GitHub confirmed that attackers associated with TeamPCP gained unauthorized access to thousands of the company’s internal code repositories after compromising an employee’s device through a malicious VS Code extension. Despite the scale of the GitHub cyberattack, the Microsoft-owned platform said there is currently no evidence that customer repositories or enterprise data were affected.
The cyberattack on GitHub marks the latest operation linked to TeamPCP, a cybercriminal group that has rapidly expanded its activity through coordinated attacks on developer-focused platforms and cloud infrastructure.
Decoding the GitHub Cyberattack
GitHub publicly acknowledged the incident on Wednesday after TeamPCP allegedly advertised stolen source code on a cybercrime forum. According to the company, the attackers attempted to extort the platform by offering the stolen code for sale at $50,000 and threatening to leak it publicly if no buyer emerged.
In a statement shared on X, formerly Twitter, GitHub said:
“We are investigating unauthorized access to GitHub’s internal repositories. While we currently have no evidence of impact to customer information stored outside of GitHub’s internal repositories (such as our customers’ enterprises, organizations, and repositories), we are closely monitoring our infrastructure for follow-on activity.”
The company further stated:
“If any impact is discovered, we will notify customers via established incident response and notification channels.”
GitHub said the breach originated after an employee’s system was infected through a poisoned VS Code extension. The company described the incident as “detected and contained,” emphasizing that the compromise was restricted to internal repositories and did not extend to customer-owned data.
As part of its response to the GitHub cyberattack, the company rotated critical credentials on the same day the breach was discovered, prioritizing the most sensitive secrets first. GitHub also acknowledged that TeamPCP’s claim of stealing around 3,800 repositories was “directionally consistent” with the company’s own internal assessment regarding the scope of the intrusion.
The platform hosts code for more than 100 million developers globally, making the cyberattack on GitHub particularly significant within the software development and cybersecurity communities. GitHub said it plans to release a more detailed report once the investigation is complete.
TeamPCP’s Growing Role in Cloud-Focused Cybercrime
Cybersecurity researchers at Cyble have identified TeamPCP as a cloud-focused cybercriminal operation that emerged as a large-scale exploitation platform in late 2025. The group is also tracked under several aliases, including DeadCatx3, PCPcat, PersyPCP, and ShellForce.
Unlike threat actors that depend heavily on zero-day vulnerabilities, TeamPCP has reportedly built its operations around automation and the exploitation of known weaknesses and cloud misconfigurations. Researchers say the group combines these methods into a scalable and largely self-propagating attack framework.
Beginning in late 2025, TeamPCP launched extensive scanning campaigns targeting exposed Docker APIs, Kubernetes control planes, Ray dashboards, and Redis services. Once access is achieved, compromised systems are integrated into a distributed infrastructure used for proxying internet traffic, performing additional scans, hosting command-and-control infrastructure, deploying ransomware, and conducting unauthorized cryptomining operations.
Operational Structure Behind the Cyberattack on GitHub
The operational model used by TeamPCP differs from many conventional cybercriminal campaigns because it prioritizes cloud-native environments over traditional end-user devices. Instead of relying primarily on phishing campaigns against individual users, the group focuses on exposed administrative services and container orchestration platforms.
Researchers observed that TeamPCP attack chains commonly begin with automated internet-wide scanning for externally accessible services that either lack authentication or are improperly secured. This allows the group to scale attacks rapidly across large numbers of organizations without relying on highly customized exploitation techniques.
The GitHub cyberattack appears consistent with the group’s broader strategy of targeting software development environments and cloud infrastructure that can provide access to sensitive operational resources.
Countries and Industries Impacted by TeamPCP
Security researchers said TeamPCP activity has been observed across multiple countries, including the United Arab Emirates, Canada, South Korea, Serbia, the United States, and Vietnam. Researchers noted that the group’s targeting pattern appears opportunistic rather than politically motivated, with attacks primarily focused on exposed infrastructure.
Industries affected by TeamPCP operations include Banking, Financial Services, and Insurance (BFSI), consumer goods, and professional services organizations. These sectors often depend heavily on scalable cloud-based systems and internet-facing services, making them vulnerable to automated scanning campaigns, cloud misconfiguration abuse, ransomware deployment, and cryptomining activities.
