
GitHub confirms hackers stole data from 3,800 internal repositories in a recent breach
GitHub has revealed that attackers accessed data from around 3,800 internal repositories after compromising an employee device. The breach was traced to a poisoned version of the nrwl.angular-console Visual Studio Code extension, which is associated with the Nx Console project. GitHub has said there is no evidence that customer data outside its internal repositories was affected, though the company is still investigating and will notify customers if any impact is confirmed.
The malicious extension was available for only 18 minutes on May 18, 2026, but that was long enough to deliver a credential stealer targeting tools including 1Password, Anthropic Claude Code, npm and AWS. The extension behaved like the normal version while silently running a disguised shell command on startup, which downloaded hidden malware from a GitHub repository. GitHub has contained the incident, rotated critical secrets, and continues to monitor for further malicious activity.
TeamPCP has claimed responsibility for the breach and is reportedly selling the stolen data on a cybercrime forum. The group had previously claimed responsibility for a European Commission breach, in which more than 90GB of data was reportedly stolen after hackers obtained a cloud key through a separate compromise involving Trivy, a vulnerability scanning tool.