TeamPCP breaches GitHub, accessing 3,800 internal code repositories
A malicious VS Code extension gave attackers access to source code for GitHub Actions, Copilot, and CodeQL, now being shopped on underground markets for at least $50K.
A threat group called TeamPCP gained access to roughly 3,800 of GitHub’s internal code repositories after compromising an employee’s workstation through a poisoned Visual Studio Code extension. The stolen data reportedly includes source code tied to some of GitHub’s most widely used features: Actions, Copilot, and CodeQL.
The attackers are now trying to sell the exfiltrated code on underground forums, advertising a price tag of at least $50,000. If nobody bites, TeamPCP has threatened to leak the data publicly.
What happened and how it unfolded
The attack vector here is deceptively simple. TeamPCP planted a malicious extension inside VS Code, the text editor that has become the default development environment for a staggering share of the world’s programmers. When a GitHub employee installed or interacted with the compromised extension, it gave the attackers a foothold on their workstation.
From there, TeamPCP was able to access internal repositories. Not the public-facing platform where millions of developers store their own projects, but GitHub’s own codebase, the plumbing behind the product itself.
GitHub has classified this as a software supply-chain attack, a category of breach where attackers don’t kick down the front door. Instead, they poison something trusted further upstream. Think of it like contaminating ingredients at a food processing plant rather than breaking into a restaurant.
The company says there is currently no evidence that customer repositories were accessed or compromised. GitHub has taken steps to rotate and protect critical secrets, and has indicated it may notify customers directly if the risk profile changes.
The stolen repositories reportedly contain internal components related to GitHub Actions (the platform’s CI/CD automation tool), Copilot (its AI-powered coding assistant built on OpenAI models), and CodeQL (a semantic code analysis engine used for security scanning). These aren’t trivial features. They sit at the core of GitHub’s product strategy and, in the case of Copilot, represent one of Microsoft’s flagship AI monetization plays.
TeamPCP’s growing rap sheet
GitHub is far from TeamPCP’s first target. The group has carried out a string of software supply-chain attacks impacting hundreds of organizations, according to Wired. Their playbook centers on exploiting the tools that developers trust implicitly, particularly open-source security tools and developer environment extensions.
This approach is becoming increasingly common across the threat landscape. Supply-chain attacks have surged in recent years because they offer extraordinary leverage. Compromise one upstream dependency or tool, and you can potentially reach every organization that uses it. The SolarWinds breach in 2020 was the watershed moment that brought this attack class into the mainstream consciousness, but the technique has only grown more sophisticated since then.
What makes TeamPCP notable is their focus on developer infrastructure specifically. By targeting VS Code extensions, they’re exploiting a trust model that most developers don’t think twice about. The VS Code marketplace hosts tens of thousands of extensions, and while Microsoft has security review processes, the sheer volume makes comprehensive vetting extremely difficult.
The group’s decision to monetize the stolen code through underground sales rather than deploying it immediately for further attacks suggests a financially motivated operation, though that doesn’t rule out more strategic exploitation down the line. Source code for tools like CodeQL, which is designed to find vulnerabilities in other software, could be particularly valuable to attackers looking to discover zero-day exploits.
Why the crypto industry should pay attention
Here’s the thing. GitHub is not a crypto company. But it is, functionally, the backbone of almost every crypto project in existence.
The vast majority of blockchain protocols, DeFi applications, wallet software, and Web3 infrastructure are built, stored, and collaborated on through GitHub. Ethereum’s core clients, Solana’s validator software, countless smart contract libraries. They all live on the platform. When GitHub’s internal security is compromised, the blast radius extends well beyond Microsoft’s campus.
The immediate concern isn’t that customer repositories were accessed in this breach. GitHub says they weren’t. The deeper worry is about what attackers could learn from studying GitHub’s internal source code. Understanding how Actions workflows execute, how Copilot processes code suggestions, or how CodeQL identifies vulnerabilities gives threat actors a detailed map of the platform’s internals. That knowledge could be weaponized in future attacks that do target customer-facing infrastructure.
For crypto projects, the stakes are uniquely high. A compromised CI/CD pipeline (GitHub Actions is the most popular one in the ecosystem) could allow an attacker to inject malicious code into a protocol’s deployment process. We’ve already seen variations of this attack pattern in crypto. The Codecov breach in 2021 exposed environment variables and secrets from thousands of repositories through a corrupted build tool.
DeFi protocols holding billions in total value locked are only as secure as their weakest dependency. If an attacker understands the internal mechanics of GitHub Actions well enough to craft a targeted supply-chain attack against a specific project’s deployment workflow, the potential for fund theft is significant.
There’s also the Copilot angle. AI coding assistants are increasingly being used to write and audit smart contract code. If attackers understand exactly how Copilot processes suggestions and what training data or internal logic it relies on, there may be ways to influence or predict its outputs in ways that introduce subtle vulnerabilities.
Crypto security teams should be treating this breach as a signal to audit their own GitHub configurations. That means reviewing which Actions workflows have access to deployment keys, ensuring that repository secrets are properly scoped, enabling required reviews for all production-bound code changes, and monitoring for any unauthorized modifications to CI/CD pipelines.
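As an added illustration of that audit (not code from GitHub or from this article), the Python sketch below scans the text of a workflow file for the secrets it references, third-party actions not pinned to a full commit SHA, a missing top-level permissions block, and secrets used without a job environment that could carry required reviewers. The sample workflow, the example-org/deploy-action name and the secret names are constructed for the example, and the checks are line-pattern heuristics rather than a full YAML parse.

```python
import re

SECRET_RE = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")
USES_RE = re.compile(r"^[ \t]*-?[ \t]*uses:[ \t]*([^\s@#]+)@([^\s#]+)", re.M)
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")

# Constructed sample workflow; action and secret names are hypothetical.
SAMPLE = """\
name: deploy
on:
  push:
    branches: [main]
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/deploy-action@0123456789abcdef0123456789abcdef01234567
      - run: ./scripts/deploy.sh
        env:
          DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }}
          RPC_URL: ${{ secrets.RPC_URL }}
"""

def audit_workflow(text):
    """Return review findings for one workflow file's YAML text."""
    # The automatic GITHUB_TOKEN is excluded; the rest are stored secrets.
    secrets = sorted(set(SECRET_RE.findall(text)) - {"GITHUB_TOKEN"})
    # A tag or branch ref can be moved later; a 40-hex commit SHA cannot.
    unpinned = sorted(
        f"{action}@{ref}"
        for action, ref in USES_RE.findall(text)
        if not action.startswith("docker://") and not FULL_SHA_RE.fullmatch(ref)
    )
    has_env = re.search(r"^[ \t]+environment:", text, re.M) is not None
    return {
        "secrets": secrets,
        "unpinned_actions": unpinned,
        # Without this key the token gets the repository's default scope.
        "no_top_level_permissions": re.search(r"^permissions:", text, re.M) is None,
        # Heuristic: no job environment means no environment review gate.
        "secrets_without_environment": bool(secrets) and not has_env,
    }

if __name__ == "__main__":
    for check, result in audit_workflow(SAMPLE).items():
        print(f"{check}: {result}")
```

Run it over every file under .github/workflows in a repository and review each finding against who is allowed to trigger that workflow.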
The $50,000 asking price for the stolen code might sound modest relative to the potential damage, and that’s exactly what makes this dangerous. At that price point, a wide range of threat actors, including those specifically targeting DeFi protocols, could afford access to GitHub’s internal blueprints.