GitHub Internal Source Code Exposure

This article is about ‘Ransomware 2026 Report April’.

On 19 May 2026, a threat actor operating under the handle TeamPCP, listed as [Co-Owner] on the Breached cybercrime forum, published a sale advertisement offering approximately 4,000 private source code repositories belonging to a major developer platform, including the target’s main Rails monolith (~787 MB). The actor distributed a full repository inventory and two sample Ruby source files as proof-of-possession, alongside terminal screenshots from a staging host.

The asking floor was set at USD 50,000, with a live best offer of USD 95,000. The actor frames the operation as a brokered single-buyer sale rather than a ransom, with a stated fallback of publicly leaking the data at no cost if no buyer is secured. The victim organization publicly confirmed the incident, attributing the intrusion to a compromised Microsoft Visual Studio Code extension installed on an employee device.

The victim stated that the adversary’s claim of ~3,800 accessed repositories is broadly aligned with its own investigation, and that current evidence points to exfiltration of internal repositories only, with no indication of customer-data impact at the time of writing.
