The Breach and Initial Claims
A threat actor known as TeamPCP has alleged they infiltrated GitHub’s internal infrastructure, stealing proprietary company data and source code. The group is reportedly offering the stolen dataset for sale on underground forums, demanding more than $50,000. According to the actor’s forum posts, the haul includes approximately 4,000 private repositories integral to GitHub’s main platform operations. To back up their claims, they have released a public file list and screenshots showing repository archive names, and they are offering data samples to serious buyers for verification.
GitHub’s Response and Ongoing Investigation
Following the public claims, GitHub confirmed they are actively investigating the unauthorized access to their internal repositories. In an official statement, the company reassured users that there is currently no evidence that customer data stored outside of those internal systems (such as enterprise accounts, organizations, and user repositories) was compromised. GitHub stated they are monitoring their infrastructure closely for any follow-up activity. The company’s primary concern remains the containment of the breach and the protection of customer data.
The Threat Actor: TeamPCP and Its History
TeamPCP, tracked by Google Threat Intelligence as UNC6780, is a financially motivated group with a history of severe supply chain attacks. Earlier in 2026, they compromised several major security and development tools, including the Trivy vulnerability scanner, Checkmarx, and LiteLLM, often targeting CI/CD pipelines for credential harvesting. They have also previously leaked the source code for their own Shai-Hulud malware on GitHub using compromised accounts. This latest incident underscores the group’s persistent focus on undermining development ecosystems.
Source: Cyber Security News
