GitHub Breach Exposes 3,800 Internal Repos via Poisoned VS Code Plugin

Software developers are becoming bigger targets for hackers, who are now searching for ways to compromise the software supply chain in an effort to distribute malware. The latest organization to be compromised is the developer platform GitHub, where an employee was hit by a malicious Visual Studio Code extension.

The company announced on the social media platform X that it “detected and contained a compromise of an employee device involving a poisoned VS Code extension. We removed the malicious extension version, isolated the endpoint, and began incident response immediately.” Once on the employee’s machine, the attacker was able to leverage this foothold to access roughly 3,800 internal repositories.


This attack was carried out by a group known as TeamPCP, which already has a track record of successfully targeting other developer-focused platforms such as PyPI, NPM and Docker. The group is asking for $50,000 for those interested in the stolen data, and said if it doesn’t receive any offers, it will release the data for free because “it looks like our retirement is soon.”

VS Code is a popular tool for software developers because of the useful plugins available, but these plugins are also proving to be an opening for hackers, with several incidents similar to this one. Hopefully Microsoft can figure out a way to balance security with the vibrant ecosystem of plugins that makes it such a popular tool. Until that happens, though, this will continue to be an issue.

For now, it seems as if this will only affect GitHub itself and that the company has done its due diligence to limit the damage the intruder is capable of inflicting. However, depending on the nature of the data that was pilfered, this might end up impacting many other organizations. Developers should keep an eye on how this situation continues to unfold.
Alan Velasco


When Alan isn’t watching his favorite streamers on Twitch he’s writing about tech, gaming and cybersecurity.
 
Opinions and content posted by HotHardware contributors are their own.