GitHub is investigating a breach by TeamPCP who claims to have accessed around 4,000 internal repositories and is selling the data on a cybercrime forum - your take

Started by ReacherBadger, May 21, 2026, 10:56 AM


ReacherBadger

GitHub confirmed on May 19th it is investigating unauthorised access to its internal repositories after threat actor TeamPCP, tracked as UNC6780 by Google Threat Intelligence Group, listed GitHub source code and internal organisations for sale on a cybercrime forum. GitHub stated it has no current evidence of impact to customer information stored outside its internal repositories.

TeamPCP is a financially motivated group with established links to ShinyHunters, Scattered Spider, and Lapsus$, with advanced capabilities in CI/CD pipeline exploitation, stolen credential abuse, and privileged access token theft. The group has been linked to multiple high-profile supply chain attacks in 2026, including the Trivy vulnerability scanner compromise.

GitHub Source Code Reportedly Compromised, TeamPCP Claims Breach
Blue is the colour.

Storm52

The "no evidence of impact to customer repositories" caveat is doing a lot of work in that statement. Internal repositories containing development tooling, credential management code, or security architecture could be extremely damaging even without direct customer data exposure.
git commit -m "fixed everything"

Scholar

TeamPCP being linked to ShinyHunters and Scattered Spider puts this in the top tier of sophisticated financially motivated threat actors. These groups have demonstrated they can monetise access in ways that go well beyond selling source code.
Here more than I should be

SGHolly

The Grafana breach via the TanStack npm attack on May 19 and the GitHub breach claim on the same day is either a coincidence or the beginning of a coordinated campaign. TeamPCP operating across multiple targets simultaneously fits their pattern.

Rogue Di

CI/CD pipeline access is more dangerous than most people appreciate. If they can inject into GitHub's build processes, the downstream supply chain implications are enormous. Every developer tool that touches GitHub is in scope.

Odd Maverick

GitHub saying they have no evidence of customer impact is the legally careful statement that tells you the investigation is not complete. Watch for the incident report in two to four weeks.
Posted from my main account

Lazy Sentinel

The comparison to the 2020 SolarWinds supply chain attack is the right frame. The most dangerous thing here is not the source code being sold. It is whether TeamPCP had enough time and access to insert something into something that builds.

FairDos72

4,000 internal repositories is a specific and credible number. TeamPCP tends to publish verifiable samples to establish legitimacy before demanding ransom. Expect a data sample to appear publicly soon.

DiamondDallas_X

Coffee first. Questions later.

Dylan38

Every organisation that deploys GitHub Actions or uses GitHub as a core part of their software supply chain should be reviewing their dependency chains right now, regardless of whether this breach is confirmed.
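One concrete piece of that review is checking whether workflow `uses:` entries are pinned to a full commit SHA rather than a mutable tag or branch, since a compromised upstream action is exactly the kind of downstream exposure the thread is worried about. The script below is an added example, not code from the thread or from GitHub; the workflow text it scans is constructed, and the action names in it are placeholders.

```python
import re

# Constructed sample workflow (not from the thread) mixing pin styles.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 # v3.8.2
      - uses: some-org/some-action@main
      - uses: ./.github/actions/local-step
      - uses: docker://ghcr.io/example/image:1.2.3
      - run: npm ci
"""

# Matches a 'uses:' line; workflow YAML is simple enough that a regex suffices here.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"#\s]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def classify_uses(spec):
    """Classify one 'uses:' target by how immutable its reference is."""
    if spec.startswith("./"):
        return "local"           # lives in this repo; no external ref to pin
    if "@sha256:" in spec:
        return "digest-pinned"   # container image pinned by digest
    if spec.startswith("docker://"):
        return "container"       # image tag is mutable unless a digest is used
    if "@" not in spec:
        return "unpinned"        # no ref at all; resolves to the default branch
    ref = spec.rsplit("@", 1)[1]
    return "sha-pinned" if SHA_RE.match(ref) else "mutable-ref"

def audit_workflow(text):
    """Return (line_no, spec, status) for every 'uses:' entry in a workflow."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            findings.append((n, m.group(1), classify_uses(m.group(1))))
    return findings

def needs_review(text):
    """Entries a reviewer should look at: anything not pinned to an immutable ref."""
    return [f for f in audit_workflow(text) if f[2] in ("unpinned", "mutable-ref", "container")]

if __name__ == "__main__":
    for n, spec, status in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {n}: {status:14} {spec}")
```

Pinning to a SHA does not make an action trustworthy, it only makes the reference immutable, so the flagged entries still need a human to decide what to pin them to.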

Anvil33

The Scattered Spider connection is worth emphasising. That group successfully breached MGM Resorts, Caesars, and others through sophisticated social engineering. Their involvement suggests the initial access may have been through a human rather than a technical exploit