GitHub got hit. A compromised employee computer running a malicious VS Code extension gave attackers a way into the company’s internal repositories, and now a group called TeamPCP is allegedly selling roughly 4,000 of those private repos on a cybercriminal forum. The asking price: at least $50,000. Not a ransom. A flat sale to a single buyer.
GitHub confirmed the breach on its X account. Attackers got in through the tainted extension on one employee’s device. The company pulled the malicious software fast, and said no customer data outside its own internal systems was touched. Credentials are being rotated, with the most sensitive ones going first. GitHub is also combing through logs for any signs of additional activity and said it’ll share more once the investigation wraps up. No timeline on that.
French researcher Sébastien Latombe spotted the forum listing tied to TeamPCP. The repos mentioned include ones connected to GitHub Actions, GitHub Enterprise, and Azure, among others. GitHub and Microsoft haven’t officially confirmed what’s actually in that listing, so some details are still murky.
Crypto Community Responds Fast
Binance co-founder Changpeng Zhao didn’t wait around. He went straight to social media and urged crypto developers to check their API keys — even the ones sitting in private repositories — and rotate them now. It’s pretty much the clearest piece of advice to come out of the whole situation. Private doesn’t mean safe. That’s the lesson.
Aaron Shames, founder of Topaz DEX, went further and basically said storing API keys in any repository at all is the wrong move. Full stop. Digital artist Tuteth_ and security commentator Dhanush Nehru both pushed the same message: tighten up key storage, and pay serious attention to what permissions your VS Code extensions actually have. Most developers probably haven’t thought twice about that. They should.
Nehru’s point about extension permissions is worth sitting with. VS Code extensions are everywhere in developer workflows. They’re convenient, they’re powerful, and apparently they can be weaponized to pull sensitive data off a machine without anyone noticing until it’s too late. The permissions these tools carry aren’t always obvious, and that uncertainty is a real problem.
Coming Right After the Echo Protocol Attack
The timing is rough. The crypto space is still processing the $76.7 million attack on Echo Protocol, and now a breach at one of the most widely used code storage platforms in the world is adding more fuel to a fire that was already burning. Software supply chain security has been a topic in developer circles for a while, but incidents like these push it from background noise to front-page concern.
Vitalik Buterin has weighed in before on the broader question of software safety, suggesting AI could play a role in improving security through formal verification. That’s probably a longer-term conversation, but it’s not going away.
The challenge for developers right now is more immediate. Updating key storage practices across multiple projects isn’t simple. Teams vary in size, codebases vary in complexity, and not everyone has a dedicated security function watching over things. Smaller teams building on crypto infrastructure are especially exposed — they’re often moving fast and not necessarily thinking about what a compromised extension could do to their stack.
And it’s not just crypto. GitHub serves millions of developers across every industry. But the crypto angle here is sharp because the stakes around key management are so direct. A leaked API key in a fintech or DeFi context can mean lost funds, drained wallets, or compromised smart contracts. The margin for error is basically zero.
What GitHub Is Doing Now
GitHub’s response has been methodical, at least from what’s public. Rotating high-impact credentials first makes sense. The log review is ongoing. The company says findings will come after the investigation closes, which means the broader developer community is in a holding pattern for now.
That waiting period is uncomfortable. Developers who use GitHub for private repositories — and that’s basically everyone — want to know whether their code was anywhere near what got accessed. GitHub’s statement that no external customer data was compromised is reassuring on the surface, but the forum listing and the scale of what TeamPCP is allegedly selling keep the uncertainty alive.
The situation is also a pointed reminder about third-party tooling. VS Code extensions aren’t unique in carrying this kind of risk. Any plugin, add-on, or integration that touches a development environment can become a vector if it’s been tampered with or built maliciously from the start. Vetting that stuff takes time developers often don’t have.
For now, the advice from Zhao, Shames, Nehru, and Tuteth_ is consistent: audit what’s in your repos, rotate keys, and think hard about what you’ve installed in your IDE. TeamPCP is reportedly still looking for that single buyer at $50,000.
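One concrete way to act on "audit what's in your repos", as an added example rather than anything from GitHub or the people quoted above: a small Python scanner that flags API-key-shaped strings in file content and in every line ever added to a repository's git history, since a key deleted from the current tree still sits in old commits. The regex shapes and the sample `.env` content are constructed assumptions, not real credentials.

```python
import re
import subprocess
import sys

# Illustrative key shapes (assumptions; tune these to the providers you actually use).
SECRET_PATTERNS = {
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # key = "value" style assignments; the value is captured in group 2
    "generic_api_key": re.compile(
        r"(?i)\b(api[_-]?key|secret|token)\b\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+=]{20,})"),
}

def mask(value):
    """Keep only the ends so a finding can be triaged without re-leaking the key."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]

def scan_text(text, source="<text>"):
    """Return one finding per line that matches a secret pattern."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for kind, pattern in SECRET_PATTERNS.items():
            m = pattern.search(line)
            if m:
                value = m.group(m.lastindex or 0)
                findings.append({"source": source, "line": line_no,
                                 "kind": kind, "value": mask(value)})
                break  # one finding per line is enough for triage
    return findings

def scan_git_history(repo_path="."):
    """Scan every line ever added in the repo, across all branches."""
    log = subprocess.run(
        ["git", "-C", repo_path, "log", "-p", "--all", "--no-color"],
        capture_output=True, text=True, check=True).stdout
    added = "\n".join(l[1:] for l in log.splitlines()
                      if l.startswith("+") and not l.startswith("+++"))
    return scan_text(added, source=f"{repo_path} (git history)")

# Constructed sample .env content; the AWS value is the well-known documentation example, not a live key.
SAMPLE_ENV = (
    "DB_HOST=localhost\n"
    "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
    f"github_token = \"ghp_{'A' * 36}\"\n"
    "api_key: abcdefghijklmnopqrstuvwxyz123456\n"
)

if __name__ == "__main__":
    results = scan_text(SAMPLE_ENV, "sample.env")
    if len(sys.argv) > 1:          # optional: python scan.py /path/to/repo
        results += scan_git_history(sys.argv[1])
    for f in results:
        print(f"{f['source']}:{f['line']} {f['kind']} {f['value']}")
```

Anything the scanner flags should be treated as already leaked and rotated, not merely deleted from the tree.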
Frequently Asked Questions
How did attackers access GitHub’s internal repositories?
Attackers used a malicious VS Code extension installed on a compromised employee’s computer to gain access to GitHub’s internal repositories.
What is Changpeng Zhao’s advice following the GitHub breach?
Binance co-founder Changpeng Zhao urged crypto developers to check and rotate API keys stored in code, including in private repositories, as a precaution following the breach.