GitHub confirmed on Wednesday that it is investigating unauthorized access to its internal repositories following the compromise of an employee device. The developer platform said it detected the breach on Tuesday, identifying a poisoned VS Code extension as the vector through which the employee's device was compromised. GitHub said it removed the malicious extension version, isolated the affected endpoint, and began incident response immediately. The company stated it currently has no evidence of impact to customer information stored outside its internal repositories but said it is closely monitoring its infrastructure for any follow-on activity as the investigation continues.

A hacking group called TeamPCP has reportedly claimed responsibility for the compromise and has attempted to sell the stolen data on underground forums, claiming to possess approximately 4,000 private code repositories related to GitHub's main platform and internal organizations. SecurityWeek describes TeamPCP as a sophisticated, automation-heavy group that specializes in turning compromised developer tools into credential-harvesting machines for financial gain, a profile consistent with the VS Code extension attack vector used in this incident. Binance founder Changpeng Zhao responded to the news by advising developers to immediately review and rotate any API keys stored in their code, including in private repositories, noting the window of potential exposure created by the breach. GitHub has not confirmed or denied the scope of data TeamPCP claims to have obtained.