GitHub probes suspected cyberattack claims
- GitHub said on May 20 it was investigating unauthorized access to internal repositories after TeamPCP claimed it had stolen company source code.
- GitHub said the attacker’s claim of about 3,800 repositories was “directionally consistent” and traced the intrusion to a poisoned VS Code extension.
- GitHub said it continues analyzing logs, validating secret rotation and monitoring infrastructure; customers would be notified through standard incident-response channels.
GitHub said on May 20 that it was investigating unauthorized access to its internal repositories after the threat actor TeamPCP claimed it had stolen source code and other internal data. The Microsoft-owned company said it had “no evidence of impact to customer information stored outside of GitHub’s internal repositories,” including customer enterprises, organizations and repositories. GitHub later said the intrusion began with a compromised employee device tied to a poisoned Visual Studio Code extension published by a third party. The company said it removed the malicious extension version, isolated the endpoint and began incident response immediately.

### How did GitHub say the intrusion began?

GitHub said the compromise was detected and contained on Monday, May 18, after an employee device was hit by the poisoned VS Code extension. In its security update, the company said it removed the malicious extension version from circulation, isolated the affected endpoint and started incident response right away. The company also said it rotated critical secrets on Monday and into Tuesday, prioritizing the highest-impact credentials first. (github.blog)

GitHub said it was still analyzing logs, validating the secret rotation work and monitoring its infrastructure for any follow-on activity.

### What does GitHub say was taken?

GitHub said its “current assessment” is that the activity involved exfiltration of GitHub-internal repositories only. (github.blog) The company added that the attacker’s claim of about 3,800 repositories was “directionally consistent” with its investigation so far. GitHub also said some of its internal repositories contain customer information, including excerpts of support interactions. (github.blog) The company said it would notify customers through established incident-response and notification channels if investigators find any confirmed impact.

### What did TeamPCP claim publicly?
Yahoo Tech, citing the group’s posts, reported on May 21 that TeamPCP claimed to have stolen internal source code and data tied to thousands of repositories from GitHub. (tech.yahoo.com) The report said GitHub and parent Microsoft had opened an investigation and cited ongoing forensic work. The Hacker News reported that TeamPCP listed the alleged data for sale on a cybercrime forum and said the dump included about 4,000 repositories, with an asking price of at least $50,000. (thehackernews.com) The publication also reported a post attributed to the group saying it was “not a ransom” and that the data would be leaked if no buyer was found.

### Why is TeamPCP a known name in software security circles?

Microsoft’s security research team said on March 24 that TeamPCP had been tied to the Trivy supply-chain compromise reported on March 19. (microsoft.com) Microsoft said that campaign expanded to other frameworks including Checkmarx KICS and LiteLLM, and described the group’s objective as harvesting credentials and other sensitive data from developer and CI/CD environments before exfiltration. (microsoft.com) That earlier attribution matters because the latest GitHub incident also centers on developer tooling and repository access. GitHub has not publicly said whether the current investigation has established the full scope of any downstream exposure beyond the internal repositories it has identified so far.

### What should users watch for next?

GitHub said it would contact affected customers if investigators uncover confirmed impact beyond its internal repositories. (github.blog) The company has not yet published a final incident report, but its May 20 security post said the investigation remains active and that monitoring and log analysis are continuing. (github.blog)
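The initial access described above ran through a single poisoned version of a developer-tool extension, and GitHub's response included removing that version from circulation. A control that follows directly from that vector is to pin the extension set on developer endpoints and alert on drift. The script below is an added example, not code from GitHub or from the article; it assumes an inventory in the line format that `code --list-extensions --show-versions` prints (`publisher.name@version`), and the baseline, publisher allowlist and sample inventory are constructed for the demonstration.

```python
"""Audit installed VS Code extensions against a pinned baseline (added example).

Assumptions: inventory lines look like `publisher.name@1.2.3`, as produced by
`code --list-extensions --show-versions`. BASELINE, ALLOWED_PUBLISHERS and
SAMPLE_INVENTORY are constructed values, not data from any real environment.
"""
from dataclasses import dataclass, field
import subprocess

# Constructed baseline: extension id -> version an endpoint is expected to run.
BASELINE = {
    "ms-python.python": "2024.4.1",
    "dbaeumer.vscode-eslint": "2.4.4",
    "golang.go": "0.41.4",
}
# Constructed publisher allowlist; anything outside it gets flagged for review.
ALLOWED_PUBLISHERS = {"ms-python", "dbaeumer", "golang"}

# Constructed sample inventory: one silent version bump and one unknown extension.
SAMPLE_INVENTORY = """\
ms-python.python@2024.4.1
dbaeumer.vscode-eslint@2.4.5
golang.go@0.41.4
someone.helpful-tool@0.0.9
"""


@dataclass
class Findings:
    version_drift: dict = field(default_factory=dict)     # id -> (pinned, installed)
    unpinned: list = field(default_factory=list)          # installed, not in baseline
    unknown_publisher: list = field(default_factory=list) # publisher not allowlisted
    missing: list = field(default_factory=list)           # pinned, not installed


def parse_inventory(text):
    """Turn `publisher.name@version` lines into {id: version}; ids are case-insensitive."""
    installed = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "@" not in line:
            continue
        ext_id, _, version = line.rpartition("@")
        installed[ext_id.lower()] = version
    return installed


def audit(installed, baseline=BASELINE, allowed=ALLOWED_PUBLISHERS):
    """Compare an inventory with the baseline and return every deviation."""
    f = Findings()
    for ext_id, ver in installed.items():
        publisher = ext_id.split(".", 1)[0]
        if publisher not in allowed:
            f.unknown_publisher.append(ext_id)
        if ext_id in baseline:
            if baseline[ext_id] != ver:
                # A version that moved without a baseline update is exactly the
                # signal a poisoned extension release would produce.
                f.version_drift[ext_id] = (baseline[ext_id], ver)
        else:
            f.unpinned.append(ext_id)
    f.missing = sorted(set(baseline) - set(installed))
    return f


def needs_review(f):
    """True when any finding should stop the endpoint from being considered clean."""
    return bool(f.version_drift or f.unpinned or f.unknown_publisher)


def collect_live_inventory():
    """Read the real inventory from the local `code` CLI (hypothetical deployment path)."""
    out = subprocess.run(
        ["code", "--list-extensions", "--show-versions"],
        capture_output=True, text=True, check=True,
    )
    return parse_inventory(out.stdout)


if __name__ == "__main__":
    findings = audit(parse_inventory(SAMPLE_INVENTORY))
    print("drift:", findings.version_drift)
    print("unpinned:", findings.unpinned)
    print("unknown publisher:", findings.unknown_publisher)
    print("missing:", findings.missing)
    print("needs review:", needs_review(findings))
```

Run against the constructed sample it reports the ESLint bump from 2.4.4 to 2.4.5 as drift and `someone.helpful-tool` as both unpinned and from an unknown publisher. In a real deployment the baseline would be updated only through a reviewed change, so a marketplace release that lands on an endpoint ahead of that review is visible the next time the audit runs.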