Investigating unauthorized access to GitHub’s internal repositories

Published: May 20, 2026 at 05:07 PM EDT

Source: GitHub Blog

Incident Overview

On Monday, May 18, we detected and contained a compromise of an employee device involving a poisoned VS Code extension published by a third party. We removed the malicious extension version, isolated the endpoint, and began incident response immediately.

Impact Assessment

Our current assessment is that the activity involved exfiltration of GitHub‑internal repositories only. The attacker’s claim of roughly 3,800 repositories is directionally consistent with our investigation so far.

We have no evidence of impact to customer information stored outside of GitHub’s internal repositories, such as customers’ own enterprises, organizations, and repositories. Some GitHub internal repositories contain information from customers (e.g., excerpts of support interactions). If any impact is discovered, we will notify customers via established incident‑response and notification channels.

Response Actions

We moved quickly to reduce risk. Critical secrets were rotated on Monday and into Tuesday, with the highest‑impact credentials prioritized first.

We continue to analyze logs, validate secret rotation, and monitor our infrastructure for any follow‑on activity. Additional actions will be taken as the investigation warrants.

Next Steps

We will publish a fuller report once the investigation is complete.
