Overview
- GitHub detected and contained a compromise of an employee device on Tuesday after the worker installed a poisoned Visual Studio Code extension that exfiltrated data.
- Forensic analysis and GitHub's statements indicate that roughly 3,800 internal repositories were accessed; the company says it has removed the malicious extension and isolated the affected endpoint.
- GitHub says it has rotated critical secrets overnight and currently has no evidence that customer repositories or customer data stored outside internal repos were impacted.
- The hacking group TeamPCP has claimed responsibility and is offering the stolen material for sale for at least $50,000; security researchers link the group to a string of 2026 supply‑chain compromises.
- Experts warn that a VS Code extension runs with the developer's own privileges and can read keys and files on the machine, so teams should rotate API keys, scan code for committed secrets, and enforce extension controls to limit follow-on exploitation.
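As an added illustration of the secret-scanning step recommended above (this is example code written for this page, not GitHub's tooling or anything from the incident), the script below flags well-known token formats by pattern and generic credential assignments by Shannon entropy. The token prefixes and lengths are assumptions about current formats, the entropy threshold is a tunable guess, and the sample file content is constructed.

```python
"""Minimal secret scanner: known token patterns plus an entropy check.

Example code added for this page; not part of any product or the incident.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Assumed token formats (prefix/length conventions at time of writing).
KNOWN_PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

# Generic "name = 'value'" assignments; the value is judged by entropy so
# that obvious placeholders are not reported.
GENERIC_ASSIGN = re.compile(
    r"(?i)(?:api[_-]?key|secret|token|password|passwd)\s*[:=]\s*"
    r"['\"]?([A-Za-z0-9_\-]{20,})['\"]?"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed cut-off


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    secret: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty or uniform input)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str) -> list[Finding]:
    """Return findings for each line, de-duplicated on the matched value."""
    findings: list[Finding] = []
    seen: set[str] = set()
    for line_no, line in enumerate(text.splitlines(), start=1):
        # Exact formats first: these are high-confidence regardless of entropy.
        for kind, pattern in KNOWN_PATTERNS.items():
            for m in pattern.finditer(line):
                if m.group(0) not in seen:
                    seen.add(m.group(0))
                    findings.append(Finding(line_no, kind, m.group(0)))
        # Generic assignments: only report values that look random.
        for m in GENERIC_ASSIGN.finditer(line):
            value = m.group(1)
            if value in seen:
                continue
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                seen.add(value)
                findings.append(Finding(line_no, "generic_high_entropy", value))
    return findings


def redact(secret: str) -> str:
    """Show only the edges of a value when reporting it."""
    return secret[:4] + "..." + secret[-2:]


# Constructed sample; the AWS value is Amazon's documented example key and
# the others are made up for this page.
SAMPLE = """\
# constructed sample file, not real credentials
GITHUB_TOKEN=ghp_abcdefghijklmnopqrstuvwxyz0123456789
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
api_key = "placeholder_placeholder_placeholder"
DB_PASSWORD = "x9Q2mZ7pL4vB1nR8kT3wY6hJ0cF5dG2s"
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line_no}: {f.kind} {redact(f.secret)}")
```

Running it reports the GitHub token, the AWS key and the random-looking DB password, but not the low-entropy placeholder. A real deployment would walk the repository (including git history, since a rotated key is still worth finding there) and feed each blob through `scan_text`.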