GitHub confirms unauthorized access to internal repositories; no evidence of customer data breach found

GitHub’s official account @github posted on X at 7:48 a.m. Beijing time on May 20, confirming that it is investigating an unauthorized access incident involving its internal repositories. Currently, “there is no evidence indicating that customer information outside of GitHub’s internal repositories — including enterprise accounts, organizations, and repositories — has been affected.” GitHub also stated it is continuously monitoring its infrastructure, and any impacts will be communicated to users via existing incident response channels. The immediate trigger for this incident was a post attributed to “TeamPCP” on the cybercrime forum hackrisk.io; the post claimed that TeamPCP had stolen GitHub’s internal source code and organizational data, and roughly 4,000 private repositories were listed for sale at a minimum price of $50,000. The post emphasized that “this is not a ransom demand,” stating that data would be deleted after being sold to a single buyer, and otherwise released publicly for free. GitHub responded to this post about 45 minutes later.

According to The Hacker News, TeamPCP is a well-known threat actor that has repeatedly targeted open-source software supply chains, and it maintains ties to the creators of the Shai-Hulud malware. This incident is entirely separate from CVE-2026-3854, the RCE vulnerability disclosed in March 2026, which was identified by Wiz and patched by GitHub prior to any exploitation attempts. CVE-2026-3854 has been verified as never having been exploited in the wild, whereas this unauthorized access to internal repositories is a newly discovered security incident whose attack vector remains undisclosed. As of press time, the investigation is still ongoing, and neither the exact scope of affected repositories nor the attack path has been revealed.

@github on X | The Hacker News