Overview
- GitHub, which confirmed Wednesday, said roughly 3,800 internal repositories were exfiltrated after an employee installed a poisoned Visual Studio Code extension.
- The company removed the rogue extension, isolated the compromised device, rotated critical secrets, and is reviewing logs to spot any further activity.
- TeamPCP claimed the intrusion, offered about 4,000 private repositories for at least $50,000, said it was not a ransom, and warned it would leak the data if no buyer appears.
- GitHub said it has no evidence that customer repositories or external customer data were affected, and it will alert customers if investigators find any impact.
- Experts warned that VS Code extensions can read SSH keys and cloud tokens on developer machines, so teams should rotate keys and scan codebases for exposed secrets now.