GitHub faced a serious cyber threat – hackers compromised thousands of projects

Main points

  • GitHub suffered a massive hack of about 3,800 repositories due to a malicious VSCode extension installed by one of its employees.
  • The incident highlights the importance of caution when installing third-party add-ons, as cybercriminals increasingly use attacks on the software supply chain.

GitHub hacked / Channel 24 collage

GitHub has officially confirmed a serious security incident that compromised thousands of internal repositories. The leak of confidential information was caused by the carelessness of one of the company's employees, which led to unauthorized access by external attackers.

GitHub, a key tool for millions of programmers around the world, has suffered an internal security incident. According to BleepingComputer, the company has officially confirmed that a significant number of its projects were accessed without authorization.

How did one click jeopardize thousands of projects?

The incident was caused by an employee who inadvertently installed a malicious extension for the popular code editor Visual Studio Code (VS Code). Such extensions are normally meant to add features to the editor and simplify everyday work, but this one turned out to be a Trojan horse. Once installed, the malicious add-on likely gave attackers access to the company's internal systems.

The cyber incident resulted in the compromise of around 3,800 internal repositories. A repository is essentially a storage facility where source code, documentation, and all files related to a particular project are stored. While the company did not specify what information was contained in these repositories, the breach of this many internal projects is a serious security threat.


The company responds

The company responded to the threat immediately upon discovery. The malicious extension, whose name is not being disclosed, was removed from the VS Code marketplace and the employee's device was quarantined.

Yesterday, we discovered and contained a compromise of an employee's device related to an infected VS Code extension. We removed the malicious version of the extension, isolated the endpoint, and immediately initiated incident response,
– officially commented on GitHub.

According to preliminary investigation data, the attack only affected internal GitHub repositories. There is no evidence yet that customer data stored outside of the affected repositories was affected.

Our current assessment is that the activity was limited to exfiltration of internal GitHub repositories. The attackers' current claims of approximately 3,800 repositories targeted are consistent with our investigation at this time,
– added representatives of the platform.

Who is behind the attack?

The hacking group TeamPCP claimed responsibility for the breach. On the well-known cybercrime forum Breached, they announced that they had obtained GitHub code and offered the stolen data for sale for at least $50,000. The attackers emphasized that they did not intend to blackmail the company.

As always, this is not a ransom, we are not interested in extorting money from Github. One buyer – and we will destroy the data from our side. It seems that our retirement is coming soon, so if a buyer is not found, we will publish it for free,
– the cybercriminals said, adding that the best offer will receive full access to the information.


Hacker statement / Screenshot BleepingComputer

This is not the first time that the TeamPCP group has appeared in cybersecurity reports:

  • It has previously been linked to massive supply chain attacks targeting platforms such as PyPI, NPM, and Docker.
  • They are also involved in the “Mini Shai-Hulud” campaign, which even affected two OpenAI employees.

What's next?

GitHub is currently actively working to mitigate risks. The company's specialists have rotated critical private keys, paying special attention to those credentials that have the greatest impact on the system.

The process of analyzing logs and monitoring is ongoing to prevent any further hacker activity. A full incident report will be published once the investigation is complete.

Why should we pay attention to this?

This incident has once again raised concerns about the security of extensions in the VS Code Marketplace. According to our analysis, this is not the first time that malware has been distributed through the official Microsoft store.

  • Last year, extensions with 9 million installs were removed from the platform due to security threats, and another 10 extensions secretly installed the XMRig cryptominer.
  • In January 2024, two extensions positioned as AI-based code writing assistants stole developers' data and sent it to servers in China.

Today, GitHub's cloud platform is a critical infrastructure for the world, used by over 4 million organizations, including 90 percent of the Fortune 100, and over 180 million developers working on over 420 million repositories.

The case as a whole is a disturbing reminder of how vulnerable even the infrastructure of tech giants can be. The attack via a malicious extension for a widely used development tool like VS Code demonstrates one of the most dangerous attack vectors – the so-called software supply chain attack. Attackers are increasingly targeting not the companies themselves, but the tools their employees use.

This is an important lesson for the entire IT industry and for each individual developer. Extreme caution should be exercised when installing any third-party add-ons and extensions, even if they come from official stores. Thorough verification, minimizing the number of installed tools, and increasing cybersecurity awareness among staff are critical to protecting against similar incidents in the future.
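One concrete way to act on "thorough verification" and "minimizing the number of installed tools" is to inventory the extensions present on a developer workstation and flag anything that is not on an organisation-approved list. The script below is an added example written for this article; it is not code from the article, from GitHub or from the VS Code project. It assumes the usual VS Code layout of one folder per extension under ~/.vscode/extensions, each containing a package.json with "publisher", "name" and "version" fields, and it uses a constructed sample tree and a hypothetical allowlist so it runs offline.

```python
"""Inventory installed VS Code extensions and flag any not on an approved list.

Added example, not from the article or from GitHub. Assumptions: one folder
per extension under the extensions root, each with a package.json holding
"publisher", "name" and "version"; the allowlist is a hypothetical set of
"publisher.name" identifiers maintained by the organisation.
"""
import json
import tempfile
from pathlib import Path

# Hypothetical allowlist of extension identifiers the organisation has vetted.
APPROVED = {"ms-python.python", "redhat.vscode-yaml"}


def read_manifest(ext_dir: Path):
    """Return (identifier, version) from a folder's package.json, or None if unreadable."""
    manifest = ext_dir / "package.json"
    if not manifest.is_file():
        return None
    try:
        data = json.loads(manifest.read_text(encoding="utf-8"))
    except (OSError, json.JSONDecodeError):
        return None
    publisher = data.get("publisher")
    name = data.get("name")
    if not publisher or not name:
        return None
    return f"{publisher}.{name}".lower(), str(data.get("version", "?"))


def audit_extensions(extensions_root, approved=APPROVED):
    """Classify every extension folder as approved, unapproved or unreadable.

    Returns a dict of three sorted lists. Folders whose manifest is missing or
    malformed are reported rather than skipped, so a tampered extension is
    not silently ignored by the audit.
    """
    root = Path(extensions_root)
    report = {"approved": [], "unapproved": [], "unreadable": []}
    for entry in sorted(root.iterdir()):
        if not entry.is_dir():
            continue
        info = read_manifest(entry)
        if info is None:
            report["unreadable"].append(entry.name)
            continue
        ident, version = info
        bucket = "approved" if ident in approved else "unapproved"
        report[bucket].append(f"{ident}@{version}")
    return report


def build_sample_tree():
    """Create a constructed extensions folder (sample data, not real extensions)."""
    root = Path(tempfile.mkdtemp(prefix="vscode-ext-audit-"))
    samples = {
        "ms-python.python-2024.1.0": {"publisher": "ms-python", "name": "python", "version": "2024.1.0"},
        "acme.helper-tool-0.0.3": {"publisher": "acme", "name": "helper-tool", "version": "0.0.3"},
    }
    for folder, manifest in samples.items():
        d = root / folder
        d.mkdir()
        (d / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    (root / "broken-ext-1.0.0").mkdir()  # a folder with no manifest at all
    return root


def main():
    # Replace build_sample_tree() with Path.home() / ".vscode" / "extensions"
    # to audit a real workstation.
    report = audit_extensions(build_sample_tree())
    for key in ("unapproved", "unreadable", "approved"):
        for item in report[key]:
            print(f"{key:10s} {item}")


if __name__ == "__main__":
    main()
```

Anything listed as unapproved or unreadable is the starting point for a review: either the extension is vetted and added to the allowlist, or it is removed. Running the audit centrally (for example from an endpoint-management job) turns the article's advice into a repeatable control rather than a one-time reminder.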

Also worth recalling: what is the current security situation on the market?

Attacks via browser extensions and code editors have become common. Attackers often disguise malicious code as useful tools, using popular themes such as artificial intelligence to lure users. For example, a campaign of over 30 fake extensions for Google Chrome that pretended to be AI assistants was previously uncovered. These extensions, installed by over 300,000 users, were actually stealing the content of visited pages and even intercepting Gmail correspondence.

The danger is that even highly rated extensions with millions of downloads can pose a threat. For example, the popular Urban VPN Proxy tool, after one of its updates, began secretly collecting users’ conversations with AI chatbots like ChatGPT and Gemini and transferring them to a third-party company. In other cases, vulnerabilities in extensions lead to direct financial losses, as happened to users of the Trust Wallet crypto wallet, where $7 million was stolen due to a problem in the browser version.

Such attacks pose a particular danger to IT companies and developers, as compromising their accounts can lead to code leaks. The value of such information is demonstrated by the case of Anthropic, which accidentally published hundreds of thousands of lines of code for its Claude Code tool, which gave competitors and researchers a unique opportunity to look into the internal logic of the product. Understanding this, attackers are targeting developers, even using the GitHub platform itself.

In one campaign, hackers created fake pages for popular applications on GitHub to trick macOS users into downloading ransomware capable of stealing passwords and crypto wallet data.
