GitHub confirmed Tuesday that a malicious Visual Studio Code extension, installed by one of its employees, allowed a hacker group to steal approximately 3,800 internal code repositories. The extension, downloaded from Microsoft's official marketplace, was designed to exfiltrate data in the background.
"Yesterday we detected and contained a compromise of an employee device involving a poisoned VS Code extension," the company stated. "We removed the malicious extension version, isolated the endpoint, and began incident response immediately."
The Microsoft-owned platform emphasized that only internal repositories were affected. "Our current assessment is that the activity involved exfiltration of GitHub-internal repositories only," the company wrote. "The attacker's current claims of ~3,800 repositories are directionally consistent with our investigation so far."
No customer data stored outside those repos was compromised, though some internal repos may contain excerpts from customer support interactions. GitHub has rotated critical credentials and continues to monitor for further activity.
Cybersecurity sources report that the group TeamPCP claimed responsibility on a cybercrime forum, allegedly seeking at least $50,000 for the stolen code. TeamPCP has previously been linked to supply-chain attacks targeting GitHub, PyPI, NPM, and Docker.