
GitHub has confirmed a significant security breach that allowed hackers to steal data from approximately 3,800 of its internal code repositories. The attack was carried out through a compromised Visual Studio Code extension that infected an employee’s device, giving attackers access to the company’s internal systems.
The Microsoft-owned developer platform announced on X that it has “no evidence of impact to customer information stored outside of GitHub’s internal repositories,” though the investigation remains ongoing. The company said it “detected and contained a compromise of an employee device involving a poisoned VS Code extension.”
This breach highlights a growing trend of cybercriminals targeting the software development ecosystem. Hackers are increasingly focusing on popular open source projects and coding tools because compromising them grants access to thousands of developers' machines at once. By targeting widely used extensions and development tools, attackers reach far more systems from a single compromise than they could by attacking individual machines one at a time.
The hacking group TeamPCP has claimed responsibility for the GitHub breach and is reportedly selling the stolen data on cybercrime forums, according to security publications The Record and Bleeping Computer. GitHub has not disclosed which specific VS Code extension was compromised or whether the hackers have made any ransom demands.
TeamPCP has a track record of high-profile attacks on technology organizations. The group previously claimed responsibility for breaching the European Commission, stealing over 90 gigabytes of data from the EU's cloud storage systems. That attack followed a similar pattern: the hackers first compromised Trivy, a vulnerability scanning tool, then used it to distribute malware to downstream users and steal cloud access credentials.
The GitHub incident is part of a broader wave of supply chain attacks targeting the developer community:
- OpenAI was recently targeted through a breach of TanStack, a web development platform
- Hackers pushed malicious updates through TanStack to steal passwords and authentication tokens
- Multiple open source projects have been compromised to distribute malware to developers
These attacks are particularly concerning because they target the tools and platforms that millions of developers rely on daily. When a popular extension or development tool is compromised, it can potentially affect every developer who uses it, creating a massive attack surface for cybercriminals.
The focus on developer tools also reflects the high value of the data these platforms contain. Code repositories often include proprietary algorithms, API keys, database credentials, and other sensitive information that can be valuable for further attacks or sold on underground markets.
GitHub’s response appears to have been swift, with the company detecting and containing the breach relatively quickly. However, the incident raises questions about the security of the broader development ecosystem and whether current safeguards are sufficient to protect against increasingly sophisticated supply chain attacks.