence of impact to customer data stored outside its internal repositories but is closely monitoring infrastructure for follow-on activity.

The breach has been attributed to TeamPCP, a financially motivated cybercrime group tracked by Google Threat Intelligence Group as UNC6780. The group posted proof of the stolen data on the Breached underground hacking forum, listing GitHub source code and internal organizational data for sale with a minimum asking price of $50,000. TeamPCP threatened to leak the data for free if no buyer is found and claimed GitHub delayed notifying the public by several hours after learning of the compromise.

The attack originated from a hijacked release of the Nx Console VS Code extension, version 18.95.0, which was briefly available on the VS Code Marketplace on May 18. Although the malicious version was live for only 11 minutes before removal, the payload executed silently within seconds of a developer opening any workspace. It fetched a 498 KB obfuscated credential stealer from an orphan commit in the official nrwl/nx GitHub repository: a commit reachable by its hash but from no branch or tag, so it does not appear in the repository's visible history. The stealer harvested GitHub, npm, AWS, Azure, Kubernetes and HashiCorp Vault credentials along with SSH keys, then exfiltrated the data through three independent channels: HTTPS, the GitHub API, and DNS tunneling.

The breach is part of TeamPCP's broader campaign dubbed Mini Shai-Hulud, a self-replicating supply chain worm that automates attacks by stealing CI/CD credentials and using them to compromise downstream packages. The group has compromised over 170 packages across npm and PyPI in recent weeks, including the TanStack npm packages and Microsoft's durabletask PyPI package which receives approximately 417,000 monthly downloads. Internal repositories typically contain infrastructure configurations, deployment scripts, and staging credentials that could enable further attacks against GitHub's architecture.

GitHub stated its assessment is that the activity involved exfiltration of internal repositories only and that the attacker's claims of approximately 3,800 repositories are directionally consistent with its investigation. The company has isolated the compromised endpoint, rotated critical secrets and credentials overnight, and committed to publishing a fuller incident report once the review is complete. This marks the third major GitHub security event in six weeks following a merge queue regression and CVE-2026-3854, a critical remote code execution vulnerability disclosed in April.

Developers and organizations are urged to audit installed VS Code extensions, remove any that are unnecessary, and disable extension auto-update; rotate all GitHub tokens and SSH keys; enable push protection and secret scanning on repositories; and review GitHub Actions workflows so that the GITHUB_TOKEN receives only the permissions each job needs. Anyone who had Nx Console version 18.95.0 installed between 12:36 and 12:47 UTC on May 18 should treat every credential on that machine as compromised and initiate a full credential rotation across all connected services.
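The triage that the recommendations above imply can be scripted across a fleet. The following is an added example, not code from the article, GitHub, or the Nx project. It assumes the Nx Console Marketplace identifier is nrwl.angular-console, that each host's extension inventory was captured with `code --list-extensions --show-versions` (one `publisher.name@version` per line), that the user's settings.json is plain JSON without comments, and that workflow files are checked with a line-based scan of the top-level `permissions:` key rather than a full YAML parser. The sample inventories, settings and workflow files are constructed for the demonstration.

```python
"""Exposure triage for the hijacked Nx Console extension (added example).

Assumptions not drawn from the article:
  * Nx Console's Marketplace identifier is "nrwl.angular-console".
  * Inventories come from `code --list-extensions --show-versions`.
  * settings.json is plain JSON (no // comments).
"""
import json
import re

# Extension/version pair named in the article; the identifier is an assumption.
KNOWN_BAD = {"nrwl.angular-console": {"18.95.0"}}

EXT_LINE = re.compile(r"^(?P<id>[\w-]+\.[\w-]+)@(?P<ver>[\w.\-+]+)$")
TOP_PERMS = re.compile(r"^permissions:[ \t]*(?P<val>[^\n#]*)", re.MULTILINE)


def parse_extension_list(text):
    """Turn `code --list-extensions --show-versions` output into {id: version}."""
    installed = {}
    for line in text.splitlines():
        m = EXT_LINE.match(line.strip())
        if m:
            installed[m.group("id").lower()] = m.group("ver")
    return installed


def find_compromised(installed):
    """Return sorted (extension_id, version) pairs that match KNOWN_BAD."""
    return sorted((i, v) for i, v in installed.items() if v in KNOWN_BAD.get(i, set()))


def triage_fleet(inventories):
    """inventories: {hostname: list-extensions output}. Returns hosts needing rotation."""
    hits = {}
    for host, text in inventories.items():
        bad = find_compromised(parse_extension_list(text))
        if bad:
            hits[host] = bad
    return hits


def autoupdate_findings(settings_json):
    """Flag a settings.json that still lets the Marketplace push extension updates.

    Both keys default to true when absent, and "onlyEnabledExtensions" still
    auto-updates, so anything other than an explicit false is a finding.
    """
    settings = json.loads(settings_json) if settings_json.strip() else {}
    findings = []
    for key in ("extensions.autoUpdate", "extensions.autoCheckUpdates"):
        if settings.get(key, True) is not False:
            findings.append(f'set "{key}": false')
    return findings


def workflow_permission_findings(workflow_yaml):
    """Least-privilege check on one GitHub Actions workflow file.

    Flags a missing top-level `permissions:` block (GITHUB_TOKEN then inherits
    the repository default, which may be read/write), `write-all`, and every
    individual scope granted `write` so a reviewer can confirm each is needed.
    Job-level `permissions:` blocks are indented and deliberately not matched.
    """
    m = TOP_PERMS.search(workflow_yaml)
    if m is None:
        return ["no top-level permissions block; GITHUB_TOKEN inherits the repository default"]
    val = m.group("val").strip()
    if val == "write-all":
        return ["permissions: write-all grants every scope to GITHUB_TOKEN"]
    findings = []
    if val == "":  # block form: read the indented scope lines that follow
        for line in workflow_yaml[m.end():].splitlines()[1:]:
            if not line.startswith((" ", "\t")):
                break
            scope, _, level = line.strip().partition(":")
            if level.strip() == "write":
                findings.append(f"{scope.strip()}: write; confirm the job needs it")
    return findings


# Constructed sample data for a stand-alone run.
SAMPLE_INVENTORIES = {
    "dev-laptop-01": "ms-python.python@2024.4.1\nnrwl.angular-console@18.95.0\n",
    "dev-laptop-02": "ms-python.python@2024.4.1\nnrwl.angular-console@18.94.2\n",
}
SAMPLE_SETTINGS = '{"extensions.autoUpdate": "onlyEnabledExtensions"}'
SAMPLE_WORKFLOW = "name: ci\non: push\npermissions:\n  contents: read\n  id-token: write\njobs:\n  build:\n    runs-on: ubuntu-latest\n"

if __name__ == "__main__":
    print("hosts needing rotation:", triage_fleet(SAMPLE_INVENTORIES))
    print("settings findings:", autoupdate_findings(SAMPLE_SETTINGS))
    print("workflow findings:", workflow_permission_findings(SAMPLE_WORKFLOW))
```

One caveat for the inventory check: a host whose auto-update pulled 18.95.0 during the window and then pulled the clean follow-up release will no longer show the bad version in a current inventory, so absence from `triage_fleet` output is not proof of non-exposure; any host that had the extension installed with auto-update enabled during the window should be rotated regardless.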