🚨 BREAKING: GitHub has confirmed a breach of its internal repositories.


The attacker compromised an employee device through a poisoned Visual Studio Code extension. From that single endpoint, they pivoted into internal GitHub repos, dumped secrets, and walked out with what they claim is around 4,000 private repositories of source code and internal organization data.
The threat actor, TeamPCP, listed everything for sale on the Breached forum yesterday with a floor of 50,000 dollars. Their stated terms are blunt: one buyer, no negotiation, and if no one pays, the entire dataset gets leaked for free.
GitHub says it removed the malicious extension version, isolated the device, rotated critical secrets, and activated incident response.
The company maintains there is currently no evidence of impact to customer repositories, enterprises, or organizations stored outside its own internal infrastructure.
The attack vector is the part worth sitting with.
This was not a flaw in GitHub the platform. It was a poisoned extension in the VS Code marketplace, executed on a developer laptop and used to reach everything that laptop could reach.
The same week, two popular GitHub Actions workflows (actions-cool/issues-helper and actions-cool/maintain-one-comment) were compromised through tag manipulation to exfiltrate CI/CD credentials, and a critical RCE vulnerability in GitHub itself, CVE-2026-3854, was patched after researchers showed it could be triggered with a single git push.
Three separate incidents, one consistent message. The platform is hardened. The supply chain around it is the soft target.
For anyone building on GitHub right now, the immediate checklist is simple.
Audit installed VS Code extensions. Pin GitHub Actions to commit SHAs rather than tags. Rotate any tokens, deploy keys, or secrets that could have touched a compromised environment in the last two weeks.
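The "pin GitHub Actions to commit SHAs" item above, as an added example that is not part of the original post: a small Python checker that scans a workflow file for `uses:` references still pinned to a mutable tag or branch (the kind of reference the tag manipulation of the actions-cool workflows abused) and flags anything that is not a full 40-character commit SHA. The sample workflow, its action names and the SHA in it are constructed for illustration.

```python
"""Flag GitHub Actions `uses:` references that point at a mutable tag or
branch instead of an immutable full-length commit SHA."""
import re

# Matches `uses: owner/repo[/path]@ref`, with or without a leading `-`
# and with optional quoting.  Local (`./path`) and `docker://` steps carry
# no `@ref` and are therefore never matched.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^@\s"\']+)@([^\s"\']+)')
FULL_SHA_RE = re.compile(r'[0-9a-f]{40}')
SHORT_SHA_RE = re.compile(r'[0-9a-f]{7,39}')

def find_unpinned_uses(workflow_text):
    """Return (line_number, action, ref, reason) for every `uses:` in the
    workflow that is not pinned to a full 40-hex commit SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group(1), m.group(2)
        if FULL_SHA_RE.fullmatch(ref):
            continue  # immutable pin: the only form that cannot be moved
        if SHORT_SHA_RE.fullmatch(ref):
            reason = "abbreviated SHA: ambiguous, use the full 40-hex SHA"
        else:
            reason = "tag or branch: mutable, can be repointed at malicious code"
        findings.append((lineno, action, ref, reason))
    return findings

# Constructed sample workflow (not from any real repository).
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example/setup-tool@0123456789abcdef0123456789abcdef01234567 # v3.8.2
      - uses: actions-cool/issues-helper@main
      - uses: ./.github/actions/local-step
      - name: short sha
        uses: actions/cache@1a4442c
"""

if __name__ == "__main__":
    for lineno, action, ref, reason in find_unpinned_uses(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {action}@{ref} -> {reason}")
```

Run it over every file under `.github/workflows/`; a clean run is one that prints nothing.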