GitHub confirms being hacked by TeamPCP, says customer data unaffected
2026-5-20 12:34:55 Author: therecord.media

GitHub said Wednesday it is investigating unauthorized access to thousands of its internal code repositories after a hacking group compromised an employee's device through a poisoned software extension.

It is the latest attack by TeamPCP, a prolific cybercriminal gang that has conducted a cascading series of supply chain attacks since March, often targeting developer tools including TanStack, Trivy and LiteLLM, with downstream victims including the European Commission.

GitHub, which hosts code for more than 100 million developers worldwide, confirmed the breach on social media after TeamPCP advertised stolen source code on a cybercrime forum.

In a thinly veiled extortion attempt, the hackers offered to sell the code for $50,000, and threatened to leak it for free if no buyer came forward.

The Microsoft-owned platform said the hack took place after an employee's device was compromised via a malicious VS Code extension. The company said the breach was “detected and contained,” and was limited to internal repositories rather than any customer data.

Critical credentials were rotated the same day the breach was detected, with the most sensitive secrets addressed first, the company said, adding that the attacker's claim of around 3,800 repositories being stolen was “directionally consistent” with its own findings of the extent of the breach.

GitHub said it would publish a fuller report once its investigation is complete.

Article source: https://therecord.media/github-confirms-teampcp-hack-customers-unaffected