Malicious VS Code Extension Stole ~3,800 GitHub Internal Repos

A malicious Visual Studio Code extension installed on a GitHub employee's device allowed attackers to exfiltrate about 3,800 internal repositories, GitHub said.

GitHub confirmed Tuesday that a malicious Visual Studio Code extension installed on an employee’s device enabled attackers to copy roughly 3,800 internal repositories. The company removed the extension, isolated the affected endpoint and opened an investigation.

The compromise was detected after unusual activity was observed on the employee's endpoint. GitHub said the extension ran in the background after installation, collecting files and exfiltrating them. Teams rotated high-risk credentials overnight and continued monitoring systems for further activity while investigators worked to identify the full scope of the breach.
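The poisoned extension needed no user action once installed: it activated in the background and pushed files off the device. A check a defender can run across their own fleet is to inventory installed extensions from the local extensions directory and compare them with an approved list, flagging unknown extensions, unapproved versions of known ones (the poisoned-update case), and anything that activates at editor startup. The script below is an added example written for this page, not GitHub's tooling or code from the incident; it reads the standard VS Code layout (`~/.vscode/extensions/<publisher>.<name>-<version>/package.json`), and the allowlist and sample manifests it builds are constructed for illustration.

```python
"""Audit locally installed VS Code extensions against an allowlist.

Added example, not GitHub's code or code from the incident. The directory
layout and manifest fields are standard VS Code; SAMPLE_ALLOWLIST and the
manifests written by build_sample_dir() are constructed sample data.
"""
import json
import shutil
import tempfile
from pathlib import Path

# Activation events that make an extension run as soon as VS Code starts,
# with no user action. A manifest using one of these deserves a closer look.
STARTUP_EVENTS = {"*", "onStartupFinished"}

# Constructed allowlist: extension id -> set of approved versions.
SAMPLE_ALLOWLIST = {"example-pub.trusted-linter": {"1.4.0"}}


def load_manifests(ext_dir: Path):
    """Yield (folder_name, manifest_or_None) for each extension folder."""
    for entry in sorted(ext_dir.iterdir(), key=lambda p: p.name):
        manifest = entry / "package.json"
        if not (entry.is_dir() and manifest.is_file()):
            continue
        try:
            yield entry.name, json.loads(manifest.read_text(encoding="utf-8"))
        except (json.JSONDecodeError, OSError):
            yield entry.name, None  # an unreadable manifest is itself a finding


def audit_extensions(ext_dir, allowlist):
    """Return one finding dict per installed extension."""
    findings = []
    for folder, manifest in load_manifests(Path(ext_dir)):
        if manifest is None:
            findings.append({"folder": folder, "id": None, "version": None,
                             "startup": None, "allowed": False,
                             "notes": ["unreadable package.json"]})
            continue
        ident = f"{manifest.get('publisher', '?')}.{manifest.get('name', '?')}".lower()
        version = manifest.get("version")
        startup = bool(set(manifest.get("activationEvents", [])) & STARTUP_EVENTS)
        notes = ["activates on startup"] if startup else []
        # A known id at an unapproved version is the poisoned-update case:
        # the extension is trusted, the specific build is not.
        approved = allowlist.get(ident)
        allowed = approved is not None and version in approved
        if approved is None:
            notes.append("not in allowlist")
        elif not allowed:
            notes.append("version not approved")
        findings.append({"folder": folder, "id": ident, "version": version,
                         "startup": startup, "allowed": allowed, "notes": notes})
    return findings


def suspicious(findings):
    """Findings that warrant action: anything not explicitly allowed."""
    return [f for f in findings if not f["allowed"]]


def build_sample_dir():
    """Write a constructed extensions directory (sample data, not real extensions)."""
    root = Path(tempfile.mkdtemp(prefix="vscode-ext-audit-"))
    manifests = {
        # approved version of a trusted extension, activates only on demand
        "example-pub.trusted-linter-1.4.0": {
            "publisher": "example-pub", "name": "trusted-linter",
            "version": "1.4.0", "activationEvents": ["onLanguage:python"]},
        # newer build of the same extension: unapproved and now startup-activated
        "example-pub.trusted-linter-1.4.1": {
            "publisher": "example-pub", "name": "trusted-linter",
            "version": "1.4.1", "activationEvents": ["*"]},
        # extension nobody approved, activates after startup
        "unknown-pub.helper-0.0.3": {
            "publisher": "unknown-pub", "name": "helper",
            "version": "0.0.3", "activationEvents": ["onStartupFinished"]},
    }
    for folder, data in manifests.items():
        (root / folder).mkdir()
        (root / folder / "package.json").write_text(json.dumps(data), encoding="utf-8")
    # a folder whose manifest cannot be parsed
    (root / "broken-pub.damaged-0.1.0").mkdir()
    (root / "broken-pub.damaged-0.1.0" / "package.json").write_text("not json", encoding="utf-8")
    return root


if __name__ == "__main__":
    sample = build_sample_dir()
    for finding in suspicious(audit_extensions(sample, SAMPLE_ALLOWLIST)):
        print(f"{finding['folder']}: {'; '.join(finding['notes'])}")
    shutil.rmtree(sample)
```

To run it against a real machine, pass `Path.home() / ".vscode" / "extensions"` and your own allowlist to `audit_extensions` instead of the sample directory; the allowlist is keyed by version on purpose, because a trusted publisher's extension can be updated to a malicious version while the identifier stays the same.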

GitHub’s initial assessment indicates the activity involved only repositories used internally; the company added that the attacker’s claim of about 3,800 repositories is directionally consistent with its findings so far. GitHub reported no evidence that customer data stored outside its internal repositories was accessed.

Some internal repositories contain customer-related material, including excerpts from support interactions. GitHub will notify affected customers through established incident response channels if any customer impact is discovered.

A group calling itself TeamPCP claimed responsibility on an underground forum, posting that it held roughly 4,000 private repositories, offering samples to verified buyers and asking at least $50,000 for the data. The forum post described the request as not a ransom demand and warned the data could be leaked if no buyer is found. GitHub has not confirmed the group’s identity.

Security researchers have previously linked TeamPCP to supply chain attacks that targeted package registries and developer tooling, including incidents involving PyPI, npm and Docker, and to campaigns that affected tools used in AI development. Recent disclosures from multiple technology firms show attackers increasingly target developer tools and open-source packages used to build software and AI models.

GitHub, which serves more than 180 million developers and hosts repositories for over 4 million organizations including about 90% of the Fortune 100, posted on X: “Yesterday we detected and contained a compromise of an employee device involving a poisoned VS Code extension. We removed the malicious extension version, isolated the endpoint, and began incident response immediately.” Investigation and remediation steps are ongoing and GitHub will provide updates as the inquiry advances.

The material on GNcrypto is intended solely for informational use and must not be regarded as financial advice. We make every effort to keep the content accurate and current, but we cannot warrant its precision, completeness, or reliability. GNcrypto does not take responsibility for any mistakes, omissions, or financial losses resulting from reliance on this information. Any actions you take based on this content are done at your own risk. Always conduct independent research and seek guidance from a qualified specialist. For further details, please review our Terms, Privacy Policy and Disclaimers.
