GitHub Confirms 3,800 Internal Repos Breached via VS Code Extension

Key Takeaways

- TeamPCP hackers accessed 3,800 GitHub internal repositories via a malicious VS Code extension installed by an employee
- The group is attempting to sell stolen source code for $50,000, threatening to leak it publicly if no buyer emerges
- GitHub has contained the incident, removed the malicious extension, and rotated critical credentials
GitHub confirmed today that hackers breached thousands of its internal repositories after an employee installed a malicious Visual Studio Code extension. The company disclosed the incident via X, stating it detected and contained the breach yesterday.
The attack came from TeamPCP, a hacker group that posted claims on the Breached cybercrime forum earlier this week. The group says it accessed nearly 4,000 private GitHub repositories and exfiltrated internal source code. They're now seeking $50,000 from potential buyers.
"This is not a ransom," TeamPCP wrote in its forum post. The group made clear it intends to sell the data rather than extort GitHub directly. If no buyer steps forward, they've threatened to leak the repositories publicly.
How the Breach Happened
The attack vector was a poisoned VS Code extension. An employee installed the malicious plugin, which gave attackers a foothold on the device. From there, the hackers gained access to internal repositories and engineering systems.
VS Code extensions are executable plugins embedded inside a developer's working environment. They often have access to local files, terminals, authentication tokens, and cloud tooling. Developers routinely install third-party extensions for debugging, automation, AI coding assistance, and workflow integrations.
This makes the extension ecosystem an attractive target. Attackers can disguise malware as legitimate development tools, knowing that developers trust and regularly install new extensions.
GitHub's Response
GitHub says it took several immediate steps after detecting the breach. The company removed the poisoned extension from the VS Code Marketplace, isolated the affected endpoint, and launched an internal incident response investigation.
The company has already rotated critical secrets and credentials as part of containment. It continues to analyze logs and monitor for follow-on activity.
GitHub's current assessment indicates the breach involved only internal repositories. This does not necessarily mean the attackers gained unrestricted access to GitHub's broader platform or customer repositories. However, internal repos can still contain valuable operational data: deployment tooling, infrastructure scripts, and security configurations.
TeamPCP's Track Record
TeamPCP has been linked to several high-profile campaigns targeting developer platforms. The group has previously hit PyPI, npm, and Docker. This pattern suggests they specifically target software supply chain infrastructure.
Malicious VS Code extensions have surfaced repeatedly in recent years as an effective attack vector. The extensions run with significant privileges inside a developer's environment, making them ideal for credential theft and lateral movement.
What This Means for Developer Security
This breach highlights a persistent weakness in software development workflows. Developers install extensions to boost productivity, but each extension represents potential attack surface. Microsoft and extension publishers implement security measures, but the sheer volume of extensions makes comprehensive vetting difficult.
- Review installed VS Code extensions and remove any you don't actively use
- Check extension publishers before installing, favoring verified sources
- Use separate environments or containers for sensitive development work
- Monitor for unusual repository access patterns in your organization
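As an added example (not part of the original article), the first two recommendations can be turned into a routine check: compare the extensions installed on a developer machine against an allowlist of publishers the team has vetted, and surface anything else for review. The script below is a POSIX shell implementation of that idea; it parses the `publisher.name@version` lines that `code --list-extensions --show-versions` prints, and the sample inventory and the allowlist are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit installed VS Code extensions against an allowlist of
# vetted publishers. Extensions from any other publisher are reported so a
# developer or security team can review or remove them.
#
# Real inventory comes from:  code --list-extensions --show-versions
# Each output line has the form:  publisher.extension-name@1.2.3

# Constructed sample inventory, standing in for the `code` CLI output.
SAMPLE_INVENTORY='ms-python.python@2024.4.1
esbenp.prettier-vscode@10.4.0
example-unknown.ai-helper@0.0.3
ms-vscode.cpptools@1.19.9'

# Publisher IDs the team has vetted (assumed list; adjust to your own policy).
APPROVED_PUBLISHERS='ms-python ms-vscode esbenp'

# flag_unapproved INVENTORY APPROVED
# Prints one "publisher.name@version" line for every extension whose
# publisher is not in the space-separated APPROVED list.
flag_unapproved() {
    inventory=$1
    approved=$2
    printf '%s\n' "$inventory" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        publisher=${line%%.*}            # text before the first dot
        case " $approved " in
            *" $publisher "*) ;;         # vetted publisher, nothing to report
            *) printf '%s\n' "$line" ;;  # unknown publisher, flag it
        esac
    done
}

# count_unapproved INVENTORY APPROVED
# Returns the number of flagged extensions on stdout (0 when all are vetted).
count_unapproved() {
    flag_unapproved "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone run against the constructed sample; on a real workstation use
#   flag_unapproved "$(code --list-extensions --show-versions)" "$APPROVED_PUBLISHERS"
flag_unapproved "$SAMPLE_INVENTORY" "$APPROVED_PUBLISHERS"
```

Run periodically (or from a fleet-management tool), this gives a quick inventory of extensions outside the vetted set; it deliberately keys on the publisher rather than the extension name, since a lookalike name from an unknown publisher is exactly the case the allowlist should catch.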
Frequently Asked Questions
Were GitHub customer repositories affected in this breach?
GitHub's current assessment indicates only internal repositories were accessed. The company has not confirmed any impact to customer repositories or the broader platform.
How much are hackers asking for the stolen GitHub data?
TeamPCP is seeking at least $50,000 from potential buyers for the exfiltrated source code and internal data.
How can I check if a VS Code extension is safe?
Check the publisher's verification status, review download counts and user ratings, examine the extension's requested permissions, and research the publisher's reputation before installing.
Has the malicious VS Code extension been removed?
Yes. GitHub stated that the poisoned extension version has been removed from the VS Code Marketplace.
Source: Latest from Tom's Hardware
Manaal Khan
Tech & Innovation Writer