GitHub confirmed a security incident affecting its internal repositories after an employee installed a poisoned Nx Console Visual Studio Code extension. The breach, detected May 19, resulted in the exfiltration of approximately 3,800 internal repositories. GitHub stated that its current assessment shows the activity involved exfiltration of GitHub-internal repositories only, with no evidence that customer information stored outside internal repositories was impacted.
We are investigating unauthorized access to GitHub’s internal repositories. While we currently have no evidence of impact to customer information stored outside of GitHub’s internal repositories (such as our customers’ enterprises, organizations, and repositories), we are closely…
— GitHub (@github) May 19, 2026
The TeamPCP hacking group claimed responsibility for the breach, posting on the Breached cybercrime forum and alleging access to GitHub source code and approximately 4,000 repositories of private code. The group demands at least $50,000 for the stolen data and threatens to leak the repositories if a buyer doesn't materialize. TeamPCP stated that this is not a ransom, according to screenshots shared by Dark Web Informer.
The trojanized version of the VS Code extension was live on the Visual Studio Marketplace for only 18 minutes, between 12:30 PM and 12:48 PM UTC on May 18, 2026. OX Security researcher Nir Zadok stated that the extension looked and behaved like the normal Nx Console but on startup silently ran a shell command that downloaded and executed a hidden package from a planted commit on the official nrwl/nx GitHub repository.
🚨 GitHub source code allegedly offered for sale: Internal orgs and private repositories claimed
A threat actor using the alias TeamPCP claims to be selling GitHub source code and internal organization data.
The actor claims the dataset includes around 4,000 private… pic.twitter.com/kIJ6ffGGnc
— Dark Web Informer (@DarkWebInformer) May 19, 2026
The credential stealer harvested sensitive data from 1Password vaults, Anthropic Claude Code configurations, npm, GitHub, and Amazon Web Services. GitHub removed the malicious extension version, isolated the endpoint, and began incident response immediately. The company rotated critical secrets on Monday and Tuesday, prioritizing the highest-impact credentials first.
The Nx team revealed that the extension nrwl.angular-console was breached after a team member's account was compromised. TeamPCP is characterized by gaining access indirectly, by backdooring open-source security and development tools that its targets already trust and run.
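A defender-side triage check built from the 18-minute exposure window and the extension identifier reported above, as an added example that is not code from GitHub, Nx or OX Security. It assumes VS Code's per-user manifest (typically ~/.vscode/extensions/extensions.json) records identifier.id and metadata.installedTimestamp in epoch milliseconds and that the timestamp reflects when the installed build arrived; the sample manifest, the 5-minute grace margin and the version strings are constructed.

```python
import json
from datetime import datetime, timedelta, timezone

# From the article: the trojanized build was live 12:30-12:48 UTC on May 18, 2026.
WINDOW_START = datetime(2026, 5, 18, 12, 30, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 5, 18, 12, 48, tzinfo=timezone.utc)
EXTENSION_ID = "nrwl.angular-console"   # identifier named by the Nx team
GRACE = timedelta(minutes=5)            # assumption: download time and clock skew


def triage(manifest_text):
    """Return [(version, installed_utc_or_None, verdict)] for Nx Console entries."""
    findings = []
    for entry in json.loads(manifest_text):
        ident = (entry.get("identifier") or {}).get("id", "")
        if ident.lower() != EXTENSION_ID:
            continue
        ts_ms = (entry.get("metadata") or {}).get("installedTimestamp")
        if ts_ms is None:
            # No timestamp recorded: the manifest alone cannot clear this host.
            findings.append((entry.get("version"), None, "unknown"))
            continue
        installed = datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc)
        hit = WINDOW_START - GRACE <= installed <= WINDOW_END + GRACE
        findings.append((entry.get("version"), installed,
                         "exposed" if hit else "outside-window"))
    return findings


def utc_ms(*args):
    """Epoch milliseconds for a UTC calendar time (helper for the sample data)."""
    return int(datetime(*args, tzinfo=timezone.utc).timestamp() * 1000)


# Constructed sample manifest; version strings are placeholders, not real releases.
SAMPLE = json.dumps([
    {"identifier": {"id": "nrwl.angular-console"}, "version": "X.Y.Z-placeholder-a",
     "metadata": {"installedTimestamp": utc_ms(2026, 5, 18, 12, 41)}},
    {"identifier": {"id": "nrwl.angular-console"}, "version": "X.Y.Z-placeholder-b",
     "metadata": {"installedTimestamp": utc_ms(2026, 5, 10, 9, 0)}},
    {"identifier": {"id": "nrwl.angular-console"}, "version": "X.Y.Z-placeholder-c"},
    {"identifier": {"id": "example.unrelated"}, "version": "1.0.0",
     "metadata": {"installedTimestamp": utc_ms(2026, 5, 18, 12, 40)}},
])

if __name__ == "__main__":
    for version, installed, verdict in triage(SAMPLE):
        print(version, installed, verdict)
```

An "outside-window" verdict only narrows the search; hosts reported as "exposed" or "unknown" are the ones to examine first for the credential sources the stealer targeted.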
Following the incident, an X account linked to TeamPCP, xploitrsturtle2, stated:
“GitHub knew for hours, they delayed telling you and they won’t be honest in the future. What an amazing run, it’s been an honor to play around with the cats over the past few months.”
GitHub continues analyzing logs, validating secret rotation, and monitoring for follow-on activity, and has promised a fuller incident report once the investigation completes.

