GitHub internal repositories breached through malicious VS Code extension

Wednesday 20 - 13:06

By: Dakir Madiha

GitHub internal repositories breached through malicious VS Code extension

GitHub has confirmed that nearly 3,800 internal repositories were compromised after an employee installed a malicious Visual Studio Code extension, exposing one of the most serious supply chain security incidents to affect a major software development platform in recent years.

The intrusion was claimed by TeamPCP, a hacking group linked to a broader campaign targeting open source ecosystems and developer infrastructure since early 2026. The attackers allegedly placed GitHub’s internal source code up for sale on a cybercrime forum for at least $50,000. Screenshots circulating online showed the group threatening to release the stolen material publicly if no buyer emerged.

GitHub said it detected and contained the breach on Monday after identifying the compromised extension. The company isolated the affected workstation, revoked sensitive credentials, and removed the malicious plugin. According to the company’s preliminary investigation, the attackers gained access only to internal repositories and there is currently no evidence that customer repositories or enterprise data outside GitHub’s internal systems were affected.

The attack vector involved a compromised extension distributed through the Visual Studio Code marketplace. Security researchers believe the malware enabled attackers to steal authentication tokens, SSH keys, cloud credentials, and other sensitive secrets stored on the developer’s machine. Reports linked the incident to recent compromises involving the Nx Console extension, although GitHub did not officially confirm the plugin involved in the intrusion.

The incident forms part of a wider offensive attributed to TeamPCP against software supply chains. Since March 2026, the group has reportedly targeted several development tools and package ecosystems, including projects linked to Aqua Security, Checkmarx, Microsoft, and npm repositories. The campaign relies on self-propagating malware designed to harvest cloud credentials, password vault contents, and SSH keys from infected environments.

Cybersecurity analysts say the breach highlights growing risks tied to third-party development tools and extensions integrated into modern software engineering workflows. The attack also underscores the increasing importance of securing software supply chains as global companies rely heavily on open source ecosystems and cloud-based development infrastructure.