GitHub Confirms 3,800 Internal Repos Stolen Through Poisoned VS Code Extension
A hacker group stole around 3,800 internal GitHub code repositories after a GitHub employee unknowingly installed a malicious Visual Studio Code extension. The extension, obtained from Microsoft's official marketplace, silently exfiltrated data from the employee's machine. GitHub detected and contained the breach, removed the extension, isolated the affected device, and opened an incident response.

The breach involved only internal repositories and did not affect customer data or customer-owned repositories, although GitHub notes that some internal repositories may contain excerpts from customer support cases. As a precaution, GitHub rotated critical credentials and continues to monitor for further activity.

The group TeamPCP claimed responsibility on a cybercrime forum, alleging possession of around 4,000 private repositories (slightly more than the roughly 3,800 GitHub confirmed) and seeking at least $50,000 from a buyer, while threatening to leak the data publicly if no buyer is found. No direct ransom demand to GitHub has been reported. TeamPCP has previously been linked to other software supply chain attacks and known malware campaigns.
