{"id":251099,"date":"2026-05-20T05:28:00","date_gmt":"2026-05-20T09:28:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/05\/20\/github-confirms-hack-impacting-3800-internal-repositories\/"},"modified":"2026-05-21T04:50:10","modified_gmt":"2026-05-21T08:50:10","slug":"github-confirms-hack-impacting-3800-internal-repositories","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/05\/20\/github-confirms-hack-impacting-3800-internal-repositories\/","title":{"rendered":"GitHub Confirms Hack Impacting 3,800 Internal Repositories"},"content":{"rendered":"<p><a href=\"https:\/\/www.securityweek.com\/github-confirms-hack-impacting-3800-internal-repositories\/\">GitHub Confirms Hack Impacting 3,800 Internal Repositories<\/a><\/p>\n<p><a href=\"https:\/\/www.securityweek.com\/github-confirms-hack-impacting-3800-internal-repositories\/\">https:\/\/www.securityweek.com\/github-confirms-hack-impacting-3800-internal-repositories\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-05-20 05:28:00<\/a><\/p>\n<p>Source Domain: <a href=\"www.securityweek.com\">www.securityweek.com<\/a><\/p>\n<p class=\"wp-block-paragraph\"><strong>Microsoft-owned code-hosting platform GitHub on Wednesday morning confirmed that approximately 3,800 internal repositories were impacted in a supply chain attack.<\/strong><\/p>\n<p class=\"wp-block-paragraph\">On Tuesday, the infamous hacking group TeamPCP, known for a series of recent supply chain attacks targeting the open source software community, claimed the hack of 4,000 GitHub internal repositories.<\/p>\n<p class=\"wp-block-paragraph\">Boasting about the incident on an underground hacking forum, the threat actor claimed the theft of source code and internal orgs, offering the allegedly stolen information to any buyer willing to pay at least $50,000 for it.<\/p>\n<p class=\"wp-block-paragraph\">GitHub launched an investigation into the matter shortly after and roughly five hours later confirmed the attackers\u2019 claims.<\/p>\n<p class=\"wp-block-paragraph\">\u201cOur current assessment is that the activity involved exfiltration of GitHub-internal repositories only. The attacker\u2019s current claims of ~3,800 repositories are directionally consistent with our investigation so far,\u201d GitHub said.<\/p>\n<p class=\"wp-block-paragraph\">The code-sharing platform immediately rotated critical secrets, prioritizing highest-impact credentials first.<\/p>\n<p><span class=\"zox-ad-label\">Advertisement. Scroll to continue reading.<\/span><\/p>\n<p class=\"wp-block-paragraph\">\u201cWe continue to analyze logs, validate secret rotation, and monitor for any follow-on activity. We will take additional action as the investigation warrants,\u201d GitHub said, promising a full incident report at a later date.<\/p>\n<p class=\"wp-block-paragraph\">The intrusion, the platform said, was the result of an employee installing a poisoned VS Code extension.<\/p>\n<p class=\"wp-block-paragraph\">GitHub did not name the extension and did not share details on the type of data the compromised employee device contained.<\/p>\n<p class=\"wp-block-paragraph\">According to Aikido Security researcher Charlie Eriksen, VS Code extensions have full access to all data on a developer\u2019s machine, including credentials, SSH keys, cloud keys, and all other secrets.<\/p>\n<p class=\"wp-block-paragraph\">\u201cDeveloper workstations are the number one target in supply chain attacks right now, and this is exactly why. TeamPCP has compromised Trivy, Checkmarx, Bitwarden CLI, TanStack, and now GitHub, all in&#8230;<\/p>\n<p><a href=\"https:\/\/www.securityweek.com\/github-confirms-hack-impacting-3800-internal-repositories\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>GitHub Confirms Hack Impacting 3,800 Internal Repositories https:\/\/www.securityweek.com\/github-confirms-hack-impacting-3800-internal-repositories\/ Publish Date: 2026-05-20 05:28:00 Source Domain: www.securityweek.com&#8230;<\/p>\n","protected":false},"author":1,"featured_media":251100,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.securityweek.com\/wp-content\/uploads\/2024\/03\/GitHub.jpeg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[34],"class_list":["post-251099","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-threat-actor"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/251099"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=251099"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/251099\/revisions"}],"predecessor-version":[{"id":251101,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/251099\/revisions\/251101"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/251100"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=251099"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=251099"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=251099"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}