GitHub announced Wednesday it is investigating unauthorized access to its internal repositories following the compromise of an employee’s device. The developer platform said that on Tuesday it detected and contained the breach, which was initiated by a poisoned VS Code extension.

GitHub stated it has removed the malicious extension and isolated the endpoint. It says there is no evidence of customer data being accessed, but the investigation remains ongoing.
The hacking group TeamPCP has claimed responsibility and is attempting to sell what it says are 4,000 private code repositories related to GitHub’s core platform and internal organizations.
Binance founder Changpeng Zhao urged developers to double-check and rotate any API keys stored in private repositories. This incident follows a supply-chain attack on Grafana Labs and comes after the public disclosure of a critical GitHub vulnerability, CVE-2026-3854, which allowed authenticated users to execute arbitrary commands on GitHub servers, exposing millions of repos.