Stolen GitHub Data up for Sale After Security Breach; How Safe Are Repositories?
May 26, 2026
Now that the security breach of GitHub by the “TeamPCP” hacking group has been confirmed, Microsoft is facing even more hard questions about the platform’s overall security and stability. At present the known damage of the breach is the loss of at least 3,800 internal repositories, now being offered up for auction through an underground channel; investigations continue, but for the moment the company says that customer data is not impacted.
Compromise of internal repositories continues losing streak for GitHub
GitHub users can feel some relief, at least for now. But they are almost certainly not happy, not only because the security breach almost certainly contained damaging internal information about the platform, but also because it continues a streak of major mishaps that has some wondering if they will have to go looking for a new host.
Just prior to the security breach, GitHub was mostly making news for reports that it has spent 85% of the last three months inaccessible (with an average downtime of two to three hours per day). This is also not the only security issue reported recently, with the research team at Wiz uncovering a relatively simple but potent attack involving the “git push” command in late April.
In its first reports of the security breach on May 19, Microsoft said only that a “VS Code extension” used by a developer was responsible and would not get into specifics. As Nx Console had just been breached the day before, speculation quickly turned in that direction and has since been confirmed. Nx Console was breached on May 18 for a very short period, but long enough to compromise a number of victims via auto-updates.
Security breach ends in extortion, full scope of stolen data still unknown
The hacking group that stole the information first demanded $50,000 for it via a thread on BreachForums, stating that it would take no less than this amount and would rather leak the repositories for free if it cannot find a willing buyer. However, it has since seemingly partnered with Lapsus$ and moved the auction to their breach portal. They are also now asking $95,000.
TeamPCP is a relatively new group, but has already established itself as a serious threat with numerous prior breaches dating back to at least late 2025. It has also spent most of 2026 targeting open source projects as an entry point for downstream breaches. It has thus far compromised the European Commission, Aqua Security’s Trivy vulnerability scanner, and the Bitwarden CLI release pipeline among other targets.
Attacks on open source and service providers with attractive downstream clients are nothing new and to be expected; the real question is whether GitHub remains safe and secure. Late last month GitHub formally addressed the uptime and reliability issue via a blog post, but most of the technical details of planned improvements await a promised future blog post. It remains to be seen how much of an impact the security breach will have, largely determined by the actual contents of the repositories and what ends up happening to them.



