GitHub Confirms Massive Code Heist: 3,800 Internal Repositories Compromised via Poisoned Extension
Breaking: GitHub Admits 3,800 Internal Repos Breached
GitHub has confirmed that attackers exfiltrated code from approximately 3,800 of its internal repositories in what is believed to be the company's largest security breach. The intrusion, disclosed on May 19, was triggered by a poisoned Visual Studio Code extension that compromised an employee's device.

The company stated via its X account: “Yesterday we detected and contained a compromise of an employee device involving a poisoned VS Code extension. We removed the malicious extension version, isolated the endpoint, and began incident response immediately.” GitHub added that the exfiltration was limited to internal repositories only, and that an incident report will follow.
The threat group TeamPCP claimed responsibility, demanding a $50,000 payment for the stolen code and threatening a public leak if no buyer is found. “As always this is not a ransom, we do not care about extorting Github, 1 buyer and we shred the data,” the group posted, backing their claim with a list of breached repositories on LimeWire.
Background
The attack began when a malicious version of an unspecified VS Code extension was installed on a GitHub employee's machine, granting attackers access to internal systems. Security firm Aikido Security linked the incident to a separate May 19 campaign that backdoored the popular Nx Console VS Code extension, version 18.95.0. According to Aikido's Shaun Brown, “The malicious version collected credentials silently from the moment a developer opened any workspace. The community caught it quickly, with the version pulled within 11 minutes.”

Nx Console's maintainers confirmed an 18-minute exposure window and urged developers to update to version 18.100.0. Thousands of developers were exposed, with attackers targeting credential files for Kubernetes, npm, AWS, 1Password, private keys, and GitHub. The same campaign was also linked to a supply chain compromise of the npm registry, where 637 malicious versions of the AntV data visualization tool were published in 22 minutes, and to an earlier attack on the TanStack Router package.
What This Means
This breach underscores the growing threat of supply chain attacks through developer tools like VS Code extensions. For GitHub—a platform hosting code for millions of projects—the compromise of internal repos raises concerns about intellectual property theft and potential downstream impacts on customers. Microsoft, which owns GitHub, will face heightened scrutiny over its security practices.
Developers using VS Code are advised to audit installed extensions immediately and apply updates as recommended by maintainers. The incident also highlights the need for stricter vetting of third-party extensions and improved credential hygiene. As GitHub continues its investigation, the security community remains on alert for any leaked data or follow-on attacks.
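The audit advised above can be scripted. The POSIX shell script below is an added example, not code from GitHub, Aikido or the Nx Console maintainers. It compares the output of `code --list-extensions --show-versions` against the compromised Nx Console version named in the article (18.95.0) and then lists which of the credential files the campaign targeted exist under a home directory, so a developer knows what to rotate. The marketplace id `nrwl.angular-console` for Nx Console and the credential file paths are assumptions; the sample extension list is constructed.

```shell
#!/bin/sh
# Added example: audit installed VS Code extensions against a known-bad
# pin and list on-disk credential files worth rotating after exposure.

# Known-bad extension@version pairs. Version 18.95.0 of Nx Console comes from
# the article; the extension id nrwl.angular-console is an assumption.
KNOWN_BAD='nrwl.angular-console@18.95.0'

# Constructed sample of `code --list-extensions --show-versions` output,
# used only when the `code` CLI is not available.
SAMPLE_EXTENSIONS='ms-python.python@2024.4.1
nrwl.angular-console@18.95.0
esbenp.prettier-vscode@10.4.0'

# flag_bad_extensions: read "id@version" lines on stdin and print each one
# that matches KNOWN_BAD. Returns 1 if anything matched, 0 if the list is clean.
flag_bad_extensions() {
  found=0
  while IFS= read -r line; do
    [ -z "$line" ] && continue
    for bad in $KNOWN_BAD; do
      if [ "$line" = "$bad" ]; then
        echo "COMPROMISED: $line"
        found=1
      fi
    done
  done
  return $found
}

# audit_installed: run the check against the real VS Code install when the
# CLI is on PATH, otherwise against the constructed sample.
audit_installed() {
  if command -v code >/dev/null 2>&1; then
    code --list-extensions --show-versions | flag_bad_extensions
  else
    printf '%s\n' "$SAMPLE_EXTENSIONS" | flag_bad_extensions
  fi
}

# list_credential_files HOME_DIR: print the credential files (assumed default
# locations for the tools named in the article) that exist under HOME_DIR.
# Returns the number of files found (0 means nothing to rotate from this list).
list_credential_files() {
  home="${1:-$HOME}"
  count=0
  for rel in .kube/config .npmrc .aws/credentials .config/gh/hosts.yml \
             .ssh/id_rsa .ssh/id_ed25519 .ssh/id_ecdsa; do
    if [ -f "$home/$rel" ]; then
      echo "ROTATE: $home/$rel"
      count=$((count + 1))
    fi
  done
  return $count
}

# Stand-alone run: report on extensions, then on credential files.
audit_installed || echo "Compromised extension version present: remove it and rotate secrets."
list_credential_files "$HOME" || echo "Credential files found above should be rotated."
```

The extension check matches exact `id@version` strings, so an updated install (18.100.0 per the maintainers) passes; add further pairs to `KNOWN_BAD` as maintainers publish them. The credential listing is a rotation checklist rather than proof of theft: any file present on a machine that ran the poisoned version should be treated as exposed.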