
GitHub confirms breach of 3,800 repos via malicious VSCode extension

Why This Matters

The breach of approximately 3,800 GitHub repositories via a malicious VS Code extension highlights the ongoing cybersecurity risks associated with third-party developer tools. This incident underscores the importance of vigilant security practices for both organizations and individual developers to prevent supply chain attacks and protect sensitive code repositories.

Key Takeaways

GitHub has confirmed that roughly 3,800 internal repositories were breached after one of its employees installed a malicious VS Code extension.

The company has since removed the unnamed trojanized extension from the VS Code marketplace and has secured the compromised device.

"Yesterday we detected and contained a compromise of an employee device involving a poisoned VS Code extension. We removed the malicious extension version, isolated the endpoint, and began incident response immediately," the company said.

"Our current assessment is that the activity involved exfiltration of GitHub-internal repositories only. The attacker's current claims of ~3,800 repositories are directionally consistent with our investigation so far."

This comes after GitHub told BleepingComputer on Tuesday evening that it was investigating claims of unauthorized access to its internal repositories and added that it has no evidence that customer data stored outside the affected repos has been affected.

While GitHub has yet to attribute the breach, the TeamPCP hacker group claimed access to GitHub source code and "~4,000 repos of private code" on the Breached cybercrime forum on Tuesday, asking for at least $50,000 for the stolen data.

"As always this is not a ransom, We do not care about extorting Github, 1 buyer and we shred the data on our end, it looks like our retirement is soon so if no buyer is found we will leak it free," the cybercriminals said. "If you are interested. Send your offers to the communications below, we are not interested in under 50k, the best offer will get it."

TeamPCP was previously linked to massive supply chain attacks targeting developer code platforms, including GitHub, PyPI, NPM, and Docker, and, more recently, to the "Mini Shai-Hulud" supply chain campaign (which also impacted two OpenAI employees).

TeamPCP GitHub breach claims (Matthew Maynard)

VS Code extensions are plugins that can be installed from the VS Code Marketplace (the official store for add-ons for Microsoft's code editor) to add features or integrate tools into the editor.
