"We have checked our own environments thoroughly and found no traces of compromise. We suspect this may be part of the broader GitHub infrastructure breach carried out by the TeamPCP hacking group in May 2026: https://techcrunch.com/2026/05/20/github-says-hackers-stole-..."
Greater HN collective, please help me metaphorically double-click on this. I've poked around a bit but didn't find out much more than the given link. What are we concerned about the hack possibly having accomplished?
Because stealing repos is bad enough... but are we saying it's possible that commits can now magically appear in repos from hackers? I don't want to raise any alarms if I'm misreading this or if we're early in the news cycle, but if that's possible, I and a lot of other people reading this need to have some immediate conversations with a lot of people. So... is that what this is saying? Or am I misreading it? I sure hope so.
I was impacted. found weird spam repos that later were deployed on cloudflare redirecting my domains.
meanwhile the gitea running on my metalbox for nearly a decade has seen no compromise and 100% uptime when cloudflare has gone down repeatedly
im rethinking the whole "go where crowd is" , while great from evolutionary point of view, its the complete opposite. Where the crowd gathers online is the most dangerous place.
Linux is absolutely popular for servers. If you put a WordPress installation on the IPv4 address space, or any other kind of PHP you usually find a webshell has appeared after just a few minutes.
* GitHub's backwards priorities end up causing a hack on their systems.
* Hackers use their newly gained powers to compromise other people's repos.
* GitHub dectects compromised repo, and suspends the account of its maintainer, so they cannot warn nor act against it to protect or at least warn their community of users.
"I cause a fire, and later ban you for getting burned."
I had a repo with more than a dozen forks banned on GitHub for some unclear TOS violations. Ticket has been sitting for a week plus now, asking for clarification and guidance.
It's a running a fork (codeberg specific) of a fork of gitea called forgejo (https://codeberg.org/forgejo/forgejo) so it's not surprising. The people behind it were a bit miffed at Gitea doing some questionable commercial endeavors in their view and also not dog-fooding Gitea for Gitea.
Gitlab's UI changes every now and then, for seemingly no reason. The UI is very full of stuff (hard to find your way around), and very slow. Notably in the past months, they've changed the issues/tickets board into a "work items" board which feels infinitely slower to load, has such a vague meaning that nobody can find it (especially when translated), and brings exactly 0 use to anyone i know. They just seem to be doing that with every feature and every part of the interface.
On the server side, gitlab was always very hard to selfhost with many moving parts, many requirements, and using much resources. gitlab-runner is not very explicit about things when you're not in the happy path (why is it not picking up jobs?).
I'm not even a minimalist. I've been running gitea/forgejo for the past 8 years or so and it's been a miracle in comparison: lightweight server, easy setup/upgrades, and super simpler UI/UX that everybody understands on the first try. Forgejo (gitea community fork) learns from everything that Github historically made good (UX) without any enshitiffication in sight (developed by a non-profit). I highly recommend it.
I tried self hosting gitlab. I installed it and got miffed that it wouldn't let me change password complexity requirements for a user, so I left it but left it running for "maybe later".
Two weeks later it had spammed 50GB of logs to the disk and was idling at 11GB RAM. With zero repos and zero active users. I don't want a git interface to be full of bloat.
That's why I don't like it. I'm moving a client from gitlab to forgejo at the moment.
It's 3 days now, and sadly yes, I can confirm the story. My @icflorescu GH account still suspended, total silence from their support, malicious payload still there and no way for me to remove it. Haven't slept since, tried everything, posted everywhere I could think of.
Any help would be highly appreciated.
Looking at the setup.js it seems to be an infostealer which posts the found details to a newly created github repo (on the victims account) or a command and control server. As far as I can tell it looks for github secrets and kubernetes cluster secrets.
She has her own GitHub account. It’s funny weird, but in a good way methinks.
I’m thinking of it this way - if your spouse’s GH account was breached and blocked, would you let them use your account? I would not… This isn’t her account issue, it’s his.
"We have checked our own environments thoroughly and found no traces of compromise. We suspect this may be part of the broader GitHub infrastructure breach carried out by the TeamPCP hacking group in May 2026: https://techcrunch.com/2026/05/20/github-says-hackers-stole-..."
Greater HN collective, please help me metaphorically double-click on this. I've poked around a bit but didn't find out much more than the given link. What are we concerned about the hack possibly having accomplished?
Because stealing repos is bad enough... but are we saying it's possible that commits can now magically appear in repos from hackers? I don't want to raise any alarms if I'm misreading this or if we're early in the news cycle, but if that's possible, I and a lot of other people reading this need to have some immediate conversations with a lot of people. So... is that what this is saying? Or am I misreading it? I sure hope so.
I was impacted. found weird spam repos that later were deployed on cloudflare redirecting my domains.
meanwhile the gitea running on my metalbox for nearly a decade has seen no compromise and 100% uptime when cloudflare has gone down repeatedly
im rethinking the whole "go where crowd is" , while great from evolutionary point of view, its the complete opposite. Where the crowd gathers online is the most dangerous place.
it's the same with linux viruses. they were always a possibility, but because linux is not popular, they were never an issue.
Linux is absolutely popular for servers. If you put a WordPress installation on the IPv4 address space, or any other kind of PHP you usually find a webshell has appeared after just a few minutes.
true, i get these attempts on my server daily. but here too you got less popular alternatives, so the same principle applies.
This totally isn't true. Sure, if you load it with vulnerable plugins, but otherwise this type of FUD helps nobody.
Don't use github actions. Don't use toolchains that auto execute stuff.
Simple as that, because that's the attack surface.
https://cookie.engineer/weblog/articles/malware-insights-git...
I wrote that article December 2024. Still ongoing, Microsoft. Best enterprise security practices, I suppose shrugs ...
So in summary:
* GitHub's backwards priorities end up causing a hack on their systems.
* Hackers use their newly gained powers to compromise other people's repos.
* GitHub dectects compromised repo, and suspends the account of its maintainer, so they cannot warn nor act against it to protect or at least warn their community of users.
"I cause a fire, and later ban you for getting burned."
No wonder people are leaving.
Where are they going? If its not self hosted I don't see it not ending up like github.
codeberg
I had a repo with more than a dozen forks banned on GitHub for some unclear TOS violations. Ticket has been sitting for a week plus now, asking for clarification and guidance.
So, it lives in codeberg now. https://codeberg.org/nelsonjchen/op-replay-clipper
this just looks like a reskinned gitea
It's a running a fork (codeberg specific) of a fork of gitea called forgejo (https://codeberg.org/forgejo/forgejo) so it's not surprising. The people behind it were a bit miffed at Gitea doing some questionable commercial endeavors in their view and also not dog-fooding Gitea for Gitea.
huh i did not know that . thanks for forgejo guess im moving
it's the "main" instance of forgejo, a gitea fork
https://codeberg.org/forgejo/forgejo
There exist competent operations people and competent developers.
Why do people not like gitlab? I’ve always found it a better experience than github
same. so much more intuitive
Gitlab's UI changes every now and then, for seemingly no reason. The UI is very full of stuff (hard to find your way around), and very slow. Notably in the past months, they've changed the issues/tickets board into a "work items" board which feels infinitely slower to load, has such a vague meaning that nobody can find it (especially when translated), and brings exactly 0 use to anyone i know. They just seem to be doing that with every feature and every part of the interface.
On the server side, gitlab was always very hard to selfhost with many moving parts, many requirements, and using much resources. gitlab-runner is not very explicit about things when you're not in the happy path (why is it not picking up jobs?).
I'm not even a minimalist. I've been running gitea/forgejo for the past 8 years or so and it's been a miracle in comparison: lightweight server, easy setup/upgrades, and super simpler UI/UX that everybody understands on the first try. Forgejo (gitea community fork) learns from everything that Github historically made good (UX) without any enshitiffication in sight (developed by a non-profit). I highly recommend it.
If you're leaving based on security failures, Gitlab is not the place to go.
Personally, they're going wayyy too hard on the AI stuff. I just want an interface to git and maybe an issue tracker.
I tried self hosting gitlab. I installed it and got miffed that it wouldn't let me change password complexity requirements for a user, so I left it but left it running for "maybe later".
Two weeks later it had spammed 50GB of logs to the disk and was idling at 11GB RAM. With zero repos and zero active users. I don't want a git interface to be full of bloat.
That's why I don't like it. I'm moving a client from gitlab to forgejo at the moment.
>20hrs no action by MS to fix this heavy security problem? It's embarassing
It's 3 days now, and sadly yes, I can confirm the story. My @icflorescu GH account still suspended, total silence from their support, malicious payload still there and no way for me to remove it. Haven't slept since, tried everything, posted everywhere I could think of. Any help would be highly appreciated.
Seems like it's similar to the attack reported in this other HN post: https://news.ycombinator.com/item?id=48409869
We're working on an antiworm. One of our customers got affected.
Our tool already discovers infected repositories and mitigates/removes the implants from the filesystem.
Please revoke/rotate all your tokens and passwords that were used in the infected repositories, the worm is pretty sophisticated.
https://github.com/Team-Rockstars-Security/antimiasma
Looking at the setup.js it seems to be an infostealer which posts the found details to a newly created github repo (on the victims account) or a command and control server. As far as I can tell it looks for github secrets and kubernetes cluster secrets.
Its funnyweird that the post is from his wife rather than from him using his wife's account.
She has her own GitHub account. It’s funny weird, but in a good way methinks.
I’m thinking of it this way - if your spouse’s GH account was breached and blocked, would you let them use your account? I would not… This isn’t her account issue, it’s his.
Well, it's probably better to avoid the risk of her account being banned for 'ban evasion'.