GitHub Confirms Breach After Malicious VS Code Extension Exposed 3,800 Repositories
GitHub says the incident appears limited to affected internal repositories only
GitHub has confirmed that thousands of its internal repositories were breached after an employee installed a malicious Visual Studio Code extension. The incident adds to growing concerns around supply chain attacks targeting developer tools and software ecosystems.
According to a report from BleepingComputer, the breach affected roughly 3,800 internal repositories. GitHub says the attack currently appears limited to internal repositories and that it has not found evidence that customer repositories or external customer data were compromised.
Malicious VS Code extension triggered the breach
GitHub says the intrusion began after an employee installed a compromised VS Code extension from the Visual Studio Code Marketplace. The malicious extension reportedly allowed attackers to gain access to sensitive internal systems and repositories.
The company responded by removing the extension from the marketplace, isolating the compromised employee device, and launching an immediate incident response investigation.
GitHub stated that there is currently no evidence showing broader customer impact outside the affected internal repositories.
TeamPCP claims responsibility
The hacking group TeamPCP claimed responsibility for the breach shortly after reports surfaced online. The group allegedly said it stole nearly 4,000 private repositories from GitHub and later attempted to sell the data on a cybercrime forum.
According to the attackers, the stolen source code and internal data were offered for at least $50,000.
TeamPCP has previously been linked to multiple supply chain attacks targeting developer ecosystems, including attacks involving GitHub, Docker, PyPI, and NPM infrastructure.
The group was also reportedly connected to the Mini Shai-Hulud campaign, which allegedly impacted two employees at OpenAI.
Why malicious VS Code extensions are dangerous
VS Code extensions can deeply integrate with developer environments. While they add productivity features and integrations, they can also access source code, authentication tokens, terminal sessions, and developer credentials.
Security researchers have repeatedly warned that compromised or fake extensions can become effective malware delivery mechanisms. Attackers increasingly target developer tools because compromising one developer workstation can open access to internal repositories, cloud environments, CI/CD pipelines, and signing infrastructure.
This is not the first time dangerous extensions have appeared in the VS Code Marketplace, but the GitHub incident highlights how severe the consequences can become when a trusted internal device is compromised.
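One practical mitigation for the risk described above is to keep an inventory of installed extensions and compare it against an approved list, so an unexpected or startup-activated extension on a developer workstation is noticed rather than silently trusted. The script below is an added example and is not code from GitHub, from the article, or from the extension involved in the incident. It assumes the standard on-disk layout in which each extension is a directory under ~/.vscode/extensions containing a package.json with "publisher", "name", "version" and optional "activationEvents"; the allowlist and the sample manifests it builds are constructed for illustration.

```python
"""
Inventory installed VS Code extensions and flag any that are not on an
approved allowlist or that request activation on every startup ("*").

Added example; not GitHub's code or the article's. Assumes the usual
layout: <root>/<publisher>.<name>-<version>/package.json.
"""
import json
import os
import tempfile
from pathlib import Path

# Constructed allowlist for illustration; a real one is maintained centrally.
APPROVED = {"ms-python.python", "redhat.vscode-yaml"}


def extension_id(manifest: dict) -> str:
    """Build the marketplace-style identifier 'publisher.name' from a manifest."""
    return f"{manifest.get('publisher', '?')}.{manifest.get('name', '?')}".lower()


def scan_extensions(root: Path) -> list:
    """Read every package.json one level below root and record why it is suspicious."""
    findings = []
    for pkg in sorted(root.glob("*/package.json")):
        try:
            manifest = json.loads(pkg.read_text(encoding="utf-8"))
        except (OSError, json.JSONDecodeError):
            findings.append({"dir": pkg.parent.name, "id": None, "version": None,
                             "reasons": ["unreadable manifest"]})
            continue
        ext_id = extension_id(manifest)
        reasons = []
        if ext_id not in APPROVED:
            reasons.append("not on allowlist")
        # "*" means the extension runs as soon as VS Code starts, regardless of workspace.
        if "*" in manifest.get("activationEvents", []):
            reasons.append("activates on every startup")
        findings.append({"dir": pkg.parent.name, "id": ext_id,
                         "version": manifest.get("version"), "reasons": reasons})
    return findings


def flagged(findings: list) -> list:
    """Return only the findings that carry at least one reason."""
    return [f for f in findings if f["reasons"]]


def build_sample_tree(base: Path = None) -> Path:
    """Create a constructed sample extension directory (for demonstration only)."""
    if base is None:
        base = Path(tempfile.mkdtemp()) / "extensions"
    samples = {
        "ms-python.python-2024.4.1": {"publisher": "ms-python", "name": "python",
                                      "version": "2024.4.1",
                                      "activationEvents": ["onLanguage:python"]},
        "acme.helper-1.0.0": {"publisher": "acme", "name": "helper", "version": "1.0.0",
                              "activationEvents": ["*"]},  # constructed suspicious entry
        "redhat.vscode-yaml-1.14.0": {"publisher": "redhat", "name": "vscode-yaml",
                                      "version": "1.14.0",
                                      "activationEvents": ["onLanguage:yaml"]},
    }
    for dirname, manifest in samples.items():
        ext_dir = base / dirname
        ext_dir.mkdir(parents=True, exist_ok=True)
        (ext_dir / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    return base


if __name__ == "__main__":
    # Scan the real extension directory if present, otherwise the constructed sample.
    root = Path(os.environ.get("VSCODE_EXT_DIR", Path.home() / ".vscode" / "extensions"))
    if not root.is_dir():
        root = build_sample_tree()
    for f in scan_extensions(root):
        status = "FLAG" if f["reasons"] else "ok"
        print(f"{status:4} {f['id'] or f['dir']} {f['version'] or ''} {', '.join(f['reasons'])}")
```

Run with VSCODE_EXT_DIR pointing at a workstation's extension directory to list what is installed; anything marked FLAG is either outside the approved set or configured to run on every launch, which is exactly the profile a malicious extension needs in order to reach tokens and terminal sessions without the developer opening a particular project.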
Why the GitHub breach matters
GitHub remains one of the most important software development platforms globally. The platform says it serves more than 180 million developers and over 4 million organizations, including 90% of Fortune 100 companies.
The incident comes during a period of escalating attacks against software supply chains and enterprise developer infrastructure.
In recent days, Microsoft also warned organizations about YellowKey exploitation activity and threat actors targeting Microsoft 365 and Azure environments for large-scale data theft. The company additionally announced it disrupted a malware-signing operation allegedly abused by ransomware groups to distribute trusted-looking malicious software.
The GitHub breach further demonstrates how attackers increasingly focus on trusted developer ecosystems, extensions, and software tooling to gain access to high-value corporate environments.