The hacker group TeamPCP carried out a large-scale software supply chain attack, compromising thousands of code repositories and extorting victims, officials said today [1, 2].
On the night of May 12, 2026, GitHub confirmed an internal developer installed a poisoned Visual Studio Code extension that enabled the breach [1, 2]. TeamPCP claims to have accessed about 4,000 of GitHub's code repositories, while GitHub confirmed at least 3,800 repositories containing only its own code were compromised—not customer data [1, 2].
TeamPCP posted on BreachForums, offering GitHub’s source code and internal organizational information for sale, writing, "We are here today to advertise GitHub’s source code and internal orgs for sale. Everything for the main platform is there and I very am happy to send samples to interested buyers to verify absolute authenticity" [1].
Cybersecurity firm Socket reported that TeamPCP has orchestrated 20 waves of supply chain attacks targeting more than 500 distinct pieces of software, with over 1,000 software versions hijacked in total [1, 2]. The tainted code deployed in these attacks breached hundreds of companies that had installed the malicious software [2].
Notable victims include GitHub itself, AI firm Anthropic, and data contracting company Mercor [2]. Ben Read of cloud security firm Wiz commented, "It may be their biggest one. But each one of these is a big deal for the company that it h" [2].
GitHub continues to work on containing the breach and investigating the full impact. The company has warned users to update security and monitor for unusual activity following the supply chain compromise [1, 2].