Ethical Hacking News
GitHub has confirmed a devastating breach of its internal repositories, which was caused by a malicious VSCode extension. The company is urging users to be cautious when installing new plugins and reviewing their extensions to prevent similar breaches in the future.
GitHub's internal repositories were compromised due to a malicious VSCode extension. A trojanized version of the extension was installed by an employee, allowing attackers to gain unauthorized access. The breach resulted in the exfiltration of approximately 3,800 repositories. GitHub is urging users to review their extensions and ensure they are up-to-date and legitimate. Developers must take extra precautions when using code repositories because of the potential for security threats.
In a shocking revelation, GitHub has confirmed that its internal repositories were compromised due to a malicious VSCode extension. The breach, which has left many in the developer community reeling, raises serious questions about the security of code repositories and the ease with which hackers can exploit vulnerabilities.
According to sources within the company, one of its employees had installed a trojanized version of a VSCode extension, which attackers then used to gain unauthorized access to the employee's device. The malicious extension version was removed from the VS Code marketplace, but not before it had already caused significant damage.
"Yesterday we detected and contained a compromise of an employee device involving a poisoned VS Code extension," said a spokesperson for GitHub. "We removed the malicious extension version, isolated the endpoint, and began incident response immediately." The company has since secured the compromised device and is working to mitigate any further damage.
While GitHub has not yet attributed the breach to a specific individual or group, it has confirmed that the activity involved exfiltration of internal repositories only. The attackers' claims of approximately 3,800 breached repositories are "directionally consistent" with the company's investigation so far, according to sources.
The TeamPCP hacker group, which has previously been linked to massive supply chain attacks targeting developer code platforms, including GitHub, PyPI, NPM, and Docker, claimed access to GitHub source code and "~4,000 repos of private code" on a cybercrime forum. They are demanding at least $50,000 for the stolen data.
This is not the first time that a malicious VSCode extension has been used to compromise developer systems. In recent years, multiple other extensions with millions of installs have been identified as containing security risks. For example, last year, VSCode extensions with 9 million installs were pulled from the marketplace due to security concerns, while in January, two malicious extensions advertised as AI-based coding assistants exfiltrated data from compromised developer systems.
The breach highlights the need for developers and organizations to take extra precautions when using code repositories. With over 4 million organizations and more than 180 million developers relying on GitHub's cloud-based platform, it is essential that users are vigilant about security threats.
As one cybersecurity expert noted, "The fact that a malicious extension was able to gain access to internal repositories highlights the importance of maintaining up-to-date software and being cautious when installing new plugins. It also underscores the need for developers to stay informed about potential security risks."
In response to the breach, GitHub is urging users to review their extensions and ensure that all add-ons are up-to-date and legitimate.
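One way to act on that advice across a developer fleet, as an added example that is not GitHub's guidance or tooling: the script below parses the output of `code --list-extensions --show-versions` (a constructed sample is embedded in place of a live inventory) and reports extensions that are not on an organisation's reviewed allowlist or have drifted from the approved version. The allowlist and the sample inventory are assumptions, not values from the article.

```python
"""Audit a VS Code extension inventory against an allowlist.
Input is the text of `code --list-extensions --show-versions`, one
`publisher.name@version` per line; the allowlist (an assumed local policy)
maps an extension id to the version the organisation has reviewed."""
from dataclasses import dataclass

# Constructed sample of `code --list-extensions --show-versions` output.
SAMPLE_INVENTORY = """\
ms-python.python@2024.4.1
esbenp.prettier-vscode@10.1.0
example-publisher.ai-helper@1.0.3
"""

# Constructed allowlist: extension id -> approved version.
ALLOWLIST = {
    "ms-python.python": "2024.4.1",
    "esbenp.prettier-vscode": "10.4.0",
}

@dataclass(frozen=True)
class Finding:
    extension: str
    version: str
    reason: str  # "unapproved" or "version-drift"

def parse_inventory(text):
    """Yield (extension_id, version) pairs; skip blank or malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if "@" not in line:
            continue
        ext, _, version = line.rpartition("@")
        if "." in ext and version:  # ids are publisher.name, case-insensitive
            yield ext.lower(), version

def audit(inventory_text, allowlist):
    """Return findings: extensions not on the allowlist or off the approved version."""
    approved = {k.lower(): v for k, v in allowlist.items()}
    findings = []
    for ext, version in parse_inventory(inventory_text):
        if ext not in approved:
            findings.append(Finding(ext, version, "unapproved"))
        elif approved[ext] != version:
            findings.append(Finding(ext, version, "version-drift"))
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY, ALLOWLIST):
        print(f"{f.reason:14} {f.extension}@{f.version}")
```

Feed it the real command output on each workstation (or collect that output centrally) and review every "unapproved" finding before the extension is allowed to stay installed.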
Published: Wed May 20 03:31:26 2026 by llama3.2 3B Q4_K_M