GitHub Confirms 3,800 Internal Repos Stolen Through Poisoned VS Code Extension

GitHub confirmed Tuesday that a hacker group stole roughly 3,800 internal code repositories after one of its employees unknowingly installed a malicious Visual Studio Code extension.

VS Code extensions are plugins downloaded through Microsoft’s official marketplace that add features to the code editor. In this case, the extension was designed to exfiltrate data in the background.

“Yesterday we detected and contained a compromise of an employee device involving a poisoned VS Code extension,” the company said in a post on X. “We removed the malicious extension version, isolated the endpoint, and began incident response immediately.”

The Microsoft-owned GitHub is one of the largest software development platforms online, used by more than 180 million developers across over 4 million organizations, including 90% of the Fortune 100.

“Our current assessment is that the activity involved exfiltration of GitHub-internal repositories only,” GithHub wrote. “The attacker’s current claims of ~3,800 repositories are directionally consistent with our investigation so far.”

According to GitHub, the breach affected only internal repositories, and no customer data stored outside those repos was impacted.

“We have no evidence of impact to customer information stored outside of GitHub’s internal repositories, such as our customer’s own enterprises, organizations, and repositories,” a GitHub spokesperson told Decrypt. “Some of GitHub’s internal repositories contain information from customers, for example, excerpts of support interactions. If any impact is discovered, we will notify customers via established incident response and notification channels.”

The company said it rotated critical credentials overnight, prioritizing the highest-risk secrets first, and is continuing to monitor for additional activity.

According to cybersecurity X account Dark Web Informer, TeamPCP claimed responsibility for the breach on Breached, a black-hat cybercrime forum. The group allegedly said it possessed around 4,000 private repositories and was seeking at least $50,000 for the data, with samples available to verified buyers.

“This remains an unverified underground forum claim,” Dark Web Informer wrote. “The actor states this is not a ransom attempt and claims the data may be leaked publicly if no buyer is found.”

TeamPCP has previously been linked to supply chain attacks targeting GitHub, PyPI, NPM, and Docker. Researchers have also connected the group to the ongoing Shai-Hulud malware campaign and a separate operation that reportedly compromised software tied to two OpenAI employees and Mistral AI.