Skip to content

GitHub Confirms Breach of 3,800 Internal Repositories via Malicious VSCode Extension

BleepingComputer · Story 2 of 6

GitHub has confirmed a significant security breach in which approximately 3,800 internal repositories were accessed and exfiltrated. The attack vector was a trojanized Visual Studio Code extension installed by an employee on their device, which gave the attackers access to GitHub's internal codebase.

The company detected and contained the compromise, removed the malicious extension from the VS Code Marketplace, and isolated the affected endpoint. 'Our current assessment is that the activity involved exfiltration of GitHub-internal repositories only,' GitHub stated. The company says there is no evidence that customer data stored outside the affected repos was compromised.

The TeamPCP hacking group claimed responsibility, posting on the Breached cybercrime forum that they had access to approximately 4,000 repositories of private code and were seeking at least $50,000 for the stolen data. TeamPCP has previously been linked to supply chain attacks targeting PyPI, NPM, Docker, and GitHub Actions, as well as the 'Mini Shai-Hulud' campaign that also impacted two OpenAI employees.

This incident underscores the growing risk of developer tool supply chain attacks. VS Code extensions have become a persistent attack surface, with multiple incidents in recent years involving extensions with millions of installs being used to steal credentials and sensitive data.

Analysis
Live

Developer tool supply chains are the new perimeter. An entire codebase was compromised not through a zero-day or credential stuffing, but because someone installed a VS Code extension — a vector that Microsoft's marketplace still struggles to police effectively.

Frequently Asked Questions
Was customer data affected in the GitHub breach?

GitHub states the breach was limited to internal repositories only, with no evidence that customer data or user-hosted private repos were accessed.