GitHub announced on Tuesday that it is looking into unauthorized access to its internal code repositories. This follows claims by a well-known hacking group, TeamPCP, that they are selling GitHub’s source code and internal organizational data on a cybercrime forum.
“At this time, we have found no evidence that customer data stored outside of GitHub’s internal systems—such as data belonging to our enterprise clients, organizations, or their repositories—has been affected. However, we are actively monitoring our systems for any further suspicious activity,” stated the Microsoft-owned company.
GitHub also mentioned that it will inform customers through its standard incident response and notification procedures if any impact is confirmed.
This situation arose after TeamPCP, a group previously linked to a series of software supply chain attacks on open-source packages, listed GitHub’s source code for sale with a minimum asking price of $50,000. The purported data leak reportedly contains around 4,000 repositories.
“Just to be clear, this is not a ransom demand,” the group stated in a post, as per screenshots shared by Dark Web Informer. “We are not interested in extorting GitHub. We have one buyer in mind, and once the sale is complete, we will destroy the data on our end. It seems like we’ll be retiring soon, so if we don’t find a buyer, we’ll just release it for free.”
In a subsequent update posted on X, GitHub revealed that it had identified and contained a security breach involving an employee’s device, which was compromised through a malicious Microsoft Visual Studio Code extension. As a precautionary measure, the company has changed critical security keys, focusing on the most sensitive ones first.
“Our current evaluation suggests that the unauthorized activity was limited to the theft of GitHub’s internal repositories only,” GitHub explained. “The attacker’s claim of approximately 3,800 repositories aligns with the findings of our ongoing investigation.”
GitHub did not specify which VS Code extension was involved. However, it is worth noting that Nx Console recently experienced a security breach that enabled attackers to distribute a multi-stage credential stealer and a tool for poisoning software supply chains. The Nx team has since confirmed that “a very small number of users were affected.”
After the incident, an X account associated with TeamPCP, xploitrsturtle2, commented: “GitHub was aware of this for hours but delayed informing you, and they won’t be truthful in the future. It’s been an incredible journey, and it’s been a pleasure interacting with the security community over the past few months.”
TeamPCP Compromises durabletask PyPI Package
The news of the sale coincides with the ongoing expansion of TeamPCP’s self-replicating malware campaign, known as Mini Shai-Hulud. The latest target is the durabletask package, an official Microsoft Python client for the Durable Task workflow execution framework. Three malicious versions of the package have been identified: 1.4.1, 1.4.2, and 1.4.3.
“The attacker gained access to a GitHub account through a previous attack, extracted GitHub secrets from a repository the user could access, and then used those secrets to obtain the PyPi token needed to publish packages directly,” explained Google-owned Wiz.
The malicious code embedded in the package acts as a dropper, designed to download and execute a second-stage payload (“rope.pyz”) from an external server (“check.git-service[.]com”). Security experts believe this malware is an advanced version of the payload used in last week’s compromise of the guardrails-ai package.
Specifically, the malware is engineered to activate a comprehensive information stealer capable of collecting credentials from major cloud providers, password managers, and developer tools, and sending the stolen data to a domain controlled by the attackers. It is important to note that this stealer is designed to run only on Linux systems.
According to SafeDep, the 28KB Python-based stealer also tries to access HashiCorp Vault KV secrets, unlock and extract data from 1Password and Bitwarden password vaults, and retrieve SSH keys, Docker credentials, VPN configurations, and shell command history.
“If the infected machine is running within AWS, the malware spreads to other EC2 instances using SSM. If it’s within a Kubernetes environment, it spreads through kubectl exec,” noted Aikido Security. “Additionally, if it detects system settings associated with Israel or Iran, there is a 1-in-6 chance it will play an audio file and then execute rm -rf /*.”
“After identifying SSM-managed instances, the malware uses the SendCommand feature with the AWS-RunShellScript document to run the rope.pyz payload on up to five other EC2 instances per profile,” according to StepSecurity. “The propagation script downloads the payload from the primary command-and-control server, with a fallback to the secondary domain t.m-kosche[.]com, and executes it in the background.”
Another notable aspect is the use of the FIRESCALE mechanism to locate a backup command-and-control (C2) address if the primary domain becomes unreachable. This is achieved by scanning GitHub’s public commit messages for the pattern “FIRESCALE
Since the worm spreads using tokens stolen from compromised environments, the number of affected packages is anticipated to increase. Any system or pipeline that installed a malicious version of the package should be considered fully compromised.
“The package is downloaded approximately 417,000 times per month, and the malicious code executes automatically as soon as the package is imported, without any error messages or visible signs of compromise,” warned Endor Labs researcher Peyton Kennedy.
Update
The LAPSUS$ cybercrime group has partnered with TeamPCP for a joint sale of GitHub repositories priced at $95,000. “Everything related to the main platform is included,” stated an accompanying message, according to screenshots from Dark Web Informer. “This is not a ransom; we have no interest in extorting GitHub. If we don’t find a buyer, we will release the data for free.”
Security researcher Rakesh Krishnan reports that the leaked repositories are associated with GitHub Actions, agentic workflows, internal Copilot projects, CodeQL tools, internal infrastructure, security tools, marketing, and GitHub-related programs such as Codespaces and Dependabot. Also included are a Rails controller and a Pull Requests Controller, which are responsible for managing organizations and all pull requests.
