GitHub has confirmed that hackers breached its systems and stole data from about 3,800 internal code repositories following a compromise involving a malicious Visual Studio Code extension.
The Microsoft-owned developer platform disclosed the incident in a series of posts on X, stating that it had “detected and contained a compromise of an employee device involving a poisoned VS Code extension.”
According to the company, there is currently “no evidence of impact to customer information stored outside of GitHub’s internal repositories,” although investigations into the breach are still ongoing.
The attack highlights growing cybersecurity concerns surrounding software supply chain attacks, where hackers target widely used developer tools, plugins, and open-source projects to gain access to large numbers of systems simultaneously.
GitHub did not disclose the name of the compromised extension used in the attack.
Reports by The Record and Bleeping Computer say a hacking group known as TeamPCP has claimed responsibility for the breach. The group is reportedly attempting to sell the stolen data on a cybercrime forum.
GitHub has not publicly confirmed whether it has communicated with the hackers or whether any ransom demand was made following the breach.
The hacking group has previously been linked to another major cyberattack involving the European Commission, in which more than 90 gigabytes of data were reportedly stolen from the organisation’s cloud storage systems.
That earlier incident allegedly involved malware distributed through Trivy, a vulnerability scanning tool, allowing attackers to steal cloud credentials and compromise downstream users.
The latest breach also comes amid broader concerns about attacks targeting developer ecosystems. Recently, OpenAI was reportedly affected by a separate attack involving TanStack, a platform used by web developers, where hackers distributed malware through compromised updates to steal passwords and authentication tokens.