A poisoned VS Code extension just stole 3,800 of GitHub’s own internal repositories

GitHub is investigating unauthorized access to its internal repositories, and has confirmed that an attacker successfully exfiltrated data from roughly 3,800 of them. The intrusion arrived through a poisoned Visual Studio Code extension installed by an employee, giving the attacker access to that machine and, from it, to internal code that is supposed to live behind the company’s own walls.

The boundary GitHub is pointing to, between internal repositories and the customer-facing platform, is the only thing standing between a contained incident and a global supply-chain emergency. GitHub hosts roughly 100 million developers and a meaningful share of the open-source code the modern internet runs on. When the company says “internal”, it means its own platform code, its tooling, its operational configuration, the stuff used to build and run GitHub itself. Customer organizations, enterprises, and the public and private repos those customers store on GitHub are, according to the company, outside the blast radius of this intrusion.

That distinction is doing a lot of work in the statement the company posted to its official X account. “While we currently have no evidence of impact to customer information stored outside of GitHub’s internal repositories,” it reads, “we are closely monitoring our infrastructure for follow-on activity.” The phrasing is precise, and precise phrasing in a breach disclosure usually means the investigation is still moving. “No evidence of impact” is not the same as “no impact.” Past incidents at large platforms have a habit of growing as forensics catches up to attacker activity, and the line between internal and customer-facing systems is rarely a clean physical wall. It is a set of access controls, credentials, and service accounts that have to be reasoned about one by one.

The mechanism is the part of this story that should worry developers everywhere. Visual Studio Code is the dominant code editor on the planet, used inside almost every major engineering organization. Its extension marketplace runs on community trust: anyone can publish, and most engineers install plug-ins with the same casualness they use for browser bookmarks. A poisoned extension delivered through that channel and run on a developer machine gives the attacker access to whatever that developer’s session can reach: repositories, tokens, package registries, internal services. The specific extension used in this case has not yet been named publicly, but the pattern is not new. Nx Console, a popular developer-tooling extension, suffered a similar compromise.

The threat actor calling itself TeamPCP took credit for the intrusion and is offering the dataset for sale on underground forums with a floor price of fifty thousand dollars. The group’s framing, “this is not a ransom”, is itself a signal. They are not trying to extort GitHub directly. They are treating stolen internal source code the way other criminals treat credit-card dumps: as a commodity with buyers. Whoever ends up with that 3,800-repository archive will be combing it for embedded credentials, hard-coded secrets, attack-relevant detail about GitHub’s own infrastructure, and anything that could be used to compromise downstream targets. The same group has reportedly been linked to the Mini Shai-Hulud worm that hit the durabletask package on PyPI, which underlines the actual story here: developer-supply-chain attacks have crossed from speculative scenario into operational tradecraft.

GitHub’s containment response, by its own description, was fast. The compromised device was isolated. The malicious extension was removed. The company says it has rotated critical secrets, with priority given to the highest-impact credentials, and will notify any affected customers through its established incident-response channels if the investigation widens. The Microsoft-owned subsidiary did not name the GitHub employee whose device was compromised, did not name the extension, and did not give a precise window for how long the attacker had access before detection. Those details typically appear in the longer post-incident write-up that arrives weeks after the initial disclosure.

For the rest of the industry, the practical takeaway is simpler than the threat-intelligence framing makes it sound. Every engineering organization is one careless extension install away from the same incident. Anyone who has ever installed a VS Code extension recommended by a forum thread has run the same risk that landed on a GitHub employee. The defenses that work are well known and unevenly applied: restricting extension installs to a vetted allow-list, isolating developer workstations from production credentials, rotating secrets on a fast cadence. This breach is going to push them up the priority list at companies that previously deferred them.

GitHub has not given a timeline for a full public post-mortem. Investigations of this size at platforms of this scale typically take several weeks to surface their full scope, and updates will arrive on the company’s official channels as they come. The next thing to watch for is whether the 3,800-repository dataset actually appears for sale, and at what price the floor moves once the underground market has had a few days to look at the index.