GitHub disclosed on May 19 that hackers accessed around 3,800 internal code repositories after compromising an employee device through a poisoned Visual Studio Code extension [1, 2]. The company confirmed the breach involved unauthorized access but said there is no evidence customer data stored outside these internal repos was affected [1, 2].
GitHub said it detected the attack and contained the compromise in May after identifying the poisoned extension on an employee device [1]. A hacking group calling itself TeamPCP has claimed responsibility for the breach and is reportedly selling the stolen data on cybercrime forums [1]. The group previously targeted the European Commission through a similar software supply chain compromise [1].
In an official statement, GitHub said, "We are investigating unauthorized access to GitHub’s internal repositories. While we currently have no evidence of impact to customer information stored outside of GitHub’s internal repositories ... we are closely monitoring our infrastructure for follow-on activity" [2].
GitHub continues to monitor its systems for any follow-on activity or further breaches as the investigation remains active [2]. The company has not detailed the specific repositories impacted or estimated the total volume of data stolen.
The breach highlights ongoing risks from software supply chain attacks that can target employee devices used to access sensitive systems. Authorities and security firms are tracking the TeamPCP hacking group after its previous high-profile campaign against European institutions.
GitHub’s investigation and monitoring are ongoing with no additional public updates released as of today.