TeamPCP Hackers Claim GitHub Breach, Sell 4,000 Repos for $50K
A notorious threat actor operating under the alias TeamPCP has claimed responsibility for breaching GitHub’s internal systems, allegedly exfiltrating proprietary source code and organization data.
The group is now offering the stolen dataset for sale on underground cybercrime forums, demanding bids exceeding $50,000.
First reported by Darkweb Informer, the compromised data allegedly encompasses approximately 4,000 private repositories tied directly to GitHub’s main platform.

To substantiate their claims, TeamPCP published a public file list alongside screenshots displaying numerous repository archive names, while expressing willingness to provide data samples to verified buyers upon request.
GitHub Confirms Active Investigation
Following rapid circulation of these claims across threat intelligence channels, GitHub publicly acknowledged an active investigation. In a statement released via X, the company stated:
“We are investigating unauthorized access to GitHub’s internal repositories. While we currently have no evidence of impact to customer information stored outside of GitHub’s internal repositories, we are closely monitoring our infrastructure for follow-on activity.”
GitHub has not disclosed how the alleged access was obtained, nor confirmed or denied the validity of the 4,000-repository figure. The investigation remains ongoing.
Formally tracked by the Google Threat Intelligence Group as UNC6780, TeamPCP is a highly capable and financially motivated threat actor with a well-documented 2026 campaign history:
- Trivy Vulnerability Scanner – Exploited via CVE-2026-33634, resulting in breaches affecting over 1,000 organizations, including Cisco
- Checkmarx and LiteLLM – Targeted in a high-velocity credential harvesting campaign focused on CI/CD pipeline infiltration
- Shai-Hulud Malware – The group leaked source code for their custom malware directly onto GitHub using compromised accounts
TeamPCP’s established operational pattern, leveraging stolen CI/CD credentials and privileged access tokens to pivot deeper into target infrastructure, lends significant credibility to the current claim.
GitHub, as the global central hub for software development pipelines, is a high-value target perfectly aligned with the group’s known attack methodology.
If validated, a breach of 4,000 private GitHub repositories could trigger cascading supply chain consequences across thousands of downstream organizations, developers, and enterprise customers, mirroring the scale of previous TeamPCP campaigns.
Mitigations
Organizations are advised to take the following immediate steps:
- Audit repository access logs for anomalous activity
- Rotate all privileged access tokens and OAuth credentials
- Monitor CI/CD pipelines for unauthorized modifications or injections
- Enable GitHub Advanced Security alerts where applicable
- Review third-party integrations with elevated repository permissions
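The first and last of these steps can be partly automated. The following is an added example, not code from the article or from GitHub: it reads a constructed audit-log export in the shape of GitHub's JSON audit events, flags any actor that touches an unusually large number of distinct repositories in a short window (the bulk-access pattern a mass repository exfiltration would leave), and lists credential or integration-creation events by that actor shortly before the burst. The sample entries, actor names and the set of credential-related action names are assumptions for this example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample entries in the shape of a GitHub audit-log JSON export
# (@timestamp, action, actor, repo). All values and actor names are made up.
SAMPLE_LOG = """
{"@timestamp": "2026-04-01T02:00:05Z", "action": "integration_installation.create", "actor": "dev-alice"}
{"@timestamp": "2026-04-01T02:01:10Z", "action": "repo.download_zip", "actor": "dev-alice", "repo": "acme/core-api"}
{"@timestamp": "2026-04-01T02:01:14Z", "action": "repo.download_zip", "actor": "dev-alice", "repo": "acme/billing"}
{"@timestamp": "2026-04-01T02:01:19Z", "action": "repo.download_zip", "actor": "dev-alice", "repo": "acme/infra-terraform"}
{"@timestamp": "2026-04-01T02:01:25Z", "action": "repo.download_zip", "actor": "dev-alice", "repo": "acme/internal-tools"}
{"@timestamp": "2026-04-01T09:15:00Z", "action": "repo.download_zip", "actor": "dev-bob", "repo": "acme/core-api"}
{"@timestamp": "2026-04-01T16:40:00Z", "action": "repo.download_zip", "actor": "dev-bob", "repo": "acme/billing"}
"""

# Actions that give a new credential or integration access to repositories.
# These action names are assumed here; verify them against your own export.
CREDENTIAL_ACTIONS = {"integration_installation.create", "oauth_authorization.create", "personal_access_token.create"}

def parse_log(text):
    """Parse newline-delimited JSON audit events, attach a datetime, sort by time."""
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["@timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])

def flag_mass_repo_access(events, window=timedelta(minutes=10), threshold=3):
    """Return {actor: max distinct repos touched inside any sliding window of `window`}."""
    hits = defaultdict(list)
    for e in events:
        if e["action"].startswith("repo.") and e.get("repo"):
            hits[e["actor"]].append((e["ts"], e["repo"]))
    flagged = {}
    for actor, seq in hits.items():
        for i, (t0, _) in enumerate(seq):  # seq is already time-ordered
            repos = {r for t, r in seq[i:] if t - t0 <= window}
            if len(repos) >= threshold:
                flagged[actor] = max(flagged.get(actor, 0), len(repos))
    return flagged

def credential_events_before_burst(events, flagged, lookback=timedelta(hours=1)):
    """For each flagged actor, list credential/integration events within `lookback` before their first repo access."""
    out = {}
    for actor in flagged:
        first_repo = min(e["ts"] for e in events if e["actor"] == actor and e.get("repo"))
        out[actor] = [e["action"] for e in events if e["actor"] == actor
                      and e["action"] in CREDENTIAL_ACTIONS
                      and timedelta(0) <= first_repo - e["ts"] <= lookback]
    return out
```

On the sample, dev-alice is flagged for four distinct repositories inside ten minutes, preceded by an integration installation a minute earlier, while dev-bob's two accesses hours apart are not; in practice the window and threshold should be tuned against a baseline of normal developer and CI behaviour for the organization.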
Further updates are expected as GitHub’s investigation progresses.