GitHub Confirms 3,800 Internal Repositories Breached via Poisoned VS Code Extension

16 articles · Updated · InfoWorld · May 20
  • Around 3,800 GitHub internal repositories were exfiltrated after attackers compromised an employee device through a poisoned Visual Studio Code extension, in what appears to be the company’s biggest disclosed breach.
  • GitHub said it removed the malicious extension, isolated the endpoint and began incident response, adding that the stolen data appears limited to GitHub-internal repositories while logs and secret rotation are still being reviewed.
  • TeamPCP had earlier claimed it stole about 4,000 repositories and threatened to sell the code for at least $50,000 or leak it for free, posting a repository list on LimeWire.
  • Aikido Security said the breach may be linked to TeamPCP’s May 19 backdooring of the Nx Console extension, whose malicious version was live for 11 to 18 minutes and silently harvested credentials including GitHub, AWS and private keys.
  • The incident fits a broader run of supply-chain attacks on trusted developer tools, including 637 malicious npm releases tied to AntV on May 19 and 170 infected TanStack Router versions on May 11.

The 2026 GitHub Breach: How a Compromised VS Code Extension Exposed 3,800 Internal Repositories to TeamPCP

Overview

On May 19, 2026, GitHub confirmed a security breach after a company employee accidentally installed a malicious Visual Studio Code extension. This poisoned extension gave attackers unauthorized access to GitHub’s internal systems, but the compromise was contained within internal infrastructure, with no evidence of customer data being affected. GitHub responded quickly by removing the malicious extension, isolating compromised devices, and rotating exposed credentials. The incident highlights the risks of third-party developer tools and the importance of rapid response and strong security practices to protect critical software platforms.

...