Darhost

2026-05-21 08:13:33

GitHub Confirms Massive Code Heist: 3,800 Internal Repositories Compromised via Poisoned Extension

GitHub confirms 3,800 internal repos breached via poisoned VS Code extension; threat group TeamPCP demands $50k ransom; supply chain risks highlighted.

Breaking: GitHub Admits 3,800 Internal Repos Breached

GitHub has confirmed that attackers exfiltrated code from approximately 3,800 of its internal repositories in what is believed to be the company's largest security breach. The intrusion, disclosed on May 19, was triggered by a poisoned Visual Studio Code extension that compromised an employee's device.

Source: www.infoworld.com

The company stated via its X account: “Yesterday we detected and contained a compromise of an employee device involving a poisoned VS Code extension. We removed the malicious extension version, isolated the endpoint, and began incident response immediately.” GitHub added that the exfiltration was limited to internal repositories only, and that an incident report will follow.

The threat group TeamPCP claimed responsibility, demanding a $50,000 payment for the stolen code and threatening a public leak if no buyer is found. “As always this is not a ransom, we do not care about extorting Github, 1 buyer and we shred the data,” the group posted, backing its claim with a list of breached repositories on LimeWire.

Background

The attack began when a malicious version of an unspecified VS Code extension was installed on a GitHub employee's machine, granting attackers access to internal systems. Security firm Aikido Security linked the incident to a separate May 19 campaign that backdoored the popular Nx Console VS Code extension, version 18.95.0. According to Aikido's Shaun Brown, “The malicious version collected credentials silently from the moment a developer opened any workspace. The community caught it quickly, with the version pulled within 11 minutes.”


Nx Console's maintainers confirmed an 18-minute exposure window and urged developers to update to version 18.100.0. Thousands of developers were exposed, with attackers targeting credential files for Kubernetes, npm, AWS, 1Password, private keys, and GitHub. The same campaign also included a supply chain compromise of the npm registry, where 637 malicious versions of the AntV data visualization tool were published in 22 minutes, and an earlier attack on the TanStack Router package.

What This Means

This breach underscores the growing threat of supply chain attacks through developer tools like VS Code extensions. For GitHub—a platform hosting code for millions of projects—the compromise of internal repos raises concerns about intellectual property theft and potential downstream impacts on customers. Microsoft, which owns GitHub, will face heightened scrutiny over its security practices.

Developers using VS Code are advised to audit installed extensions immediately and apply updates as recommended by maintainers. The incident also highlights the need for stricter vetting of third-party extensions and improved credential hygiene. As GitHub continues its investigation, the security community remains on alert for any leaked data or follow-on attacks.
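The audit the article recommends can be scripted: list installed extensions, compare them against a watchlist of known-bad versions, and, if a compromised version was ever present, enumerate the local credential stores that the backdoored extension was reported to harvest so they can be rotated. The following is an added example written for this page, not code from GitHub, Nx Console or the article. It uses the two Nx Console version numbers the article gives (18.95.0 backdoored, 18.100.0 fixed); the marketplace identifier `nrwl.angular-console`, the sample `code --list-extensions --show-versions` output and the credential file paths are assumptions, not facts from the article.

```python
"""Audit installed VS Code extensions against a watchlist of known-bad
versions and list the local credential files that would need rotation
if a compromised version was present.

Added example, not code from GitHub, Nx Console or the article. The
watchlist versions come from the article; the marketplace id
"nrwl.angular-console", the sample listing and the credential file
paths are assumptions.
"""
import shutil
import subprocess
from pathlib import Path

# Watchlist: extension id -> versions known to be malicious and first fixed version.
# Versions are from the article; the extension id is an assumption.
WATCHLIST = {
    "nrwl.angular-console": {"malicious": {"18.95.0"}, "fixed": "18.100.0"},
}

# Credential stores the article says the backdoored extension harvested,
# mapped to their usual on-disk locations (assumed standard defaults).
CREDENTIAL_FILES = {
    "Kubernetes": "~/.kube/config",
    "npm": "~/.npmrc",
    "AWS": "~/.aws/credentials",
    "SSH private keys": "~/.ssh",
    "GitHub CLI": "~/.config/gh/hosts.yml",
}


def parse_version(version):
    """Turn '18.95.0' into (18, 95, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def parse_extension_list(text):
    """Parse 'publisher.name@version' lines as printed by
    `code --list-extensions --show-versions` into {id: version}."""
    installed = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "@" not in line:
            continue
        ext_id, _, version = line.rpartition("@")
        installed[ext_id.lower()] = version  # marketplace ids are case-insensitive
    return installed


def audit_extensions(installed, watchlist=WATCHLIST):
    """Return findings as (extension id, installed version, status).

    'compromised' = a version known to be malicious;
    'outdated'    = any version below the first fixed release.
    Extensions not on the watchlist are not reported.
    """
    findings = []
    for ext_id, rule in watchlist.items():
        version = installed.get(ext_id.lower())
        if version is None:
            continue
        if version in rule["malicious"]:
            findings.append((ext_id, version, "compromised"))
        elif parse_version(version) < parse_version(rule["fixed"]):
            findings.append((ext_id, version, "outdated"))
    return findings


def credential_files_present(home=None):
    """Names of the credential stores that exist under `home`; if a compromised
    extension was active on this machine, these are the secrets to rotate."""
    home = Path(home) if home else Path.home()
    return [name for name, rel in CREDENTIAL_FILES.items() if (home / rel[2:]).exists()]


def installed_extensions_from_cli():
    """Run the real VS Code CLI when it is on PATH; otherwise return None."""
    if shutil.which("code") is None:
        return None
    out = subprocess.run(["code", "--list-extensions", "--show-versions"],
                         capture_output=True, text=True, check=False)
    return parse_extension_list(out.stdout)


# Constructed sample output of `code --list-extensions --show-versions`
# with the backdoored Nx Console version installed (assumed extension id).
SAMPLE_LISTING = """\
ms-python.python@2024.4.1
nrwl.angular-console@18.95.0
esbenp.prettier-vscode@10.4.0
"""

if __name__ == "__main__":
    installed = installed_extensions_from_cli() or parse_extension_list(SAMPLE_LISTING)
    for ext_id, version, status in audit_extensions(installed):
        print(f"{status.upper()}: {ext_id}@{version} (fixed in {WATCHLIST[ext_id]['fixed']})")
        if status == "compromised":
            print("Rotate credentials found in:", ", ".join(credential_files_present()))
```

Run on a developer workstation, the script queries the real CLI and falls back to the constructed listing only when `code` is not on PATH. The version comparison deliberately parses into integer tuples: a naive string comparison would rank "18.100.0" below "18.95.0" and wrongly report the fixed release as outdated. Because the backdoored version was reported to harvest credentials from the moment a workspace opened, a "compromised" finding should be treated as a rotation event for every store listed, not merely a prompt to update the extension.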