Danny Weber
GitHub confirms a security breach after attackers used a malicious VS Code extension to access internal repositories. About 3,800 private repos compromised. No evidence of user data exposure.
GitHub has officially confirmed a security incident in which attackers gained access to some of the company's internal repositories. The breach was caused by a malicious Visual Studio Code extension installed on an employee's device.
The incident was promptly detected: the infected extension was removed from the extension marketplace, the affected infrastructure was isolated, an internal investigation was launched, and critical access credentials were rotated.
Earlier, the hacker group TeamPCP claimed on specialized forums that it had accessed approximately 3,800 private repositories and allegedly stolen internal source code and official materials. According to the attackers, they planned to sell the data for at least $50,000 rather than use it for direct extortion.
GitHub noted that its preliminary assessment does indicate a compromise of internal repositories, but so far the company has found no evidence of mass access to user data, public projects, or customers' private repositories on the platform.
Such internal repositories may contain not only code but also deployment tools, infrastructure scripts, internal APIs, automation systems, and experimental features that have not yet been released to users.
Experts also point out that the incident once again highlights the growing risks of software supply chain attacks. Modern development increasingly depends on third-party components—extensions, libraries, containers, and AI tools—and compromising even a single such element can open the way to much larger systems.
GitHub continues to analyze event logs and track potential subsequent activity, and says that no signs of large-scale impact on client infrastructure have been detected so far.