Full Report
GitHub on Tuesday said it's investigating unauthorized access to its internal repositories after the notorious threat actor known as TeamPCP listed the platform's source code and internal organizations for sale on a cybercrime forum. "While we currently have no evidence of impact to customer information stored outside of GitHub's internal repositories (such as our customers' enterprises,
Analysis Summary
# Incident Report: Unauthorized Access to GitHub Internal Repositories
## Executive Summary
GitHub is investigating a significant unauthorized access event involving approximately 4,000 internal source code repositories. The incident was brought to light after the threat actor "TeamPCP" listed the stolen data for sale for $50,000 on a cybercrime forum. Initial findings suggest the breach is part of a larger supply chain attack leveraging the "Mini Shai-Hulud" worm to harvest credentials and GitHub secrets.
## Incident Details
- **Discovery Date:** May 19, 2026 (Publicly acknowledged)
- **Incident Date:** May 2026
- **Affected Organization:** GitHub (Microsoft subsidiary)
- **Sector:** Information Technology / Software Development
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** Early May 2026
- **Vector:** Credential Theft / Account Takeover
- **Details:** TeamPCP compromised a GitHub account via a previous supply chain attack. The threat actor then dumped GitHub secrets from repositories the compromised user had permission to access.
### Lateral Movement
- The attackers used a self-propagating worm ("Mini Shai-Hulud"). On Linux systems, it uses AWS Systems Manager (SSM) and `kubectl exec` to move laterally across EC2 instances and Kubernetes clusters.
### Data Exfiltration/Impact
- Approximately 4,000 internal GitHub repositories and associated source code were exfiltrated.
- PyPI tokens were stolen, leading to the compromise of the `durabletask` package.
- Secrets, SSH keys, Docker credentials, and password vaults (1Password/Bitwarden) were harvested from infected developer environments.
### Detection & Response
- **Discovery:** Monitoring of cybercrime forums identified TeamPCP listing "GitHub Source Code" for sale.
- **Response:** GitHub initiated an internal investigation and infrastructure monitoring; malicious PyPI packages were identified by security firms (Wiz, SafeDep).
## Attack Methodology
- **Initial Access:** Account takeover via previous supply chain compromise.
- **Persistence:** Implementation of a persistent Linux-based infostealer.
- **Privilege Escalation:** Dumping GitHub secrets and cloud-provider credentials.
- **Defense Evasion:** Use of "FIRESCALE" mechanism (searching public commits for C2 instructions) to bypass static C2 blocking.
- **Credential Access:** Scraping HashiCorp Vault, 1Password, Bitwarden, and shell history.
- **Discovery:** Automated enumeration of AWS and Kubernetes environments.
- **Lateral Movement:** "Mini Shai-Hulud" worm using AWS SSM and `kubectl`.
- **Collection:** Automated lifting of source code and environment secrets.
- **Exfiltration:** Data sent to attacker-controlled C2 infrastructure.
- **Impact:** Theft of proprietary source code and potential destructive actions (1-in-6 chance of `rm -rf` on specific regional systems).
## Impact Assessment
- **Financial:** Asking price for data is $50,000; high potential costs for remediation and audit.
- **Data Breach:** ~4,000 internal repositories; GitHub secrets and PyPI tokens.
- **Operational:** Disruption to internal development workflows; necessity for widespread secret rotation.
- **Reputational:** High; marks a significant breach for the world's largest code hosting platform.
## Indicators of Compromise
- **Network indicators:**
  - check.git-service[.]com (Primary C2)
  - t.m-kosche[.]com (Secondary C2)
- **File indicators:**
  - rope.pyz (Second-stage payload)
  - durabletask versions 1.4.1, 1.4.2, 1.4.3
- **Behavioral indicators:**
  - Public GitHub commits containing the string "FIRESCALE ."
  - Unexpected AWS-RunShellScript executions via SSM.
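A defender-side check for the network and behavioral indicators above, added here as an example that is not part of the original report. The CloudTrail records, DNS log lines, the allowlisted SSM principal and the DNS line format are constructed assumptions.

```python
"""Detection helpers for the listed indicators (added example, not from the original report).
Sample CloudTrail records, DNS log lines and the allowlist below are constructed placeholders."""

# Defanged C2 domains copied from the report; refang them for matching.
C2_DOMAINS = {d.replace("[.]", ".") for d in ("check.git-service[.]com", "t.m-kosche[.]com")}
# Assumption: the only principals expected to run AWS-RunShellScript via SSM (placeholder ARN).
ALLOWED_SSM_PRINCIPALS = {"arn:aws:iam::111122223333:role/ops-automation"}

def flag_ssm_commands(records):
    """Return SendCommand events that run AWS-RunShellScript from a non-allowlisted principal."""
    hits = []
    for r in records:
        if r.get("eventSource") != "ssm.amazonaws.com" or r.get("eventName") != "SendCommand":
            continue
        params = r.get("requestParameters") or {}
        if params.get("documentName") != "AWS-RunShellScript":
            continue
        actor = (r.get("userIdentity") or {}).get("arn", "")
        if actor not in ALLOWED_SSM_PRINCIPALS:
            hits.append({"actor": actor, "targets": params.get("instanceIds", []),
                         "source_ip": r.get("sourceIPAddress")})
    return hits

def flag_c2_queries(dns_lines):
    """Return (client_ip, qname) for queries to a listed C2 domain or any subdomain of it.
    Assumed (constructed) line format: '<timestamp> <client_ip> <qname>'."""
    hits = []
    for line in dns_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        qname = parts[2].rstrip(".").lower()
        if any(qname == d or qname.endswith("." + d) for d in C2_DOMAINS):
            hits.append((parts[1], qname))
    return hits

# Constructed sample input: one allowlisted run, one suspicious run, one unrelated SSM document.
SAMPLE_CLOUDTRAIL = [
    {"eventSource": "ssm.amazonaws.com", "eventName": "SendCommand", "sourceIPAddress": "10.0.0.9",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ops-automation"},
     "requestParameters": {"documentName": "AWS-RunShellScript", "instanceIds": ["i-0aaa"]}},
    {"eventSource": "ssm.amazonaws.com", "eventName": "SendCommand", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-ci-token"},
     "requestParameters": {"documentName": "AWS-RunShellScript", "instanceIds": ["i-0bbb", "i-0ccc"]}},
    {"eventSource": "ssm.amazonaws.com", "eventName": "SendCommand",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-ci-token"},
     "requestParameters": {"documentName": "AWS-UpdateSSMAgent"}},
]
SAMPLE_DNS = ["2026-05-19T10:00:01Z 10.0.0.5 check.git-service.com.",
              "2026-05-19T10:00:02Z 10.0.0.6 pypi.org.",
              "2026-05-19T10:00:03Z 10.0.0.7 cdn.t.m-kosche.com."]
```

Running `flag_ssm_commands(SAMPLE_CLOUDTRAIL)` yields only the `dev-ci-token` run against two instances; `flag_c2_queries(SAMPLE_DNS)` flags the exact C2 name and the subdomain of the secondary C2.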
## Response Actions
- **Containment:** Ongoing identification and removal of malicious PyPI packages.
- **Eradication:** Monitoring infrastructure for "follow-on" activity and rotating compromised secrets.
- **Recovery:** Customer notification via established IR channels.
## Lessons Learned
- **Key Takeaway:** Compromising a single developer account can lead to a massive "blast radius" if secrets are stored in repositories.
- **Worm Proliferation:** Modern supply chain attacks now utilize automated lateral movement (worms) that move faster than human response times.
## Recommendations
- **Enforce MFA:** Mandatory hardware-based MFA for all internal accounts.
- **Secret Management:** Implement strictly scoped, short-lived tokens and prevent plain-text secrets in repositories.
- **SSM/K8s Hardening:** Restrict AWS SSM `SendCommand` permissions and harden Kubernetes pod security policies to prevent unauthorized `exec` capabilities.