GitHub publicly confirmed on June 16 that a security breach exposed approximately 3,800 internal code repositories after an employee installed a malicious Visual Studio Code (VS Code) extension on their device [1, 2]. The attack was detected and contained the previous day, June 15, when GitHub removed the poisoned VS Code extension from the Marketplace, isolated the compromised employee endpoint, and immediately began incident response [1].

GitHub stated the breach involved the exfiltration of internal source code repositories only, with no evidence yet that customer data outside of those affected repositories was accessed or exposed [1, 2]. The initial investigation aligns with hacker claims regarding the number of repositories breached. "Our current assessment is that the activity involved exfiltration of GitHub-internal repositories only. The attacker's current claims of ~3,800 repositories are directionally consistent with our investigation so far," GitHub said [1].

The attack was carried out via a trojanized VS Code extension, a tactic that has been used in the past to steal developer credentials and data, though neither GitHub nor the cited sources named the specific extension or the attacker [1, 2]. The hacker group TeamPCP claimed responsibility on the Breached cybercrime forum, stating they accessed roughly 4,000 private repositories and posted a ransom demand of at least $50,000 [1, 2].

TeamPCP said they do not intend to ransom GitHub, declaring, "As always this is not a ransom, We do not care about extorting Github, 1 buyer and we shred the data on our end, it looks like our retirement is soon so if no buyer is found we will leak it free." They added, "If you are interested. Send your offers to the communications below, we are not interested in under 50k, the best offer will get it." [1]

GitHub has rotated the highest-impact credentials exposed by the breach and continues active monitoring and incident response [2]. No further details on the attacker or method have been disclosed. Removing the malicious VS Code extension from the Marketplace is intended to prevent further infections or compromise [1, 2].

The detection on June 15 and public confirmation on June 16 mark the key recent milestones. GitHub remains engaged in a comprehensive investigation while working to secure its internal systems [1, 2].