
GitHub has stated that there is currently no evidence suggesting customer repositories or external enterprise data were compromised.
Earlier today, hackers reportedly gained access to GitHub’s internal repositories after exploiting an employee’s device through a malicious VS Code extension.
Following the breach, reports surfaced claiming that a threat actor operating under the alias TeamPCP is attempting to sell what is allegedly around 4,000 private GitHub repositories on a cybercriminal forum, with a minimum asking price of $50,000.
What GitHub Says Happened
GitHub confirmed the security incident through a series of posts on its X account, outlining the details known so far. According to the company, the attacker accessed an internal repository through a malicious VS Code extension installed on an employee’s machine.
The company stated that once the attack was detected, the malicious software was immediately removed from the compromised device. GitHub also emphasized that there is currently no evidence indicating that customer data stored outside its internal systems, including enterprise accounts, organizations, or user repositories, was accessed.
GitHub further explained that it quickly rotated credentials, prioritizing the most sensitive secrets first. The company is also reviewing logs to determine whether any additional unauthorized activity occurred and said more information will be shared once the investigation is complete.
Meanwhile, French researcher Sébastien Latombe highlighted a listing on a criminal forum posted by a threat actor known as TeamPCP. The listing allegedly references repositories connected to GitHub Actions, GitHub Enterprise, GitHub Copilot, Azure, CodeQL, billing systems, and authentication services.
According to the claims, the attackers are not attempting to extort GitHub directly but are instead seeking a single buyer for the stolen data, with a reported minimum price of $50,000.
However, neither GitHub nor Microsoft has officially confirmed the authenticity of the data mentioned in the forum post. Claims made on cybercriminal forums are often exaggerated or based on outdated material intended to increase the perceived value of the data.
Security Concerns Spread Across Crypto Industry
Reaction to the breach spread rapidly online, particularly within the crypto industry. Changpeng Zhao, widely known as CZ, urged crypto developers to immediately review and rotate any exposed API keys.
He warned:
“If you have API keys in your code, even private repos, now is the time to double check and change them.”
The responses highlighted a long-standing issue across the industry. Aaron Shames described storing API keys in repositories, whether public or private, as poor security practice, while still appreciating the warning.
Others pointed out that developers managing hundreds of keys across multiple projects face a far more complicated challenge.
Digital artist Tuteth commented that the entire approach to key storage requires modernization.
Security commentator Dhanush Nehru also raised concerns about the broader software ecosystem, warning that many developers have little visibility into the permissions granted to VS Code extensions and describing the cybersecurity landscape as increasingly alarming.
The timing of the breach has intensified ongoing concerns about crypto security, especially following several major attacks this month. These include the breach of Echo Protocol, where hackers reportedly minted $76.7 million worth of eTC.
That attack came shortly after multimillion-dollar exploits targeting THORChain and the Verus Ethereum Bridge.
The growing number of incidents has reignited discussions around code verification and software supply chain security. Vitalik Buterin recently argued that AI-assisted formal verification could help make software more secure by mathematically proving how programs behave.