Particle.news
Download on the App Store

GitHub Confirms Breach of 3,800 Internal Repositories via Malicious VS Code Extension

Security teams warn the stolen internal code could drive follow-on supply chain attacks.

Overview

  • GitHub, which confirmed Wednesday, said roughly 3,800 internal repositories were exfiltrated after an employee installed a poisoned Visual Studio Code extension.
  • The company removed the rogue extension, isolated the compromised device, rotated critical secrets, and is reviewing logs to spot any further activity.
  • TeamPCP claimed the intrusion, offered about 4,000 private repositories for at least $50,000, said it was not a ransom, and warned it would leak the data if no buyer appears.
  • GitHub said it has no evidence that customer repositories or external customer data were affected, and it will alert customers if investigators find any impact.
  • Experts warned that VS Code extensions can read SSH keys and cloud tokens on developer machines, so teams should rotate keys and scan codebases for exposed secrets now.