On May 19, 2026, a threat actor going by the handle TeamPCP posted a sale listing on the Breached cybercrime forum offering roughly 4,000 private GitHub repositories, including the company’s core Rails application, for a starting price of $50,000. By the time researchers caught the listing, bids had already climbed to $95,000.
GitHub confirmed it.
That’s the part that matters most. This isn’t an unverified forum claim from a low-reputation actor trying to flip fabricated data. GitHub publicly acknowledged that an employee endpoint was compromised, that internal repositories were exfiltrated, and that the volume described by the attacker (around 3,800 repositories) is broadly consistent with their own internal investigation. The most critical credentials have already been rotated, and the incident response is ongoing.
A poisoned Visual Studio Code extension installed on a single employee’s machine. That’s the initial access vector, confirmed by GitHub itself. The extension was pulled and the endpoint isolated once the breach was detected, but by then the damage was done: 55 GB of compressed source code had already left the building.
This is worth sitting with for a moment. GitHub, one of the most security-conscious engineering organizations on the planet, lost control of its internal codebase because someone installed a malicious IDE plugin. Not a zero-day. Not a nation-state implant. A VS Code extension.
The repository inventory distributed by the actor lists 3,877 compressed archives alongside 25 unarchived directories. The largest single file is ecosystem-apps.tar.gz at 1.74 GB, but the one that draws the most attention is main-platform.tar.gz at 787 MB: GitHub’s primary Rails monolith, the beating heart of the platform.
Beyond the monolith, the dataset includes the Git RPC daemon, the replication subsystem, a production MySQL orchestrator, roughly 80 Actions-related repositories, dozens of Copilot repositories, and, perhaps most concerning from a security standpoint, the secrets-federation and secrets-whisperer repositories, which appear to be GitHub’s internal secret-scanning and secret-management subsystems. Exposing the detection logic for a secret-scanning product is a category of damage that’s hard to overstate: anyone who buys this data now knows exactly what GitHub’s scanners are looking for and how to evade them.
There’s also a 514 MB GRC/compliance repository, multiple versions of enterprise internal documentation, and an advisory database that may contain embargoed vulnerability disclosures that haven’t been made public yet.
The actor released two Ruby source files as proof of possession: organizations_controller.rb and pull_requests_controller.rb, both from the main Rails monolith. Researchers at ThreatMon analyzed the files and found internal consistency across multiple dimensions: type-safe Ruby annotations matching a framework GitHub is known to use internally, references to a sharded MySQL cluster architecture consistent with public GitHub engineering blog posts, internal event bus calls, Dogstats instrumentation, and billing constants that match GitHub’s published commercial plan structure. One file also contained an analytics dependency class that post-dates GitHub’s 2018 acquisition of a third-party analytics company.
None of this is trivially fabricable. Combined with GitHub’s own confirmation, the sample files appear to be exactly what they claim to be.
The actor holds a Co-Owner role on the Breached forum, a forum administration position rather than a typical initial access broker or ransomware affiliate. The listing is framed explicitly as a non-ransom, single-buyer brokered sale: one buyer purchases the full dataset, the data is destroyed, and that’s the end of it. The fallback, stated plainly in the listing, is that if no buyer materializes, the data gets leaked publicly for free.
The actor communicates through Session and Tox, both privacy-preserving peer-to-peer messengers. Contact identifiers have been redacted in published threat intelligence briefings.
What makes TeamPCP worth watching beyond this incident is the broader pattern. Public reporting has connected this actor cluster to a separate campaign distributing malicious Python packages, a parallel track targeting developer-tool ecosystems through a different supply-chain angle. A poisoned VS Code extension and a poisoned Python package are two expressions of the same underlying strategy: compromise developers at the tooling layer, before they ever touch production.
The listing is still active. The actor has set the sale as auction-style, with a live best offer that was sitting at $95,000 at time of writing. GitHub’s remediation work continues: the most critical secrets have been rotated, but secondary credential classes like service account tokens, OAuth client secrets, code-signing certificates, and webhook secrets likely need the same treatment across coming sprints.
The broader industry implication is the one that should keep security teams up at night. Developer endpoints have historically been treated as a softer target than production infrastructure. Engineers need broad access to do their jobs, they install a lot of third-party tooling, and extension marketplaces are not subject to the same scrutiny as, say, a production deployment pipeline. This breach demonstrates in concrete terms what that asymmetry costs when an attacker decides to exploit it.
Every organization whose engineers use VS Code extensions, IDE plugins, or open-source developer tooling from public marketplaces is looking at a version of the same attack surface that GitHub just lost control of. The extension that compromised a GitHub employee could have targeted anyone. That’s the real headline here: not the asking price, not the volume, not even the Rails monolith. It’s the vector.