TeamPCP claims ~4,000 GitHub internal repos stolen and for sale on Breached forum, GitHub confirms investigation
GitHub said it is investigating after the cybercrime group TeamPCP listed 'GitHub's source code and internal orgs' for sale on the Breached forum, claiming access to about 4,000 internal repositories and asking at least $50,000. GitHub told BleepingComputer it has 'no evidence of impact to customer information stored outside of GitHub's internal repositories' and that customers will be alerted if that changes. TeamPCP is the same group behind the TanStack supply-chain attack that hit OpenAI and Grafana, the Aqua Trivy compromise, the LiteLLM infection, and the Mistral AI source-code theft. GitHub hosts code for 4 million organizations and 180 million developers.
- Check: Audit GitHub Actions workflows for refs pulled via pull_request_target from forks. Inventory developer machines that synced internal-org repos in the last 30 days for unusual outbound git pushes.
- Affected: GitHub.com users specifically. TeamPCP's claim is limited to GitHub's own internal repos so far. Downstream impact is possible if private code referencing customer secrets is leaked.
- Fix: Wait for GitHub's official notification. Rotate any tokens or PATs that lived in repositories you suspect could be referenced by GitHub internal code, and assume secret-scanning rules might be reverse-engineered.
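
The workflow audit in the Check item can be scripted. This is an added example, not code from GitHub or from the original page: a line-based heuristic (no YAML parser) that flags workflows triggered by pull_request_target that also reference a fork-controlled ref. The function names and the sample workflows are constructed for illustration.

```python
import re
import sys
from pathlib import Path

TRIGGER = re.compile(r"\bpull_request_target\b")
# Expressions that resolve to code controlled by the fork's author.
FORK_REF = re.compile(
    r"github\.event\.pull_request\.head\.(?:sha|ref)"
    r"|github\.head_ref|refs/pull/.+?/(?:merge|head)")

# Constructed sample workflows (not taken from any real repository).
RISKY = """\
on:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
"""
SAFE = """\
on: pull_request_target  # base-branch code only
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/labeler@v5
"""

def audit_workflow(text):
    """Return [(line_no, line)] for fork-controlled refs in a pull_request_target workflow."""
    lines = [re.sub(r"(^|\s)#.*$", "", l) for l in text.splitlines()]  # drop YAML comments
    if not any(TRIGGER.search(l) for l in lines):
        return []  # plain pull_request runs without base-repo secrets; out of scope here
    return [(n, l.strip()) for n, l in enumerate(lines, 1) if FORK_REF.search(l)]

def audit_repo(root):
    """Audit every workflow file under <root>/.github/workflows."""
    found = {}
    for p in sorted(Path(root, ".github", "workflows").glob("*.y*ml")):
        if hits := audit_workflow(p.read_text(errors="replace")):
            found[str(p)] = hits
    return found

if __name__ == "__main__":
    for path, hits in audit_repo(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(path, hits)
```

A hit means the workflow needs manual review, since the heuristic does not check whether the checked-out code is actually executed or which permissions the job holds.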