GitHub confirms 3,800 internal repos breached via malicious VS Code extension

The code hosting giant states there is no evidence customer data outside the affected internal repositories has been impacted, while the hacker group behind the breach threatens to leak or shred the stolen source code.

Author: Owen Mercer, Markets and Finance Editor
Published: Draft
Source: Hacker News · original
Platform isolates compromised device after employee installs trojanised add-on; TeamPCP claims responsibility and demands ransom

GitHub has confirmed that approximately 3,800 internal repositories were compromised following the installation of a malicious Visual Studio Code extension by an employee. The company removed the trojanised extension from the marketplace, isolated the affected device, and initiated incident response procedures immediately after detection.

In a statement regarding the incident, GitHub clarified that its current assessment indicates the activity involved the exfiltration of GitHub-internal repositories only. The company noted that the attacker's claim of approximately 3,800 repositories is directionally consistent with its own investigation, though it has not yet officially attributed the breach to a specific actor.

The hacker group TeamPCP claimed responsibility for the intrusion on the Breached cybercrime forum, asserting access to GitHub source code and approximately 4,000 private repositories. The group demanded a minimum of $50,000 for the stolen data, stating that if no buyer was found it would either shred the information or leak it for free.

GitHub stated there is no evidence that customer data stored outside the affected internal repositories has been impacted. The platform, which serves over 4 million organisations including 90% of the Fortune 100 and more than 180 million developers, continues to monitor the situation as part of its standard security protocols.

TeamPCP has previously been linked to supply chain attacks targeting major developer platforms such as PyPI, NPM, and Docker. The group was also recently associated with the "Mini Shai-Hulud" campaign, which impacted employees at OpenAI. This incident highlights the ongoing risks associated with third-party code editor extensions, which have been used in previous campaigns to steal credentials and exfiltrate data.
