
A compromise involving a malicious VS Code extension led to unauthorized access to GitHub internal repositories, with the threat actor TeamPCP claiming to possess nearly 4,000 repositories allegedly stolen from the platform.
The threat actor advertised the alleged data sale on underground forums and shared multiple sample files, including repository listings, internal Ruby source code, billing logic, and backend application files related to GitHub services. The actor claimed the operation was financially motivated and intended for data monetization rather than direct ransomware extortion.
GitHub later confirmed unauthorized access to internal repositories and stated that the incident originated from a compromised employee device affected by a malicious VS Code extension. The company also clarified that there was no evidence suggesting customer repositories, organizations, or enterprise customer data were impacted.
The incident highlights the growing security risks surrounding developer environments, third-party extensions, and software supply chain ecosystems.

Fig 1: Underground forum post about GitHub source code sale
Organization: GitHub
Sector: Software Development / Code Hosting and Cloud Collaboration Platform
Location: Headquartered in San Francisco, California, United States
Operational Significance:
GitHub is one of the world’s largest software development platforms, providing source code hosting, version control, collaboration tools, and DevOps services for millions of developers, enterprises, and open-source projects. It plays a critical role in the global software ecosystem and supports development workflows, CI/CD operations, and collaborative coding activities across multiple industries.
The breach claims are associated with a threat actor identified as TeamPCP based on underground forum activity and publicly shared samples. The incident is currently assessed as High Severity with Moderate Confidence, as portions of the claims remain under investigation despite GitHub confirming unauthorized repository access.
TeamPCP is a financially motivated cybercriminal group known for targeting developer ecosystems, cloud platforms, and software supply chain infrastructure. The group has previously been linked to attacks involving GitHub Actions, Docker Hub, VS Code extensions, PyPI packages, and other trusted software repositories.
Unlike traditional ransomware-focused groups, TeamPCP frequently abuses legitimate software ecosystems, exposed services, and weak configurations to gain unauthorized access and monetize compromised data.
The group’s operational behavior aligns with modern supply chain-focused intrusion activity targeting platforms that provide broad downstream access into enterprise environments.
GitHub supports millions of developers, enterprises, and open-source projects globally, and its internal code sits upstream of a large share of the world's development tooling.
Because GitHub powers development workflows, CI/CD pipelines, and source code management across multiple industries, any compromise involving internal repositories raises broader software supply chain and trust concerns across the global developer ecosystem.
GitHub confirmed that it is investigating unauthorized access to internal repositories and stated that the incident originated from a compromised employee device affected by a malicious VS Code extension.

Fig 2: GitHub official confirmation of the incident
According to GitHub, the company quickly responded by:
GitHub also stated that its findings so far suggest only internal repositories were impacted and that there is no evidence of compromise of customer repositories, organizations, or enterprise customer data.
The company further noted that the threat actor’s claim involving approximately 3,800 repositories appears consistent with findings identified during the investigation.

Fig 3: Github investigation updates
The reported use of a malicious VS Code extension highlights the growing threat posed by trusted developer tooling and extension ecosystems.
VS Code extensions often operate with significant permissions inside developer environments and may access:
A malicious extension is therefore an effective initial access vector for attackers seeking to compromise engineering environments and reach internal development infrastructure: it runs in the developer's own security context, with the developer's own credentials and network reachability.
Developer workstations have increasingly become high-value targets because they frequently contain privileged credentials, internal repository access, CI/CD integrations, and cloud authentication tokens.
This incident demonstrates how software supply chain attacks are evolving beyond package-level compromise into broader attacks targeting developer ecosystems and trusted productivity tools.
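The practical check that follows from the paragraphs above is an inventory of what is actually installed on developer workstations. The script below is an added example, not code from the original page, from GitHub, or from the extension involved in this incident. It walks a VS Code extensions directory (the documented layout is `~/.vscode/extensions/<publisher>.<name>-<version>/package.json`), and flags two things: an `activationEvents` entry of `"*"`, which makes the extension's code run at every editor start regardless of what the user opens, and an entry script that references process spawning, `eval`, or base64 decoding. The second check is a heuristic (many legitimate extensions spawn processes), so hits are prompts for manual review, not verdicts. The two sample extensions built by `build_sample_tree()` and the pattern list are constructed for the demo.

```python
"""Audit installed VS Code extension manifests for properties that widen
an extension's reach. Added example; not the page's or GitHub's code."""
import json
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Heuristic indicators in an extension's entry script. Constructed list;
# legitimate extensions also use child_process, so treat hits as review items.
SUSPICIOUS_PATTERNS = {
    "child_process": re.compile(r"require\(\s*['\"]child_process['\"]\s*\)"),
    "eval": re.compile(r"\beval\s*\("),
    "base64_decode": re.compile(r"Buffer\.from\([^)]*['\"]base64['\"]"),
}


def audit_extension(ext_dir: Path) -> Optional[Dict]:
    """Audit one extension directory; None if it carries no manifest."""
    manifest_path = ext_dir / "package.json"
    if not manifest_path.is_file():
        return None
    manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
    findings: List[str] = []

    # "*" forces activation on every VS Code start, before any user action.
    if "*" in manifest.get("activationEvents", []):
        findings.append("activates_on_every_startup")

    # The entry script is the code VS Code actually loads; "main" may omit ".js".
    entry = manifest.get("main") or manifest.get("browser")
    if entry:
        entry_path = ext_dir / entry
        if not entry_path.is_file() and (ext_dir / (entry + ".js")).is_file():
            entry_path = ext_dir / (entry + ".js")
        if entry_path.is_file():
            src = entry_path.read_text(encoding="utf-8", errors="replace")
            for label, pattern in SUSPICIOUS_PATTERNS.items():
                if pattern.search(src):
                    findings.append(f"entry_uses_{label}")

    return {
        "id": f"{manifest.get('publisher', '?')}.{manifest.get('name', '?')}",
        "version": manifest.get("version", "?"),
        "findings": findings,
    }


def audit_extensions_dir(root: Path) -> List[Dict]:
    """Audit every extension under root; return only those with findings."""
    results = []
    for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        result = audit_extension(ext_dir)
        if result and result["findings"]:
            results.append(result)
    return results


def build_sample_tree(root: Path) -> None:
    """Constructed sample: one benign extension, one with risky traits.
    The JS files are only scanned as text; nothing here executes them."""
    benign = root / "acme.formatter-1.0.0"
    (benign / "out").mkdir(parents=True)
    (benign / "package.json").write_text(json.dumps({
        "name": "formatter", "publisher": "acme", "version": "1.0.0",
        "activationEvents": ["onLanguage:python"], "main": "./out/extension.js",
    }))
    (benign / "out" / "extension.js").write_text(
        "exports.activate = () => { /* formats documents */ };\n")

    risky = root / "unknown.helper-0.0.1"
    risky.mkdir(parents=True)
    (risky / "package.json").write_text(json.dumps({
        "name": "helper", "publisher": "unknown", "version": "0.0.1",
        "activationEvents": ["*"], "main": "./extension.js",
    }))
    # 'ZWNobyBoZWxsbw==' decodes to the harmless placeholder "echo hello".
    (risky / "extension.js").write_text(
        "const cp = require('child_process');\n"
        "const cmd = Buffer.from('ZWNobyBoZWxsbw==', 'base64').toString();\n"
        "exports.activate = () => cp.exec(cmd);\n")


def run_demo() -> List[Dict]:
    """Run the audit against the constructed sample tree."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return audit_extensions_dir(root)


if __name__ == "__main__":
    real = Path.home() / ".vscode" / "extensions"
    results = audit_extensions_dir(real) if real.is_dir() else run_demo()
    for r in results:
        print(f"{r['id']} {r['version']}: {', '.join(r['findings'])}")
```

Run on a workstation it audits the real extensions directory; elsewhere it falls back to the constructed sample, where only `unknown.helper` is reported. Extending it to fleet scale means shipping the same manifest facts (publisher, name, version, activation events) to a SIEM and alerting on publishers that appear on only one or two hosts.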
The threat actor claimed that the incident was not intended for ransomware deployment or direct extortion of GitHub. Instead, the actor stated that the objective was to monetize the allegedly stolen data through private sales on underground forums.
According to the forum post:
The pricing structure and auction-style negotiation model suggest financially motivated monetization rather than ideological or politically motivated activity.

Fig 4: Selling price of GitHub data on the dark web
Forum members showed interest in the alleged GitHub repository sale, with several users discussing the possibility of public data release if no buyer completed the purchase.
One account associated with the name “LAPSUS$” also commented on the post, further increasing visibility and engagement surrounding the incident within underground communities.

Fig 5: Underground community reacts to alleged GitHub data sale
The threat actor shared repository archive listings as sample evidence supporting claims of access to internal GitHub repositories.
The exposed repository names appeared to reference:

Fig 6: List of leaked GitHub repositories
Exposure of internal repository structures may provide attackers with valuable insight into backend architecture, operational workflows, internal tooling, and development practices.
The leaked Ruby code samples appear to contain backend business logic associated with GitHub organization onboarding and billing workflows.
The code also demonstrated the use of:

Fig 7: VAT code Validation & Billing Logic in Organization Onboarding

Fig 8: Inside GitHub Org Billing: Leaked Signup, Plan Logic & Secure Deletion Workflow
Although the shared code does not indicate direct customer data exposure, disclosure of internal business logic gives adversaries insight into GitHub's backend structure and validation mechanisms that could assist future targeted attacks.
Additional samples shared by the threat actor appeared to reference internal application modules associated with:
These references suggest visibility into portions of GitHub’s internal backend structure and development environment.

Fig 9: Leaked GitHub Ruby source code files
Organizations should strengthen security controls around developer environments and trusted tooling to reduce the risk of similar supply chain-related incidents.
Organizations can also leverage advanced detection capabilities within Gurucul SIEM and UEBA platforms to detect anomalous developer behavior, suspicious repository access, malicious extension activity, and credential abuse through behavioral analytics and telemetry correlation.
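The repository-access signal behind an incident of this shape is simple to state: one identity pulling far more distinct repositories in a short window than any developer needs. The script below is an added example, not Gurucul's, GitHub's, or the page's own detection content. It applies a sliding-window count of distinct repositories per actor to GitHub audit-log events (`git.clone` and `git.fetch`, which GitHub records when Git event logging is enabled; the field names `action`, `actor`, `repo` and `created_at` follow the audit log JSON export). The log lines in `build_sample_log()` and the thresholds are constructed for the demo and should be tuned to a baseline of normal clone volume.

```python
"""Flag bulk repository access in GitHub audit-log events.
Added example; not the page's, Gurucul's or GitHub's detection content."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List

# Git-level audit actions that represent repository content being pulled.
PULL_ACTIONS = {"git.clone", "git.fetch"}


def parse_event(line: str) -> Dict:
    """Parse one JSON audit event and attach a timezone-aware timestamp."""
    ev = json.loads(line)
    ev["ts"] = datetime.fromisoformat(ev["created_at"].replace("Z", "+00:00"))
    return ev


def detect_bulk_clone(lines: Iterable[str], max_repos: int,
                      window_seconds: int) -> Dict[str, Dict]:
    """Return {actor: summary} for every actor that pulls more than max_repos
    distinct repositories within any window_seconds-long sliding window."""
    events = sorted((parse_event(l) for l in lines if l.strip()),
                    key=lambda e: e["ts"])
    per_actor = defaultdict(deque)   # actor -> deque of (ts, repo) in window
    alerts: Dict[str, Dict] = {}
    for ev in events:
        if ev.get("action") not in PULL_ACTIONS:
            continue                 # pushes, logins etc. are not counted
        q = per_actor[ev["actor"]]
        q.append((ev["ts"], ev["repo"]))
        # Drop events that have aged out of the window.
        while (ev["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        distinct = {repo for _, repo in q}
        if len(distinct) > max_repos:
            summary = alerts.setdefault(ev["actor"], {
                "distinct_repos": 0, "first_seen": q[0][0], "last_seen": ev["ts"]})
            summary["distinct_repos"] = max(summary["distinct_repos"], len(distinct))
            summary["last_seen"] = ev["ts"]
    return alerts


def _event(action: str, actor: str, repo: str, ts: datetime) -> str:
    return json.dumps({"action": action, "actor": actor, "repo": repo,
                       "created_at": ts.isoformat().replace("+00:00", "Z")})


def build_sample_log() -> List[str]:
    """Constructed audit-log lines: one normal developer, one bulk puller."""
    base = datetime(2026, 4, 1, 9, 0, tzinfo=timezone.utc)
    lines = []
    # dev-a: three repositories over an hour, ordinary activity.
    for i, repo in enumerate(["org/app", "org/docs", "org/infra"]):
        lines.append(_event("git.clone", "dev-a", repo, base + timedelta(minutes=20 * i)))
    # dev-b: twelve distinct repositories in under two minutes.
    for i in range(12):
        lines.append(_event("git.clone", "dev-b", f"org/internal-{i}",
                            base + timedelta(seconds=10 * i)))
    # A push by dev-b is recorded but is not a pull, so it is ignored.
    lines.append(_event("git.push", "dev-b", "org/internal-0", base + timedelta(minutes=3)))
    return lines


def run_demo() -> Dict[str, Dict]:
    """Thresholds are constructed: >10 distinct repos within 5 minutes."""
    return detect_bulk_clone(build_sample_log(), max_repos=10, window_seconds=300)


if __name__ == "__main__":
    for actor, s in run_demo().items():
        print(f"ALERT {actor}: {s['distinct_repos']} distinct repos pulled "
              f"between {s['first_seen'].isoformat()} and {s['last_seen'].isoformat()}")
```

On the constructed log only `dev-b` is reported. In a SIEM the same rule is expressed as a count of distinct `repo` values per `actor` over a time bucket; pairing it with a baseline per team keeps a monorepo migration or a CI runner's fetches from tripping the same alert.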
The GitHub incident demonstrates how modern threat actors are increasingly targeting developer environments and trusted tooling instead of directly attacking large-scale platforms.
By leveraging a malicious VS Code extension to compromise an employee device, the attackers reportedly gained access to internal repositories and attempted to monetize the allegedly stolen data through underground marketplaces.
While GitHub stated that no evidence currently suggests customer repository exposure, the incident highlights the broader security implications surrounding software supply chains, developer tooling, and trusted extension ecosystems.
As software environments become increasingly interconnected, compromises involving developer workstations, extensions, and internal repositories may create downstream risks that extend far beyond a single organization.