GitHub's Internal Repos Breached Via Employee's Use of Malicious VS Code Extension

Published: May 20, 2026 at 04:00 PM EDT
2 min read
Source: Slashdot

Incident Overview

Longtime Slashdot reader Himmy32 reports that GitHub announced on X that its internal repositories were breached through a compromised VS Code extension on an employee’s workstation. Bleeping Computer linked the attack to the threat group TeamPCP, which has recently targeted Checkmarx, Trivy, SAP, TanStack, and Bitwarden. The group appears to be attempting to sell the stolen code on cybercrime forums.

Details of the Attack

  • The malicious VS Code extension was installed on an employee’s device.
  • GitHub detected and contained the compromise, removed the malicious extension version, isolated the endpoint, and began incident response immediately.
  • The attacker exfiltrated GitHub‑internal repositories only.
  • The attacker’s claim of roughly 3,800 repositories aligns with GitHub’s investigation so far.

GitHub’s Response

“Yesterday we detected and contained a compromise of an employee device involving a poisoned VS Code extension. We removed the malicious extension version, isolated the endpoint, and began incident response immediately,” the company said.
“Our current assessment is that the activity involved exfiltration of GitHub‑internal repositories only. The attacker’s current claims of ~3,800 repositories are directionally consistent with our investigation so far.”

Impact

  • GitHub states there is no evidence of impact to customer information stored outside of its internal repositories.
  • The company has not disclosed whether it is in contact with the hackers or if a ransom demand has been received.