TeamPCP's $50K+ sale of ~4,000 GitHub repos: 'directionally consistent'

TL;DR

---

A file listing posted under TeamPCP’s name claims to contain tar.gz archives with names suggestive of GitHub’s core source code, Copilot-related projects, GitHub Enterprise Server, red-team tooling, and XSS hardening code. The advertised scale is roughly 4,000 repositories at an asking price of $50,000 or more. What’s in the listing is reportedly screenshots of directory and archive names — the actual file contents have not been verified as of 2026-05-20.

TeamPCP’s post states: “This is not ransom. We do not care about extorting GitHub, 1 buyer and we shred the data on our end, it looks like our retirement is soon so if no buyer is found, we leak it for free.” Only days after their second sale advertisement (the Mistral AI one), the scope has jumped from Mistral’s ~450 repositories to GitHub’s ~4,000 repositories. The pricing and the “leak it for free” threat are stacked into a listing that appeared only days after the Mistral incident.

GitHub’s official statement and “directionally consistent”

On 2026-05-20, GitHub publicly disclosed the investigation. The official statement reads:

“We are investigating unauthorized access to GitHub’s internal repositories. While we currently have no evidence of impact to customer information stored outside of GitHub’s internal repositories (such as our customers’ enterprises, organizations, and repositories), we are closely monitoring our infrastructure for follow-on activity.”

In an additional comment reported by The Hacker News, GitHub said: “Our current assessment is that the activity involved exfiltration of GitHub-internal repositories only. The attacker’s current claims of ~3,800 repositories are directionally consistent with our investigation so far.”

“Directionally consistent” doesn’t equal accepting 100% of the count — but it does mean the order of magnitude is something GitHub’s own internal investigation can also explain. The actual contents of the files — the real code, the correspondence between internal naming and implementation — have not been officially verified.

Attack vector: TeamPCP claims a VS Code extension

TeamPCP claims the initial entry point was “a poisoned Microsoft Visual Studio Code extension running on a GitHub employee’s device.” GitHub’s official statement does not disclose anything about the intrusion path, so at this point this is an attacker-side claim with no independent verification. That said, TeamPCP’s recent campaigns do include actual VS Code extension compromises, and the day before GitHub’s statement, a wave targeting Nx-related extensions was observed in the wild.

The @antv VS Code extension wave and how close it sits to this

The day before GitHub’s statement, on 2026-05-19, Wiz Research, Datadog, Aikido, and StepSecurity confirmed that more than 400 npm packages in the @antv namespace, the GitHub Actions actions-cool/issues-helper and actions-cool/maintain-one-comment, and the VS Code extension nrwl.angular-console v18.95.0 had all been compromised at the same time. Wiz attributed the activity to TeamPCP based on infrastructure overlap and matching tradecraft.

nrwl.angular-console is an Nx-related developer-tooling extension used in Angular projects. In Wiz’s observation, persistence used a Python backdoor dropped at ~/.local/share/kitty/cat.py that polls GitHub for signed C2 commands using the identifier firedalazer. Once executed on a developer’s machine, it harvests GitHub tokens, SSH keys, and cloud credentials — the same shape as Shai-Hulud variants.

The day before GitHub’s statement, a wave of VS Code extension compromises was observed; the next day, TeamPCP claimed the GitHub breach came “through a VS Code extension on a GitHub employee’s device.” Whether the two are the same incident isn’t established by timeline alone, but independent observers have now confirmed that TeamPCP does in fact operate the “take a developer’s machine via a VS Code extension” vector.

Positioning vs. Mistral, @antv, and Mini Shai-Hulud

In the lineage of TeamPCP’s sale posts, May 2026 also saw a Mistral AI-related claim: ~450 repositories and ~5 GB of internal code on offer. Per TechRadar, Mistral acknowledged a compromise of its codebase management system and partial SDK package poisoning, while saying its hosted service, management user data, and research/test environments were not breached.

That Mistral case sits on the same line as the Mini Shai-Hulud wave that hit TanStack and Mistral’s npm packages. TeamPCP pulls credentials out of legitimate development and distribution paths, then uses those credentials to move to the next organization or package. The next compromise is driven less by source code itself and more by GitHub tokens, npm tokens, cloud keys, and short-lived CI credentials.

On May 12, TeamPCP also published the Shai-Hulud worm’s source code on GitHub. OX Security reported the code was uploaded through compromised GitHub accounts, and copycats had already started modifying it. SecurityWeek reported that TeamPCP and BreachForums had jointly launched a “supply chain challenge” — a competition for intrusion proof and downstream impact. That thread is covered separately in the Shai-Hulud worm source release article: TeamPCP is doing not just technical compromise but underground promotion and mobilization of imitators at the same time. Microsoft’s durabletask Python client was also pulled into this wave, showing the spread across ecosystems.

Credentials matter more than code names

If actual internal repositories really are in the dataset, the more immediate problem isn’t GitHub’s product code itself — it’s the secrets left inside those repositories. “Secrets” here means API keys, Personal Access Tokens, OAuth client secrets, CI/CD publishing credentials, cloud credentials — anything that grants access to a different system. TeamPCP’s past campaigns (chains of attack activity) have been exactly this: pulling out these secrets and using them to bridge into the next distribution path.

GitHub itself has been strongly aware of the Actions-side attack path. In March 2026, the GitHub Actions security roadmap cited attacks on tj-actions, Nx, trivy-action, and others, and laid out workflow-level dependency locking, policy-driven execution, scoped secrets, Actions Data Stream, and egress firewall as key items. The wide outbound network access of GitHub-hosted runners, plus the chain of CI/CD secret exfiltration leading to unauthorized publishes, is clearly visible on GitHub’s official radar.

On May 5, secret scanning in the GitHub MCP Server went GA. MCP stands for Model Context Protocol, the protocol used to connect AI coding agents and IDEs to external tools. GitHub explains that environments like Copilot CLI and VS Code can now scan for exposed secrets before commits or PRs.

These two aren’t direct responses to the current sale post. But the paths TeamPCP targets (CI/CD secrets, Actions runners, developer devices) and the paths GitHub is hardening overlap heavily. Rather than worrying about the truth of the internal code listing, asking “which workflow can receive which credentials,” “where can a runner reach outbound,” and “is anything sensitive being included in pre-publish changes” is closer to actual breach scenarios.

Scope the response based on real exposure

Organizations that simply use GitHub do not yet need to rotate every PAT and every OAuth credential based purely on this sale post. GitHub limits its assessment to exfiltration of internal repositories, with no reported impact to customer data at this point. A full rotation is expensive and tends to break dependent systems.

What’s worth doing first is checking against TeamPCP’s past TTPs — their tactics, techniques, and procedures. Narrow to machines and CI runners that recently touched poisoned versions related to Mini Shai-Hulud, Shai-Hulud variants, Trivy, LiteLLM, Checkmarx, Mistral SDK, or TanStack. In any environment that matches, treat GitHub tokens, npm tokens, cloud keys, SSH keys, and Kubernetes service account tokens as compromised.

On the GitHub Actions side, inspect pull_request_target, workflow_dispatch, id-token: write, broad contents: write, and caches restored from external PRs. pull_request_target is an event where base-repository permissions come into play in the context of an external PR — historically dangerous, including in Pwn Request-style attacks and the TanStack wave. Even with trusted publishing or OIDC, if attacker code runs on the runner, short-lived tokens get used right there.

On developer devices, look at SessionStart hooks in ~/.claude/settings.json, runOn: "folderOpen" tasks in .vscode/tasks.json, suspicious Python scripts like ~/.local/share/kitty/cat.py, and unfamiliar services or LaunchAgents in the gh-token-monitor family. Persistence observed in the @antv wave used ~/.local/share/kitty/cat.py for C2 polling (firedalazer identifier), and the path that touches Claude Code settings was fully disclosed in the Shai-Hulud source release. Looking only at hardcoded IOCs like filenames and hashes will miss copycat versions. Better to catch them via behavior: “agent startup calls an unknown JS file,” “opening a folder triggers a setup script,” or “an IDE extension starts making outbound requests right after an update.”

A VS Code extension audit is worth doing this cycle, given TeamPCP has explicitly named it as an attack vector. Look at installed extensions’ publisher, last-updated date, auto-update setting, presence of postinstall-equivalent arbitrary script execution, and the range of privileged APIs they access. In particular, if GitHub PATs or cloud credentials sit in plaintext on a developer’s machine, an extension can lift them via local read.

What stays unverified

The alert reportedly includes a LimeWire link, a Tox ID, a Session ID, and the logical names of corporate archive files. These are worth registering in threat intelligence systems for monitoring, but I’m not reproducing the specific IDs here. They’re easy entry points for secondary distribution and contact-based lures.

With GitHub having disclosed an investigation and broadly acknowledged the order-of-magnitude count, the points that remain unverified are: whether files at 4,000-repository scale actually exist, whether the listing genuinely derives from internal naming, whether old archives or dummy names are mixed in, how much substance there is behind sensitive names like Copilot-related or red-team material, whether the attack vector really is a VS Code extension, and when the compromise occurred — none of these have been disclosed officially. Rather than jumping on the “GitHub itself has been breached” headline, the work is to read this as an extension of the credential theft and supply-chain spread TeamPCP has already shown across Mistral, TanStack, @antv, and Shai-Hulud — and to tighten your CI/CD perimeter and developer-device extension inventory.

Related TeamPCP articles

• Mini Shai-Hulud hits TanStack & Mistral npm: CVE-2026-45321 (CVSS 9.6), TeamPCP campaign chain — TanStack/Mistral wave and OIDC abuse
• TeamPCP open-sources Shai-Hulud worm; BreachForums runs paid attack challenge — 2026-05-12 source release and copycat mobilization
• PCPJack credential stealer chains 5 CVEs to worm through Docker, Kubernetes, Redis, and RayML — TeamPCP-lineage cloud-credential-stealing malware
• TeamPCP infected telnyx Python SDK with PyPI and stole API credentials with payload embedded in WAV audio — March’s telnyx PyPI compromise and WAV steganography
• TeamPCP poisoned the LiteLLM PyPI package and embedded malware that steals more than 50 kinds of credentials — March’s LiteLLM PyPI compromise and the Trivy chain