GitHub investigates internal repositories breach claimed by TeamPCP
Source: Bleeping Computer
Breach Investigation
GitHub is investigating a breach of its internal repositories after the TeamPCP hacker group claimed to have accessed approximately 4,000 repositories containing private code.
GitHub’s cloud‑based development platform is used by more than 4 million organizations (including 90 % of the Fortune 100) and over 180 million developers who contribute to more than 420 million code repositories.
The company has not shared many details about the investigation, but it said it currently has no evidence that customer data stored outside its internal repositories has been affected.
“We are investigating unauthorized access to GitHub’s internal repositories,” GitHub told BleepingComputer when asked for further details.
“While we currently have no evidence of impact to customer information stored outside of GitHub’s internal repositories (such as our customers’ enterprises, organizations, and repositories), we are closely monitoring our infrastructure for follow‑on activity.”
GitHub also said that all affected customers will be alerted through established notification and incident‑response channels if any evidence of impact is discovered.
TeamPCP Demands
TeamPCP claimed access to “GitHub’s source code and internal orgs” on the Breached hacking forum on Tuesday, asking for at least $50,000.
“No low ball offers will be accepted, everything for the main platform is there and I very am happy to send samples to interested buyers to verify the absolute authenticity. There is a total of around ~4,000 repos of private code here.”
“As always this is not a ransom, we do not care about extorting GitHub, 1 buyer and we shred the data on our end, it looks like our retirement is soon so if no buyer is found we will leak it free. If you are interested, send your offers to the communications below, we are not interested in under 50k, the best offer will get it.”
Prior Activity of TeamPCP
TeamPCP has previously been linked to supply‑chain attacks targeting multiple developer platforms:
- GitHub – BleepingComputer article
- PyPI – Backdoored Telnyx PyPI package pushes malware hidden in WAV audio
- NPM – TeamPCP deploys Iran‑targeted wiper in Kubernetes attacks
- Docker – Trivy supply‑chain attack spreads to Docker GitHub repos
In March, the group compromised Aqua Security’s Trivy vulnerability scanner, leading to cascading compromises affecting:
- Aqua Security Docker images – BleepingComputer article
- Checkmarx KICS project – Sysdig blog
The Trivy breach also affected the LiteLLM open‑source Python library, infecting tens of thousands of devices with the “TeamPCP Cloud Stealer” information‑stealing malware – BleepingComputer coverage.
More recently, the gang was linked to the “Mini Shai‑Hulud” supply‑chain campaign (impacting two OpenAI employees) – BleepingComputer article – and threatened to leak Mistral AI source code stolen via compromised CI/CD credentials – BleepingComputer article.