GitHub Inc. has confirmed that hackers exfiltrated roughly 3,800 of its internal code repositories after an employee installed a malicious Visual Studio Code extension.
The breach was detected on May 19 and traced to a poisoned extension on the employee's device. GitHub stated that customer data and code stored on the platform were not affected. Critical secrets were rotated, and containment measures are in place.
The hacking group TeamPCP claimed the breach on the Breached forum, offering to sell the stolen code for $50,000. GitHub confirmed the group's claims were "directionally consistent" with its own investigation.
TeamPCP has a history of targeting developer ecosystems, having previously compromised tools from Aqua Security, Checkmarx, and Telnyx, with downstream victims including the European Commission. The group has also collaborated with ransomware operators like Lapsus$ and Vect.
Visual Studio Code extensions remain a security concern: they run unsandboxed with the same privileges as the developer's own user account, and their activity often goes unnoticed by standard endpoint security tools.