GitHub Breach: 3,800 Internal Repos Stolen via VS Code Extension

Key Takeaways

- Attackers compromised a GitHub employee's device using a malicious VS Code extension
- Data from approximately 3,800 internal repositories was stolen
- TeamPCP claims responsibility and is selling the data on a cybercrime forum
GitHub confirmed on Tuesday that hackers breached its systems and stole data from approximately 3,800 internal code repositories. The attack vector: a poisoned Visual Studio Code extension that compromised an employee's device.
The Microsoft-owned developer platform disclosed the incident through a series of posts on X, stating it has "no evidence of impact to customer information stored outside of GitHub's internal repositories." The investigation remains ongoing.
The Attack Method
GitHub said it "detected and contained a compromise of an employee device involving a poisoned VS Code extension." Visual Studio Code is one of the most popular code editors among developers, and its extension marketplace has become a growing target for attackers.
The company has not named the compromised extension. Without a name, other developers cannot check whether the same extension is installed on their own machines, and it may still be present on thousands of them.
Malicious editor extensions are a growing software supply chain threat. By compromising a popular open-source tool or extension, attackers reach a large number of developer machines in a single operation. The downstream effects can be severe: stolen credentials, compromised code signing keys, and backdoors inserted into production software.
Who's Behind It
A hacking group called TeamPCP has claimed credit for the breach, according to reports from The Record and Bleeping Computer. The group is reportedly selling the stolen data on a cybercrime forum.
GitHub has not responded to questions about whether it received any communication from the hackers, including ransom demands.
TeamPCP has a track record. The group previously claimed responsibility for a data breach at the European Commission that resulted in the theft of more than 90 gigabytes of data. The cloud keys used in that attack were reportedly harvested in an earlier compromise of Trivy, an open-source vulnerability scanner: the attackers pushed info-stealing malware to Trivy's downstream users and collected credentials from the infected machines.
A Pattern of Supply Chain Attacks
The GitHub breach fits a troubling pattern. OpenAI was targeted recently in a similar attack that compromised TanStack, a set of open-source JavaScript libraries widely used by web developers. Hackers pushed malicious updates through TanStack packages that stole passwords and authentication tokens from users.
These attacks share a common logic: instead of attacking thousands of targets individually, compromise a trusted tool that all of them use. Developer tools are particularly valuable targets because they run with the developer's own privileges, which usually means read access to source code, git credentials, SSH keys, deployment keys, and cloud CLI credentials sitting in the home directory.
What GitHub Says Is Safe
GitHub emphasized that customer data stored outside its internal repositories appears unaffected. This distinction matters: GitHub hosts code for millions of organizations, and a breach of customer repositories would be catastrophic.
Internal repositories typically contain GitHub's own tooling, infrastructure code, and proprietary systems. While this data has value to attackers, particularly for finding additional vulnerabilities, it's different from exposing customer source code directly.
That said, "investigation ongoing" means the full scope isn't known yet. Companies often discover broader impact as forensic analysis continues.
What Teams Should Do Now
- Audit VS Code extensions across your organization. Inventory what is installed on every developer machine, pin the set you actually need, and remove the rest.
- Review what each remaining extension actually does. VS Code has no per-extension permission model: an extension runs in the extension host with the same privileges as the developer, so the questions to ask are who publishes it, whether it activates at editor startup, and whether it needs network or file access at all.
- Keep extension signature verification enabled (VS Code verifies Marketplace packages by default via the extensions.verifySignature setting) and restrict installs to an allowlist where your deployment supports it. Note the limit: a valid signature proves the package came through the Marketplace unmodified, not that its publisher is trustworthy. A poisoned extension published through the Marketplace is signed like any other.
- Check your GitHub organization's audit logs for activity that does not match normal developer behaviour: new OAuth app authorizations or personal access tokens, repository downloads or clones from unfamiliar addresses, and new members or outside collaborators.
- Rotate credentials if anyone on the team used a flagged extension. Treat everything the extension host could read as exposed: the GitHub tokens the editor holds, git credential helper entries, SSH keys, and cloud CLI credentials in the home directory.
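The inventory and triage steps above can be scripted. The following is an added example written for this article, not tooling from GitHub or Microsoft. It assumes VS Code's default layout, in which each installed extension is unpacked under ~/.vscode/extensions/<dir>/package.json, and it flags any extension that is missing from a pinned allowlist, installed at a version other than the pinned one, or able to run code as soon as the editor starts. The allowlist and the four sample manifests created by build_sample_dir() are constructed for the demonstration.

```python
"""Audit the VS Code extensions installed on a developer machine.

Added example for this article, not tooling from GitHub or Microsoft.
Assumptions: extensions are unpacked under ~/.vscode/extensions/<dir>/package.json
(VS Code's default layout); ALLOWLIST and the manifests written by
build_sample_dir() are constructed sample data.
"""
import json
import sys
import tempfile
from pathlib import Path

# Constructed allowlist: extension id (publisher.name, lower-case) -> pinned version.
ALLOWLIST = {
    "ms-python.python": "2024.4.1",
    "esbenp.prettier-vscode": "10.4.0",
}

# Activation events that start an extension as soon as the editor opens,
# independent of what the user does. Malicious extensions want one of these.
BROAD_ACTIVATION = {"*", "onStartupFinished"}


def default_extensions_dir() -> Path:
    """Where VS Code unpacks extensions on Linux, macOS and Windows."""
    return Path.home() / ".vscode" / "extensions"


def load_extension(pkg_path: Path) -> dict:
    """Read the manifest fields that matter for triage."""
    data = json.loads(pkg_path.read_text(encoding="utf-8"))
    ext_id = f"{data.get('publisher', '')}.{data.get('name', '')}".lower()
    return {
        "id": ext_id,
        "version": data.get("version", ""),
        "activation": data.get("activationEvents", []),
        # Without an entry point the extension only contributes themes, grammars
        # or snippets and cannot execute code in the extension host.
        "runs_code": "main" in data or "browser" in data,
        "path": str(pkg_path.parent),
    }


def audit(ext_dir: Path, allowlist: dict) -> list:
    """Return one finding per extension that is unpinned, drifted or broad."""
    findings = []
    for pkg in sorted(ext_dir.glob("*/package.json")):
        ext = load_extension(pkg)
        reasons = []
        pinned = allowlist.get(ext["id"])
        if pinned is None:
            reasons.append("not on allowlist")
        elif pinned != ext["version"]:
            reasons.append(f"installed {ext['version']}, allowlist pins {pinned}")
        if ext["runs_code"] and BROAD_ACTIVATION.intersection(ext["activation"]):
            reasons.append("runs code at editor startup")
        if reasons:
            findings.append({**ext, "reasons": reasons})
    return findings


def build_sample_dir() -> Path:
    """Create a temporary extensions directory with constructed manifests."""
    root = Path(tempfile.mkdtemp(prefix="vscode-ext-audit-"))
    manifests = {
        "ms-python.python-2024.4.1": {
            "publisher": "ms-python", "name": "python", "version": "2024.4.1",
            "main": "./out/extension.js", "activationEvents": ["onLanguage:python"],
        },
        "esbenp.prettier-vscode-9.0.0": {
            "publisher": "esbenp", "name": "prettier-vscode", "version": "9.0.0",
            "main": "./dist/extension.js", "activationEvents": ["onStartupFinished"],
        },
        "someone.helpful-tools-1.0.3": {
            "publisher": "someone", "name": "helpful-tools", "version": "1.0.3",
            "main": "./extension.js", "activationEvents": ["*"],
        },
        "someone.nice-theme-1.0.0": {
            "publisher": "someone", "name": "nice-theme", "version": "1.0.0",
            "contributes": {"themes": [{"label": "Nice", "path": "./t.json"}]},
        },
    }
    for dirname, manifest in manifests.items():
        d = root / dirname
        d.mkdir()
        (d / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


if __name__ == "__main__":
    # Pass a real extensions directory as argv[1]; otherwise audit the sample.
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else build_sample_dir()
    for f in audit(target, ALLOWLIST):
        print(f"{f['id']} {f['version']}: {'; '.join(f['reasons'])}")
```

Run it as `python audit_extensions.py ~/.vscode/extensions` on each machine and collect the output centrally. A theme-only extension that is off the allowlist is a policy violation but cannot execute code; an unlisted extension that activates on "*" is the case to pull the machine aside and rotate credentials for.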
Frequently Asked Questions
Was customer source code exposed in the GitHub breach?
GitHub says there's no evidence of impact to customer information stored outside internal repositories. Only GitHub's own internal code appears affected, though the investigation continues.
Which VS Code extension was compromised?
GitHub has not disclosed the name of the malicious extension. This information would help developers check their own systems.
Who is TeamPCP?
TeamPCP is a hacking group that previously claimed credit for breaching the European Commission. They reportedly stole over 90GB of data in that incident using similar supply chain attack methods.
Should I change my GitHub credentials?
GitHub hasn't indicated that user credentials were compromised. However, if you use VS Code extensions and haven't audited them recently, reviewing your installed extensions is prudent.
Source: TechCrunch / Zack Whittaker
Manaal Khan
Tech & Innovation Writer