The Infrastructure Is Fine: How TeamPCP Breached GitHub and Grafana
A poisoned VS Code extension on a single developer device gave TeamPCP access to 3,800 of GitHub's internal repositories. Grafana fell the same week via a different vector in the same campaign.
On May 20, GitHub confirmed that threat group TeamPCP had exfiltrated approximately 3,800 of its internal repositories. The entry point was not a zero-day in GitHub's infrastructure. It was a poisoned VS Code extension installed on one employee's device.
The extension was Nx Console, a developer tool with over 2.2 million installs. A malicious build — version 18.95.0 — was published to the Visual Studio Marketplace on May 18 and remained available for 18 minutes before being pulled. In that window, at least one GitHub employee installed it. The payload harvested credentials from any workspace the developer opened and staged them for exfiltration. GitHub CISO Alexis Wales publicly identified the extension the following day.
GitHub detected the device compromise on May 19, isolated the endpoint, removed the malicious extension version, and began rotating internal credentials — prioritizing highest-impact secrets first. Its public statement on May 20 acknowledged that the breach was confined to GitHub's own corporate estate: internal repositories only, with no confirmed impact on customer organizations, enterprise accounts, or user-hosted repositories. TeamPCP's own claim of roughly 4,000 repositories is directionally consistent with GitHub's internal assessment of approximately 3,800.
TeamPCP listed the stolen material on BreachForums, asking for offers above $50,000. In the same post, they stated they had no interest in extorting GitHub and would release the data for free if no buyer came forward. LAPSUS$ subsequently joined the listing, offering both datasets together for $95,000.
The breach has been assigned CVE-2026-48027.
Grafana: Same Actor, Earlier Intrusion
Grafana Labs confirmed a separate but related incident the same week. On May 16 — four days before the GitHub disclosure — the company announced that attackers had accessed its GitHub environment and exfiltrated its private codebase. Grafana traced the root cause to the TanStack npm supply chain compromise, an earlier TeamPCP operation that infected open-source frontend packages and harvested CI/CD secrets from any pipeline that ran them.
Grafana's investigation found that it had rotated GitHub workflow tokens after the TanStack incident was disclosed, but missed one. That token was used to access its repositories. The failure mode is worth noting: Grafana's initial token rotation was manual, not exhaustive. A single missed credential — from a workflow originally assessed as unaffected — was enough to extend the attacker's access after the primary remediation was complete. An extortion demand followed. Grafana refused to pay, notified federal law enforcement, and published a disclosure under the name of its CISO, Joe McManus. The stolen data included business contact information; Grafana stated that production systems and the Grafana Cloud platform were not affected.
The Broader Campaign
GitHub and Grafana are two incidents in a campaign that TeamPCP has been running since at least March 2026. The earliest confirmed intrusion was a compromise of Aqua Security's Trivy vulnerability scanner via a GitHub Actions workflow referencing mutable dependency tags. From there, the group moved through a chain of package ecosystems — npm, PyPI, and the VS Code Marketplace — injecting credential-stealing payloads tracked by Google Mandiant as SANDCLOCK.
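Two failure modes in this campaign are worth turning into a concrete check: the Trivy compromise entered through a workflow that referenced actions by mutable tag, and Grafana's breach persisted because a manual token rotation missed one workflow credential. The script below is an added example, not code from GitHub, Grafana, or any project named on this page. It scans GitHub Actions workflow text for `uses:` references that are not pinned to a full commit SHA and builds an inventory of every `secrets.*` reference per workflow, which is the list a rotation has to cover exhaustively. The two workflow files and the 40-hex SHA in them are constructed sample input, not real repositories or commits.

```python
import re
from typing import Dict, List, Set

# Constructed sample workflows (not from any real project). The SHA is a
# placeholder, not a real commit. ci.yml mixes a SHA-pinned action, a
# tag-pinned action and a branch-pinned action and uses two secrets;
# nightly.yml is fully pinned and reuses one of those secrets.
SAMPLE_WORKFLOWS: Dict[str, str] = {
    "ci.yml": """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - uses: example-org/release-tool@main
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
      - run: ./deploy.sh
        env:
          GH_TOKEN: ${{ secrets.DEPLOY_PAT }}
""",
    "nightly.yml": """\
name: nightly
on:
  schedule:
    - cron: "0 2 * * *"
jobs:
  sync:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
      - run: ./sync.sh
        env:
          GH_TOKEN: ${{ secrets.DEPLOY_PAT }}
""",
}

# "uses: owner/repo@ref" lines; local (./path) and docker:// uses have no "@"
# in this form and are intentionally not matched.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#@]+)@(\S+)", re.MULTILINE)
# "${{ secrets.NAME }}" expressions anywhere in the file.
SECRET_RE = re.compile(r"\$\{\{\s*secrets\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")
# Only a full 40-hex commit SHA counts as an immutable pin; tags and
# branch names can be moved by whoever controls the action repository.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_mutable_action_refs(workflow_text: str) -> List[str]:
    """Return 'owner/repo@ref' for every action not pinned to a full SHA."""
    return [
        f"{action}@{ref}"
        for action, ref in USES_RE.findall(workflow_text)
        if not FULL_SHA_RE.match(ref)
    ]


def find_secret_refs(workflow_text: str) -> Set[str]:
    """Return the set of secret names a workflow can read at runtime."""
    return set(SECRET_RE.findall(workflow_text))


def audit_workflows(workflows: Dict[str, str]) -> Dict[str, dict]:
    """Per-workflow report: mutable action pins and secrets exposed to it."""
    return {
        name: {
            "mutable_actions": find_mutable_action_refs(text),
            "secrets": find_secret_refs(text),
        }
        for name, text in workflows.items()
    }


def secret_inventory(workflows: Dict[str, str]) -> Dict[str, List[str]]:
    """Invert the audit: for each secret, every workflow that references it.

    This is the checklist a rotation must walk completely; a secret that
    appears in a workflow assessed as 'unaffected' still has to be rotated
    if any compromised dependency ran in that workflow.
    """
    inventory: Dict[str, List[str]] = {}
    for name, text in workflows.items():
        for secret in find_secret_refs(text):
            inventory.setdefault(secret, []).append(name)
    return {secret: sorted(names) for secret, names in inventory.items()}


if __name__ == "__main__":
    for name, report in audit_workflows(SAMPLE_WORKFLOWS).items():
        print(f"{name}: mutable={report['mutable_actions']} "
              f"secrets={sorted(report['secrets'])}")
    for secret, names in secret_inventory(SAMPLE_WORKFLOWS).items():
        print(f"rotate {secret}: referenced by {names}")
```

Run against a real checkout by reading every file under `.github/workflows/` into the dictionary in place of the constructed samples. The inventory is deliberately keyed by secret rather than by workflow: rotating by secret name and then re-running until the inventory reports nothing un-rotated is what closes the gap Grafana described, where the set of workflows judged affected was smaller than the set that actually held the credential.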
The same campaign hit OpenAI (two employee devices compromised via the TanStack attack), Mistral AI (one device, $25,000 extortion demand for alleged 5 GB of source code), and hundreds of other organizations through compromised npm packages across the TanStack, UiPath, OpenSearch, and SAP CAP ecosystems.
No CVEs were assigned across the majority of the campaign. Traditional scanners had no signatures for any of it.
What This Demonstrates
The attack surface here is the developer toolchain, not the application perimeter. A VS Code extension is executable code running with the full permissions of the developer's session. The Marketplace does not enforce code signing or reproducible builds. Any extension can be updated silently, with no prompt, across its entire install base; for Nx Console that is 2.2 million installs.
TeamPCP has demonstrated repeatedly that this trust surface is accessible, scalable, and largely unmonitored. The GitHub breach is the highest-profile result of that approach so far — but it is not structurally different from every other incident in the same campaign. The entry point was the same. The credential-harvesting payload was the same. The exfiltration channel was the same.
The only thing that changed was the target.