GitHub has recently confirmed a breach involving unauthorized access to its internal repositories. The incident was detected after an employee's device was infected via a malicious Visual Studio Code extension, as disclosed by the company on May 20, 2026.
Immediate Response and Containment
The code hosting platform, owned by Microsoft, swiftly identified and contained the breach. The culprit was a tainted VS Code extension used to infiltrate an employee’s device. GitHub promptly removed the harmful extension, isolated the compromised device, and activated its incident response protocols.
According to GitHub’s investigation, the attacker managed to exfiltrate data solely from internal repositories, with no current evidence pointing to an impact on public or customer-hosted repositories.
Attacker Claims and Security Measures
A threat actor known as TeamPCP has taken responsibility for the breach, claiming to have accessed around 3,800 repositories. These claims align with GitHub’s ongoing investigation findings. The group is allegedly selling the stolen data on cybercrime forums, seeking bids over $50,000, and claims to have compromised about 4,000 repositories linked to GitHub’s main platform.
Following the initial detection, GitHub took several steps to mitigate further risks. These included rotating critical secrets and credentials, isolating the affected employee’s device, and removing the malicious extension. Continuous log analysis was initiated to track any further unauthorized activity.
Implications for Developer Security
This incident underscores the rising threat of supply chain attacks targeting developer tools. Malicious extensions, like the one used in this attack, can evade traditional security measures and silently extract sensitive information.
GitHub continues to evaluate logs, ensure complete secret rotation, and monitor for any subsequent unauthorized activity. The company has committed to taking further remedial actions as necessary and plans to release a comprehensive incident report once the investigation concludes.
As of now, GitHub has not reported any exposure of customer data.
