GitHub confirmed it was hacked, resulting in the theft of data from approximately 3,800 internal code repositories. The platform stated there is “no evidence of impact to customer information stored outside of GitHub’s internal repositories,” while noting that its investigation is ongoing.
We are investigating unauthorized access to GitHub’s internal repositories. While we currently have no evidence of impact to customer information stored outside of GitHub’s internal repositories (such as our customers’ enterprises, organizations, and repositories), we are closely…
— GitHub (@github) May 19, 2026
The breach stemmed from a compromised employee device linked to a poisoned VS Code extension, GitHub reported. This extension, which is a plug-in for Visual Studio Code, facilitates programming tasks for developers. Hackers increasingly target open-source projects and coding extensions to breach developers’ computers, allowing them to access multiple systems simultaneously.
GitHub did not disclose the name of the compromised extension. Reports from The Record and Bleeping Computer indicated that a hacking group named TeamPCP has claimed responsibility for the breach and is attempting to sell the stolen data on a cybercrime forum.
The company did not respond immediately to inquiries regarding whether it received any ransom demands from the attackers. TeamPCP previously took credit for a data breach at the European Commission, which resulted in the theft of over 90 gigabytes of sensitive data from the EU’s cloud storage systems. They acquired the European Commission’s cloud key in a separate breach involving Trivy, a vulnerability scanning tool, by deploying info-stealing malware.





