TL;DR
GitHub confirmed that the cybercrime group TeamPCP exfiltrated roughly 3,800 internal code repositories after compromising an employee device through a poisoned VS Code extension. The Microsoft-owned platform says no customer data was affected, but the breach highlights the growing threat of supply chain attacks targeting developer tools.
It is an unsettling irony when the world’s largest code-hosting platform becomes the victim of its own ecosystem. GitHub confirmed on Tuesday that a threat actor exfiltrated approximately 3,800 internal repositories after compromising an employee’s device through a poisoned Visual Studio Code extension, marking one of the most significant breaches the Microsoft-owned company has ever disclosed.
[Embedded: GitHub X post]
The cybercrime group TeamPCP, also tracked as UNC6780, claimed credit for the attack on the Breached hacking forum, where it offered the stolen data, which it described as proprietary source code and internal organisation files, for at least $50,000. The group said it would leak the material if no buyer materialised.
GitHub’s investigation found that the breach began when an employee downloaded a malicious extension from the official VS Code Marketplace. That single installation was enough to give the attacker access to the employee’s device and, from there, to thousands of the company’s private repositories. GitHub said the attacker’s claim of roughly 3,800 repositories was “directionally consistent” with its own findings.
The company moved quickly once it detected the intrusion, isolating the compromised device, removing the extension, and rotating critical credentials within hours. GitHub stressed that the activity involved exfiltration of internal repositories only and that it had found no evidence of impact to customer data, enterprise accounts, or user-hosted repositories.
Still, the incident is a stark reminder of how supply chain attacks targeting developer tools can reach deep into even the most security-conscious organisations. TeamPCP has built a formidable track record in this space. The group was behind the compromise of Aqua Security’s Trivy vulnerability scanner earlier this year, an attack that ultimately led to the exfiltration of 92 GB of data from the European Commission’s AWS infrastructure. It has also targeted Checkmarx’s KICS, the LiteLLM AI gateway library, the Telnyx SDK, TanStack, and packages associated with MistralAI.
The VS Code Marketplace has become a growing vector for supply chain attacks. Unlike packages installed from traditional registries such as npm or PyPI, browser and editor extensions often run with broad system permissions by default, making them particularly attractive to attackers seeking a foothold on developer machines and lateral access from there. GitHub has not named the specific extension involved in its breach, and it remains unclear whether the extension was a newly published malicious listing or a compromised version of a legitimate tool.
The timing adds further pressure. GitHub’s breach arrives amid a broader surge in software supply chain compromises that have hit organisations across sectors. The ShinyHunters gang, which has collaborated with TeamPCP in the past, recently published stolen European Commission data. OpenAI was targeted through a compromised TanStack package. And earlier this month, researchers documented hundreds of malicious npm packages from a campaign dubbed Mini Shai-Hulud that was linked to the same threat cluster.
For GitHub, which hosts more than 100 million developers and serves as critical infrastructure for the global software industry, the breach raises uncomfortable questions about the security of the tools developers trust implicitly. If a platform built on code review and version control can be penetrated through a rogue extension, the implications for less security-mature organisations are sobering.
GitHub said its investigation is ongoing. It has engaged external forensics support and is working to determine the full scope of the data accessed. The company posted about the incident on X, reiterating that customer data remained unaffected.
TeamPCP, meanwhile, shows no signs of slowing down. From EU institutions to AI infrastructure to the backbone of open-source development itself, the group has demonstrated a consistent playbook: poison the tools that organisations depend on, and the perimeter becomes irrelevant.