GitHub Confirms Cyberattack Compromising Thousands of Internal Repositories
GitHub has confirmed a significant cyberattack attributed to the cybercriminal group TeamPCP, which resulted in unauthorized access to thousands of the platform’s internal code repositories. The breach occurred after an employee’s device was compromised via a malicious Visual Studio Code extension. Despite the scale of the attack, GitHub, owned by Microsoft, has stated that there is currently no evidence indicating that customer repositories or enterprise data were affected.
Decoding the GitHub Cyberattack
On a recent Wednesday, GitHub publicly acknowledged the incident after TeamPCP reportedly advertised stolen source code on a cybercrime forum. The attackers attempted to extort GitHub by offering the stolen code for sale at $50,000, threatening to leak it publicly if no buyer emerged. This incident highlights the increasing sophistication of cybercriminal operations targeting developer-focused platforms.
In a statement shared on X (formerly Twitter), GitHub emphasized its commitment to investigating the unauthorized access. The company noted, “We are investigating unauthorized access to GitHub’s internal repositories. While we currently have no evidence of impact to customer information stored outside of GitHub’s internal repositories, we are closely monitoring our infrastructure for follow-on activity.”
GitHub further stated that if any impact is discovered, customers would be notified through established incident response and notification channels. The company described the breach as “detected and contained,” asserting that the compromise was confined to internal repositories and did not extend to customer-owned data.
TeamPCP’s Growing Role in Cloud-Focused Cybercrime
Research from cybersecurity experts at Cyble has identified TeamPCP as a cloud-focused cybercriminal operation that emerged as a large-scale exploitation platform in late 2025. The group operates under various aliases, including DeadCatx3, PCPcat, PersyPCP, and ShellForce. Unlike other threat actors that rely heavily on zero-day vulnerabilities, TeamPCP has built its operations around automation and the exploitation of known weaknesses and cloud misconfigurations.
Beginning in late 2025, TeamPCP initiated extensive scanning campaigns targeting exposed Docker APIs, Kubernetes control planes, Ray dashboards, and Redis services. Once access is achieved, compromised systems are integrated into a distributed infrastructure used for proxying internet traffic, conducting additional scans, hosting command-and-control infrastructure, deploying ransomware, and executing unauthorized cryptomining operations.
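As an added defender-side example (not code from the article, Cyble or GitHub), the following offline audit checks constructed configuration samples for two of the exposures named above: a Docker daemon publishing its API over plain TCP without TLS client verification, and a Redis instance reachable beyond loopback with no password or with protected mode switched off. File contents, the `<placeholder>` password and the finding strings are all assumptions for illustration.

```python
import json

# Constructed samples: a weak Docker daemon.json beside a hardened one.
WEAK_DOCKER = json.dumps({"hosts": ["tcp://0.0.0.0:2375", "unix:///var/run/docker.sock"]})
SAFE_DOCKER = json.dumps({"hosts": ["tcp://0.0.0.0:2376", "unix:///var/run/docker.sock"],
                          "tlsverify": True, "tlscacert": "/etc/docker/ca.pem"})

# Constructed samples: a weak redis.conf fragment beside a hardened one.
WEAK_REDIS = "bind 0.0.0.0\nprotected-mode no\nport 6379\n"
SAFE_REDIS = "bind 127.0.0.1 -::1\nprotected-mode yes\nrequirepass <placeholder>\nport 6379\n"


def audit_docker(daemon_json: str) -> list[str]:
    """Flag any tcp:// listener in daemon.json when tlsverify is not enabled."""
    cfg = json.loads(daemon_json)
    findings = []
    for host in cfg.get("hosts", []):
        if host.startswith("tcp://") and not cfg.get("tlsverify"):
            findings.append(f"docker: API exposed on {host} without TLS client verification")
    return findings


def audit_redis(conf: str) -> list[str]:
    """Flag a non-loopback bind with no requirepass, and protected-mode off."""
    directives = {}
    for line in conf.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            directives[key] = value.strip()
    findings = []
    # With no bind directive Redis listens on every interface, so treat that as 0.0.0.0.
    bind = directives.get("bind", "0.0.0.0")
    loopback_only = all(a in ("127.0.0.1", "::1", "-::1") for a in bind.split())
    if not loopback_only and "requirepass" not in directives:
        findings.append(f"redis: bound to {bind} with no requirepass")
    if directives.get("protected-mode", "yes") == "no":
        findings.append("redis: protected-mode disabled")
    return findings


if __name__ == "__main__":
    for name, result in (("weak docker", audit_docker(WEAK_DOCKER)),
                         ("safe docker", audit_docker(SAFE_DOCKER)),
                         ("weak redis", audit_redis(WEAK_REDIS)),
                         ("safe redis", audit_redis(SAFE_REDIS))):
        print(name, "->", result or "no findings")
```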
Operational Structure Behind the Cyberattack on GitHub
The operational model employed by TeamPCP diverges from conventional cybercriminal campaigns by prioritizing cloud-native environments over traditional end-user devices. Instead of focusing primarily on phishing campaigns against individual users, the group targets exposed administrative services and container orchestration platforms.
Researchers have observed that TeamPCP’s attack chains typically commence with automated internet-wide scanning for externally accessible services that lack proper authentication or security measures. This approach allows the group to scale attacks rapidly across numerous organizations without relying on highly customized exploitation techniques.
The GitHub cyberattack aligns with TeamPCP’s broader strategy of targeting software development environments and cloud infrastructure, which can provide access to sensitive operational resources.
Countries and Industries Impacted by TeamPCP
Security researchers have noted TeamPCP’s activity across various countries, including the United Arab Emirates, Canada, South Korea, Serbia, the United States, and Vietnam. The group’s targeting pattern appears opportunistic rather than politically motivated, with a primary focus on exposed infrastructure.
Industries affected by TeamPCP operations include Banking, Financial Services, and Insurance (BFSI), consumer goods, and professional services organizations. These sectors often rely heavily on scalable cloud-based systems and internet-facing services, rendering them vulnerable to automated scanning campaigns, cloud misconfiguration exploitation, ransomware deployment, and cryptomining activities.
GitHub hosts code for over 100 million developers globally, making this cyberattack particularly significant within the software development and cybersecurity communities. The company has indicated plans to release a more detailed report once the investigation concludes.
For further details on this incident, visit the original reporting source: thecyberexpress.com.