GitHub confirms breach of 3,800 repos via malicious VSCode extension

Published: May 20, 2026 at 04:14 AM EDT
3 min read

Source: Bleeping Computer

Incident Overview

GitHub confirmed that roughly 3,800 internal repositories were breached after an employee installed a malicious VS Code extension. The company removed the trojanized extension from the VS Code Marketplace, secured the compromised device, and began incident response.

“Yesterday we detected and contained a compromise of an employee device involving a poisoned VS Code extension. We removed the malicious extension version, isolated the endpoint, and began incident response immediately,” the company said in its status update.

“Our current assessment is that the activity involved exfiltration of GitHub‑internal repositories only. The attacker’s current claims of ~3,800 repositories are directionally consistent with our investigation so far.”

GitHub later told BleepingComputer that it was investigating claims of unauthorized access to its internal repositories and added that it has no evidence that customer data held outside the affected repositories was impacted.

Threat Actor Claims

The TeamPCP hacker group claimed access to GitHub source code and “~4,000 repos of private code” on the Breached cybercrime forum, demanding at least $50,000 for the stolen data.

“As always this is not a ransom, we do not care about extorting Github, 1 buyer and we shred the data on our end, it looks like our retirement is soon so if no buyer is found we will leak it free. If you are interested, send your offers to the communications below, we are not interested in under 50k, the best offer will get it.”

Background on TeamPCP

TeamPCP has previously been linked to large‑scale supply‑chain attacks targeting developer platforms.

VS Code Extensions and Past Incidents

VS Code extensions are plugins installed from the VS Code Marketplace to add features or integrate tools into Microsoft’s editor. This isn’t the first time a trojanized extension has appeared on the marketplace.

  • 2023 – Extensions with 9 million installs were pulled over security risks. Ten more, posing as legitimate tools, infected users with the XMRig cryptominer.
  • Late 2023 – A malicious extension with basic ransomware capabilities slipped onto the marketplace after the threat actor WhiteCobra flooded it with 24 crypto‑stealing extensions.
  • January 2024 – Two AI‑based coding‑assistant extensions (1.5 million installs) exfiltrated data from compromised developer systems to servers in China.
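The incidents above share a pattern: an extension from an unvetted publisher, or a trojanized version of a known one, lands on a developer endpoint. A practical control is to inventory installed extensions and compare them with an allowlist of approved identifiers and pinned versions. The script below is an added example for this page, not GitHub's or Microsoft's code. It assumes the layout VS Code uses for its extensions.json inventory (a JSON array whose entries carry identifier.id and version; on Linux and macOS the file lives at ~/.vscode/extensions/extensions.json), and the inventory, allowlist and trusted-publisher set are constructed sample data.

```python
"""Audit installed VS Code extensions against an allowlist.

Added example, not code from the page's source or from GitHub/Microsoft.
Assumed inventory layout: a JSON array of objects with identifier.id
(publisher.name) and version, as VS Code writes to extensions.json.
"""
import json
from pathlib import Path

# Constructed sample inventory, in the assumed extensions.json shape.
SAMPLE_INVENTORY = json.dumps([
    {"identifier": {"id": "ms-python.python"}, "version": "2026.4.1"},
    {"identifier": {"id": "esbenp.prettier-vscode"}, "version": "11.0.0"},
    {"identifier": {"id": "unknownpub.helper-tools"}, "version": "0.0.3"},
    # A second, older copy of a pinned extension: version drift.
    {"identifier": {"id": "ms-python.python"}, "version": "2026.4.0"},
])

# Constructed policy: extension id -> pinned version; None means any version
# of that specific extension is acceptable.
ALLOWLIST = {
    "ms-python.python": "2026.4.1",
    "esbenp.prettier-vscode": None,
}
# Constructed set of publishers whose unlisted extensions are a warning,
# not an alert.
TRUSTED_PUBLISHERS = {"ms-python", "esbenp", "github"}


def load_inventory(text):
    """Parse extensions.json text into (extension id, version) pairs."""
    pairs = []
    for entry in json.loads(text):
        ext_id = entry.get("identifier", {}).get("id")
        version = entry.get("version")
        if ext_id and version:
            pairs.append((ext_id.lower(), version))
    return pairs


def audit(inventory, allowlist=ALLOWLIST, trusted=TRUSTED_PUBLISHERS):
    """Return (id, version, reason) findings for everything off-policy."""
    findings = []
    for ext_id, version in inventory:
        publisher = ext_id.split(".", 1)[0]
        if ext_id not in allowlist:
            if publisher in trusted:
                reason = "not on allowlist (trusted publisher)"
            else:
                reason = "untrusted publisher"
            findings.append((ext_id, version, reason))
            continue
        pinned = allowlist[ext_id]
        if pinned is not None and version != pinned:
            findings.append((ext_id, version, f"version drift, pinned {pinned}"))
    return findings


def audit_file(path):
    """Audit a real extensions.json on disk (path supplied by the caller)."""
    return audit(load_inventory(Path(path).read_text(encoding="utf-8")))


if __name__ == "__main__":
    for ext_id, version, reason in audit(load_inventory(SAMPLE_INVENTORY)):
        print(f"{ext_id}@{version}: {reason}")
```

Run against the sample data it reports the unknown publisher and the stale copy of the pinned extension; point audit_file at a real extensions.json to check an endpoint. Pinning versions matters because the trojanized extension in this incident was a poisoned version of an extension, so a publisher allowlist alone would not have caught it.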

Scale of GitHub

GitHub’s cloud‑based platform is now used by:

  • Over 4 million organizations (including 90% of the Fortune 100)
  • More than 180 million developers
  • Over 420 million code repositories

These figures underscore the potential impact of supply‑chain compromises affecting developer tooling.
