GitHub is investigating a breach of its internal repositories after the TeamPCP hacker group claimed to have accessed approximately 4,000 repositories containing private code.
GitHub’s cloud-based development platform is used by more than 4 million organizations (including 90% of the Fortune 100) and over 180 million developers who contribute to more than 420 million code repositories.
The company has yet to share more information about the investigation, but said it currently has no evidence that customer data stored outside its internal repositories has been affected.
“We are investigating unauthorized access to GitHub’s internal repositories,” GitHub told BleepingComputer when asked for further details.
“While we currently have no evidence of impact to customer information stored outside of GitHub’s internal repositories (such as our customers’ enterprises, organizations, and repositories), we are closely monitoring our infrastructure for follow-on activity.”
GitHub also said that all affected customers will be alerted through established notification and incident response channels if any evidence of impact is discovered.
TeamPCP claimed access to “Github’s source code and internal orgs” on the Breached hacking forum on Tuesday, asking for at least $50,000.
“No low ball offers will be accepted, everything for the main platform is there and I very am happy to send samples to interested buyers to verify the absolute authenticity. There is a total of around ~4,000 repos of private code here,” they said.
“As always this is not a ransom, We do not care about extorting Github, 1 buyer and we shred the data on our end, it looks like our retirement is soon so if no buyer is found we will leak it free. If you are interested. Send your offers to the communications below, we are not interested in under 50k, the best offer will get it.”
TeamPCP has previously been linked to supply chain attacks targeting multiple developer code platforms, including GitHub, PyPI, NPM, and Docker.
In March, the hacker group also compromised Aqua Security’s Trivy vulnerability scanner, which is believed to have led to cascading compromises affecting Aqua Security Docker images and the Checkmarx KICS project.
The Trivy breach also affected the LiteLLM open-source Python library in an attack that infected tens of thousands of devices with its “TeamPCP Cloud Stealer” information-stealing malware.
More recently, the cybercrime gang was also linked to the “Mini Shai-Hulud” supply-chain campaign (which impacted the devices of two OpenAI employees) and threatened to leak the Mistral AI source code stolen using compromised CI/CD credentials.
Automated pentesting tools deliver real value, but they were built to answer one question: can an attacker move through the network? They were not built to test whether your controls block threats, your detection rules fire, or your cloud configs hold.
This guide covers the 6 surfaces you actually need to validate.