GitHub confirms breach — thousands of internal repositories hit after employee installs malicious VS Code extension

GitHub confirmed that a compromised employee device led to the exfiltration of approximately 4,000 internal repositories after the staff member inadvertently installed a malicious Visual Studio Code extension.

Key Points

  • Threat actors known as TeamPCP are currently attempting to sell the stolen repository archive on the dark web for $50,000.
  • GitHub has rotated critical security secrets and isolated the affected endpoint to prevent further unauthorized access to its internal systems.
  • The investigation confirmed that the breach was limited to internal repositories and did not impact the broader public GitHub platform.
  • TeamPCP is also responsible for recent supply-chain attacks on the npm registry, where they injected malware into over 300 legitimate packages.

Why it Matters

This incident shows how much damage a single malicious IDE extension can do: an extension runs with the developer's own privileges and credentials, so a malicious one inherits whatever access that account has, in this case enough to pull roughly 4,000 internal repositories from one endpoint. It also underlines the ongoing threat to software supply-chain integrity, since the same group is credited with seeding malware into hundreds of npm packages. Organizations should treat editor extensions as part of their supply chain: restrict installs to vetted, pinned extensions, monitor developer endpoints for unexpected tooling, and scope credentials so that one compromised workstation cannot reach the entire source-code estate.
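One practical form of the "vet third-party tools" advice above is to compare what is actually installed on a developer endpoint against a pinned allowlist. The following is an added example, not code from the article or from GitHub; it parses the output of `code --list-extensions --show-versions` (one `publisher.name@version` line per extension) and flags anything that is not allowlisted or has drifted from the approved version. The extension identifiers, versions and the allowlist itself are constructed for illustration.

```python
"""Audit installed VS Code extensions against a pinned allowlist.

Added example (not from the article). Parses `code --list-extensions --show-versions`
output, one `publisher.name@version` line per extension, and reports extensions that
are not allowlisted or whose installed version differs from the approved one.
"""
import re
import subprocess
from dataclasses import dataclass

# Shape of one line printed by `code --list-extensions --show-versions`.
EXT_LINE = re.compile(
    r"^(?P<publisher>[A-Za-z0-9][A-Za-z0-9-]*)\.(?P<name>[A-Za-z0-9][A-Za-z0-9-]*)@(?P<version>\S+)$"
)

# Hypothetical allowlist: extension id -> approved version (constructed values).
ALLOWLIST = {
    "ms-python.python": "2024.22.0",
    "esbenp.prettier-vscode": "11.0.0",
}


@dataclass(frozen=True)
class Finding:
    extension: str
    installed: str
    reason: str  # "not_allowlisted" or "version_drift"


def parse_extensions(listing: str) -> dict[str, str]:
    """Map extension id (publisher.name, lowercased) -> installed version.

    Marketplace ids are case-insensitive, so ids are normalised to lowercase.
    A line that does not match the expected shape is an error, not silently skipped:
    an auditor should notice if the tool's output format changes.
    """
    found: dict[str, str] = {}
    for raw in listing.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = EXT_LINE.match(line)
        if not m:
            raise ValueError(f"unexpected line in extension listing: {line!r}")
        ext_id = f"{m['publisher']}.{m['name']}".lower()
        found[ext_id] = m["version"]
    return found


def audit(installed: dict[str, str], allowlist: dict[str, str]) -> list[Finding]:
    """Return one Finding per extension that is unknown or not at its approved version."""
    findings: list[Finding] = []
    for ext_id, version in sorted(installed.items()):
        approved = allowlist.get(ext_id)
        if approved is None:
            findings.append(Finding(ext_id, version, "not_allowlisted"))
        elif version != approved:
            findings.append(Finding(ext_id, version, "version_drift"))
    return findings


def list_installed_extensions() -> str:
    """Invoke the real `code` CLI on this machine (only used when run as a script)."""
    result = subprocess.run(
        ["code", "--list-extensions", "--show-versions"],
        check=True, capture_output=True, text=True,
    )
    return result.stdout


# Constructed sample standing in for CLI output on a host with an unvetted extension.
SAMPLE_LISTING = """\
ms-python.python@2024.22.0
esbenp.prettier-vscode@10.4.0
totally-legit.github-helper@0.0.3
"""

if __name__ == "__main__":
    try:
        listing = list_installed_extensions()
    except (FileNotFoundError, subprocess.CalledProcessError):
        listing = SAMPLE_LISTING  # fall back to the constructed sample when `code` is absent
    for f in audit(parse_extensions(listing), ALLOWLIST):
        print(f"{f.reason:16} {f.extension} (installed {f.installed})")
```

Run on a fleet, the findings feed a ticket or an EDR alert; the version-drift check matters because a publisher account takeover typically ships the malicious payload as a new version of an otherwise trusted extension, which a name-only allowlist would pass.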
Source: TechRadar, by Sead Fadilpašić