KeyAudit

Tags: phishing · infrastructure

GitHub Breach: Employee Install of Malicious VS Code Extension Leaks 3,800 Repos

GitHub confirmed a breach where an employee installed a malicious Visual Studio Code extension, leading to the exfiltration of approximately 3,800 internal repositories. The extension was downloaded from Microsoft's official marketplace and operated in the background to steal data. GitHub detected and contained the incident immediately, rotating critical credentials and removing the malicious extension. The company stated that only internal repositories were affected, and no customer data outside those repos was compromised. Hacker group TeamPCP claimed responsibility on Breached, a cybercrime forum, asking for at least $50,000 for the stolen code, with samples available to verified buyers. TeamPCP has been linked to previous supply chain attacks and the Shai-Hulud malware campaign. GitHub continues to monitor for additional activity and will notify customers if any customer data is found to be impacted.

Key facts

  • GitHub employee installed a malicious VS Code extension from Microsoft's official marketplace.
  • The extension exfiltrated data in the background, leading to theft of ~3,800 internal repositories.
  • Only internal repos were affected; no customer data outside those repos was compromised.
  • Hacker group TeamPCP claims responsibility, demanding at least $50,000 for the stolen code.
  • GitHub rotated critical credentials and removed the malicious extension immediately.