GitHub internal repositories breached.

Update May 22, 2026 1420 UTC:

Added additional protection information.
Updated hash value for IOC relating to index.js (the previous hash, a68dd1e6a6e35ec3771e1f94fe796f55dfe65a2b94560516ff4ac189390dfa1c, is believed to relate to a similar but different TeamPCP compromise).

Update May 21, 2026 1645 UTC:

Reporting indicates that the poisoned VS Code extension involved in this incident was Nx Console (nrwl.angular-console, version 18.95.0). The compromised version of this extension was published on May 18, 2026, and a security advisory is available here.

Sophos Managed Detection and Response (MDR) teams have identified several affected customers through threat hunting.

We’ve also recovered malware from an affected endpoint – a Python backdoor named cat.py (fb5c97557230a27460fdab01fafcfabeaa49590bafd5b6ef30501aa9e0a51142), at the file path /Users/%/.local/share/kitty/cat.py. Initial analysis suggests that this is the same malware observed in the recent @antv supply chain compromise, also attributed to TeamPCP.

This is a remote backdoor that downloads and executes arbitrary Python code from attacker-controlled URLs. It uses the GitHub Search API as a covert communication channel, by polling api.github[.]com/search/commits every hour for the keyword ‘firedalazer,’ and employs public GitHub commits to hide commands in plain sight.

It extracts commands from commit messages, verifies them using a built-in RSA public key, and downloads and executes attacker-provided Python payloads.

On May 19-20, 2026, GitHub confirmed a security incident affecting its own internal systems. A threat actor self-identifying as TeamPCP, also tracked as UNC6780, compromised an employee’s developer device by way of a malicious Visual Studio Code extension and used that foothold to clone roughly 3,800 of GitHub’s internal repositories. The actor has reportedly listed the data for sale on a criminal forum at upwards of $50,000 USD.

GitHub assesses that customer repositories, enterprise accounts, and user data are not affected. The compromise is, on current evidence, confined to GitHub’s own corporate estate. GitHub claims that it has rotated credentials, isolated affected endpoints, and is continuing to investigate.

Sophos has searched its internal estate and has found no evidence of compromise.

What happened

Based on GitHub’s public statements and reporting from The Hacker News, Cybersecurity News, and others, the incident proceeded as follows:

• Initial access. TeamPCP delivered a poisoned Visual Studio Code extension to a GitHub employee’s development device. The extension harvested developer secrets and access tokens from the IDE’s local environment.
• Repository theft. Using stolen credentials, the attacker cloned approximately 3,800 GitHub-internal private repositories containing proprietary source code, deployment scripts, and internal configuration material. Media reporting initially cited a ~4,000 figure; GitHub describes the lower number as “directionally consistent” with its investigation.
• Monetization. TeamPCP listed the stolen data for sale on a cybercrime forum and used a purportedly associated X/Twitter account (xploitrsturtle2) to publicly taunt GitHub.
• Detection by GitHub. GitHub detected the breach on 19 May, began incident response, and rotated critical secrets the same day. The malicious extension version has been removed; infected endpoints have been isolated.

Key TeamPCP TTPs

TeamPCP's defining characteristic is that they gain access indirectly by backdooring open-source security and development tools that targets already trust and run. The following summarises five prominent TeamPCP techniques, mapped to their associated MITRE ATT&CK technique identifiers.

• Software supply chain compromise (T1195.002). Tampering with trusted tools (e.g., Trivy, Checkmarx, LiteLLM) to distribute malware via legitimate update and package ecosystems
• Credential harvesting at scale (T1555 / T1003). Stealing passwords, API keys, cloud credentials, and CI/CD secrets from infected developer and production environments
• Abuse of valid accounts for lateral access (T1078). Reusing stolen tokens and developer credentials to pivot across repositories, pipelines, and organisations
• CI/CD pipeline and package ecosystem abuse (T1608.004). Poisoning build pipelines and publishing malicious packages to propagate access across downstream users and dependencies
• Automated propagation via worming across software dependencies (T1210 / T1105). Deploying self-propagating malware (e.g., CanisterWorm) to spread through npm and developer workflows at scale

Sophos response

Sophos has actively tracked this incident from first public disclosure. Internally we have done the following:

• Internal estate searched. Network proxy, on-prem firewall, central data events, DNS, ZTNA, and GitHub audit logs have all been swept based on the information provided so far. No evidence of compromise has been found. A small number of hits resolved to unauthenticated external bots probing a /git-service URL path and were ruled out as unrelated.
• GitHub audit log review. Anomalous token, secret, OAuth, webhook, and download actions across the last 30 days were reviewed; all events were consistent with routine activity.
• VS Code extension hunt. A list of VS Code extensions present in the Sophos environment has been collected and is being evaluated against publisher reputation and permission scopes. The hunt is live and ongoing.
• Continued monitoring. Sophos X-Ops continues to monitor this incident.

Recommendations

SophosLabs is monitoring this incident and will investigate detection and mitigation opportunities associated with exploitation activity. Sophos X-Ops recommends the following:

• Audit installed VS Code extensions. Inventory extensions across developer endpoints and VDI images. Flag anything outside an approved set, particularly: new or rare publishers, typosquats, very recent permission expansions, and extensions enabling shell integration or task execution on trusted repositories.
• Hunt for IDE-driven anomalies. On developer endpoints, look for: VS Code child processes spawning Git or credential tooling outside developer working hours; archive download immediately followed by interpreter execution; outbound connections to young or rare domains from developer hosts.
• Tighten developer identity. Enforce short-lived tokens, scoped access, and SSO for source control. Rotate any long-lived developer access tokens that were resident on potentially affected hosts. Review audit logs for mass-clone behaviour or unusual repository read patterns.

Sophos X-Ops recommends the following actions for organisations whose developers may have installed the compromised version of the Nx Console extension:

• Remove the compromised extension. Identify and uninstall affected versions of Nx Console across developer endpoints and VDI images. Refer to the Nx project's advisory for the specific version range.
• Treat developer secrets as exposed. On any host where the compromised extension was installed, assume that resident credentials, tokens, SSH keys, and CI/CD secrets are compromised. Rotate them. Pay particular attention to long-lived GitHub, npm, AWS, and Vault tokens, and to publishing credentials used by build pipelines.
• Hunt for the Python backdoor on macOS. Search for the cat.py artifact at the documented path and for any process making outbound requests to api.github.com/search/commits at consistent hourly intervals from non-developer-tool processes. Hourly GitHub Search API polling from a Python interpreter is a high-confidence indicator.
• Audit recent package publishes. Where developers had publishing rights to internal or public package registries, review the package history for the affected window for any unexpected releases signed with stolen tokens.

Protections

The following protections relate to this campaign:

• JS/Agent-BMBA
• JS/Agent-BMBB
• JS/Steal-EAT
• Troj/PyAgent-CN
• JS/Steal-EBA

IOCs

• main.js (extension payload): b0cefb66b953e5184b6adb3035e9e267335ac5eabfe1848e07834777b9397b74
• index.js (orphan-commit payload): e7347d90653efc565f03733a95e9209d78f9cfa81e31ff2b2dd9d48d75a4b8b1
• cat.py (Python backdoor): fb5c97557230a27460fdab01fafcfabeaa49590bafd5b6ef30501aa9e0a51142