GitHub Confirms Massive Code Theft: 3,800 Internal Repositories Compromised via Poisoned Extension


GitHub Acknowledges Largest Security Breach After 3,800 Internal Repos Exfiltrated

Microsoft's GitHub has confirmed that attackers stole code from approximately 3,800 of its internal repositories, marking what appears to be the platform's biggest security breach to date. The breach, first detected on May 19, involved a compromised employee device that allowed threat actors to exfiltrate sensitive internal code.

GitHub Confirms Massive Code Theft: 3,800 Internal Repositories Compromised via Poisoned Extension
Source: www.infoworld.com

The company's investigation revealed that the attack began with a malicious Visual Studio Code extension, which was quickly removed after detection. GitHub's incident response team isolated the affected endpoint and began analyzing logs to assess the full scope of the breach.

Attack Timeline and Attacker Claims

Hours after GitHub announced it was investigating "unauthorized access," the company's X account confirmed the worst. "Yesterday we detected and contained a compromise of an employee device involving a poisoned VS Code extension. We removed the malicious version, isolated the endpoint, and began incident response immediately," GitHub stated.

The attacker group, known as TeamPCP, claimed responsibility for the breach on May 19, posting a list of compromised repositories on the LimeWire content platform. The group demanded a payment of at least $50,000 to avoid leaking the stolen code. "If no buyer is found we will leak it free," the group warned.

Background: The Poisoned Extension and Broader Impact

GitHub has not yet named the specific VS Code extension that was compromised, but security researchers at Aikido Security have linked the attack to a separate TeamPCP campaign on the same day. That campaign targeted the popular Nx Console VS Code extension, backdooring it to steal credentials.

"The malicious version collected credentials silently from the moment a developer opened any workspace. The community, including Aikido Intel, caught it quickly, with the version pulled within 11 minutes," wrote Shaun Brown, technical product marketer at Aikido Security.

The compromised Nx Console extension version 18.95.0 was active for approximately 18 minutes before it was removed. According to the maintainers' internal analytics, thousands of developers were affected. Attackers specifically targeted credential files from Kubernetes, npm, AWS, 1Password, private keys, and GitHub itself.


Further investigation revealed that the same campaign led to a major supply chain compromise of the npm open-source registry. Attackers published 637 malicious versions across the namespace of the AntV enterprise data visualization tool within just 22 minutes. This follows a May 11 attack targeting the TanStack Router package ecosystem.

What This Means

This breach underscores the vulnerability of developer tools and the cascading risks of supply chain attacks. The use of a poisoned VS Code extension demonstrates how attackers can exploit trusted development environments to gain access to sensitive internal repositories, potentially compromising the intellectual property of one of the world's largest software platforms.

Organizations should immediately review their use of third-party extensions, especially in Visual Studio Code: inventory what is installed on developer workstations, restrict installation to an approved list from verified publishers, and treat any credential file readable from an affected machine (cloud keys, package-registry tokens, SSH keys, GitHub tokens) as exposed and rotate it. GitHub's incident response included secret rotation and log analysis, but the incident highlights the need for constant vigilance against credential theft and unauthorized access.
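As an added example (not code from the article, GitHub, Aikido or the Nx Console project), the following script does the two checks the previous paragraphs call for: it walks a VS Code extensions directory, reads each extension's package.json, and classifies every install as known-bad, not on the allowlist, or allowed; it then lists which of the credential files the article names as targeted are present on the machine, so a responder knows what to rotate. The Nx Console marketplace ID (nrwl.angular-console), the default credential-file paths, and the allowlist contents are assumptions for illustration; the version 18.95.0 is the one the article reports.

```python
"""Audit installed VS Code extensions and inventory exposed credential files.

Added example for the incident described above, not the project's own code.
The extension ID for Nx Console and the credential paths are assumptions.
"""
import json
from pathlib import Path

# Extension IDs take the "<publisher>.<name>" form VS Code itself reports.
# The Nx Console ID is an assumption; the version is the one named in the article.
KNOWN_BAD = {("nrwl.angular-console", "18.95.0")}

# Credential files the article says the backdoored extension went after,
# mapped to the secret that has to be rotated if the file was readable.
# The paths are the usual defaults on a Unix workstation (an assumption).
CREDENTIAL_FILES = {
    "~/.kube/config": "Kubernetes cluster credentials",
    "~/.npmrc": "npm auth token",
    "~/.aws/credentials": "AWS access keys",
    "~/.config/gh/hosts.yml": "GitHub CLI OAuth token",
    "~/.ssh/id_ed25519": "SSH private key",
    "~/.ssh/id_rsa": "SSH private key",
    "~/.config/op/config": "1Password CLI config/session",
}


def read_manifest(ext_dir):
    """Return (extension_id, version) from an extension folder, or None if unreadable."""
    manifest = Path(ext_dir) / "package.json"
    if not manifest.is_file():
        return None
    try:
        data = json.loads(manifest.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return None
    publisher, name, version = data.get("publisher"), data.get("name"), data.get("version")
    if not (publisher and name and version):
        return None
    return f"{publisher}.{name}".lower(), str(version)


def audit_extensions(extensions_root, allowlist):
    """Classify each installed extension as known_bad, unlisted or allowed.

    A known-bad (id, version) pair is flagged even when the id is allowlisted,
    because a trusted extension is exactly what a poisoned release hides behind.
    """
    allowed = {a.lower() for a in allowlist}
    report = {"known_bad": [], "unlisted": [], "allowed": []}
    root = Path(extensions_root)
    if not root.is_dir():
        return report
    for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        parsed = read_manifest(ext_dir)
        if parsed is None:
            continue  # no usable manifest; nothing to classify
        ext_id, version = parsed
        if (ext_id, version) in KNOWN_BAD:
            report["known_bad"].append((ext_id, version))
        elif ext_id not in allowed:
            report["unlisted"].append((ext_id, version))
        else:
            report["allowed"].append((ext_id, version))
    return report


def credentials_present(home=None):
    """Return [(path, secret_to_rotate)] for every targeted credential file that exists."""
    base = Path(home) if home else Path.home()
    found = []
    for rel, secret in CREDENTIAL_FILES.items():
        path = base / rel[2:]  # drop the leading "~/"
        if path.exists():
            found.append((str(path), secret))
    return found


if __name__ == "__main__":
    # Assumed allowlist; replace with the organization's approved extension IDs.
    allow = {"ms-python.python", "nrwl.angular-console"}
    report = audit_extensions(Path.home() / ".vscode" / "extensions", allow)
    for bucket in ("known_bad", "unlisted"):
        for ext_id, version in report[bucket]:
            print(f"{bucket.upper():9} {ext_id}@{version}")
    for path, secret in credentials_present():
        print(f"ROTATE    {secret} ({path})")
```

Run it on each developer workstation; anything in the KNOWN_BAD or UNLISTED buckets is grounds for pulling the machine and rotating every secret the ROTATE lines list, since a stealer running inside the editor process can read all of them.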

GitHub has promised to publish a full incident report once investigations are complete. In the meantime, developers and enterprises should reassess their security practices for internal code repositories and third-party extensions.
