Cyber Alert: GitHub Security Incident | FINRA.org

Cyber Alert: GitHub Security Incident

FINRA firms should be aware of a security incident that poses potential risks to organizations using GitHub cloud repository products. FINRA recommends sharing this Cyber Alert with appropriate information technology and information security personnel—as well as any third-party vendors that may use GitHub—to identify whether your firm is impacted and take immediate steps to protect your environments.

Background

On May 20, 2026, cloud-based development platform GitHub confirmed a breach affecting approximately 3,800 internal repositories after threat actors socially engineered an employee into installing a fraudulent VS Code extension.[1] The TeamPCP threat group claimed responsibility.[2] GitHub repositories may contain sensitive information such as source code, system configurations, security credentials, and technical details that threat actors could exploit in future attacks.[3] GitHub stated the following regarding the incident:

  • There is no evidence that customer repositories were affected.
  • GitHub is monitoring its infrastructure for additional malicious activity.
  • Affected customers will be notified if any evidence of impact is discovered.

Recommended Actions

Member firms using GitHub are strongly encouraged to take the following steps:

  • Consider increased monitoring of your firm’s GitHub account activity.
  • Consider implementing compensating controls and defense-in-depth strategies to mitigate potential risks.
  • Monitor GitHub's official communications for updates.
  • Report suspicious activity to your internal security team immediately.
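The first recommended action, increased monitoring of GitHub account activity, is easiest to act on against an audit-log export. The following is an added illustration, not FINRA's or GitHub's code: it triages a constructed JSON-lines audit-log sample, flagging actions that matter after a platform-level incident (app installs, visibility changes, deletions, removed branch protections) and noting actors absent from an allowlist. The action names follow GitHub's audit-log `action` field conventions but are assumptions here; confirm them against your own organization's export.

```python
import json
from collections import Counter
from datetime import datetime, timezone

# Audit-log actions worth an analyst's eye after a platform-level incident.
# Names are assumed to match GitHub's audit-log "action" field; verify
# against a real export from your organization before relying on them.
HIGH_RISK_ACTIONS = {
    "repo.access": "repository visibility changed",
    "repo.destroy": "repository deleted",
    "org.add_member": "member added to organization",
    "integration_installation.create": "GitHub App installed",
    "oauth_application.create": "OAuth app registered",
    "protected_branch.destroy": "branch protection removed",
}


def triage(events, known_actors=frozenset()):
    """Return (findings, per-actor counts) for high-risk actions in an audit-log export."""
    findings = []
    per_actor = Counter()
    for ev in events:
        action = ev.get("action", "")
        if action not in HIGH_RISK_ACTIONS:
            continue
        actor = ev.get("actor", "<unknown>")
        # GitHub exports timestamps as milliseconds since the epoch.
        when = datetime.fromtimestamp(ev["@timestamp"] / 1000, tz=timezone.utc)
        per_actor[actor] += 1
        findings.append({
            "when": when.isoformat(),
            "actor": actor,
            "action": action,
            "why": HIGH_RISK_ACTIONS[action],
            "unknown_actor": actor not in known_actors,  # not on the firm's allowlist
        })
    return findings, per_actor


# Constructed sample export (not real data) in JSON-lines form.
SAMPLE_LOG = """
{"@timestamp": 1779000000000, "action": "repo.push", "actor": "alice", "repo": "acme/app"}
{"@timestamp": 1779000600000, "action": "integration_installation.create", "actor": "contractor-bot", "org": "acme"}
{"@timestamp": 1779001200000, "action": "repo.access", "actor": "contractor-bot", "repo": "acme/app", "visibility": "public"}
{"@timestamp": 1779001800000, "action": "protected_branch.destroy", "actor": "alice", "repo": "acme/app"}
""".strip()


def parse_jsonl(text):
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    found, counts = triage(parse_jsonl(SAMPLE_LOG), known_actors={"alice"})
    for f in found:
        flag = " (actor not on allowlist)" if f["unknown_actor"] else ""
        print(f"{f['when']} {f['actor']} {f['action']}: {f['why']}{flag}")
```

Point the same function at a real export (or the organization audit-log API) and extend `HIGH_RISK_ACTIONS` and the allowlist to match your firm's environment.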

This incident demonstrates how social engineering attacks can compromise trusted platforms and, through them, software supply chains. Firms should review their security configurations, verification protocols, and employee security training to address both technical and human vulnerabilities.

Firms should also review their vendor risk management programs to ensure they have processes in place to respond to third-party security incidents, including policies, procedures, and controls related to cloud platform configuration and third-party service management. Related effective practices can be found in the Third-Party Risk Landscape section of the 2026 FINRA Annual Regulatory Oversight Report.

Reporting

FINRA encourages member firms that identify data breaches or attempted data breaches to contact your Risk Monitoring Analyst and report them to:

Additionally, both the FBI and the Cybersecurity & Infrastructure Security Agency (CISA) urge organizations to promptly report cyber incidents to a local FBI Field Office or the FBI Internet Crime Complaint Center (IC3) at IC3.gov, and to CISA via CISA’s 24/7 Operations Center ([email protected] or 888-282-0870). 

Questions related to this Alert or other cybersecurity-related topics can be emailed to the FINRA Cyber and Analytics Unit (CAU).

Want more intel? Access the Financial Intelligence Fusion Center.

FINRA's new Financial Intelligence Fusion Center (FIFC) is a secure portal where member firms can access and share timely, actionable cybersecurity and fraud threat intelligence. FIFC portal access can be entitled to staff at your member firm and its affiliates, so intelligence is shared with the appropriate people. Visit fifc.finra.org to learn more and to sign up.

Note: This Alert does not create new legal or regulatory requirements or new interpretations of existing requirements, nor does it relieve firms of any existing obligations under federal securities laws, regulations, and FINRA rules. Member firms may consider the information in this Alert in developing new, or modifying existing, policies and procedures that are reasonably designed to achieve compliance with relevant regulatory obligations based on the member firm’s size and business model. Moreover, some information may not be relevant due to certain firms’ business models, sizes, or practices.


[1] VS Code extensions are plugins available in the VS Code Marketplace (Microsoft’s official add-on store) that add functionality to the code editor.

[2] TeamPCP is a financially motivated threat group known for supply-chain attacks targeting software development tools. Active since early 2026, the group compromises legitimate software packages to deploy credential-stealing malware.

[3] A cyber incident involving GitHub could compromise software supply chains and expose sensitive code across thousands of organizations. The platform serves more than 4 million organizations (including 90 percent of the Fortune 100) and 180 million developers, and hosts more than 420 million code repositories.