GitHub confirms breach of 3,800 internal repos after employee installs poisoned VS Code extension

GitHub confirmed a breach affecting 3,800 internal repositories after an employee installed a poisoned Visual Studio Code extension, with hackers exfiltrating data and claiming to sell it on a cybercrime forum. The attack aligns with TeamPCP’s ongoing campaign targeting developer ecosystems, including prior breaches of Aqua Security and LiteLLM, raising concerns about the risks posed by extensions with broad system permissions.
GitHub disclosed Tuesday that hackers breached 3,800 of its internal code repositories after an employee installed a malicious Visual Studio Code extension. The company detected the compromise on the same day, removing the infected extension, isolating the affected device, and rotating critical secrets. GitHub stated customer data and external code on its platform remained unaffected, though it acknowledged the breach’s severity.

The hacking group TeamPCP claimed responsibility, posting stolen GitHub source code and listing around 4,000 private repositories for sale at $50,000 on the Breached forum. GitHub confirmed the figure was closer to 3,800, calling TeamPCP’s claim ‘directionally consistent’ with its findings. The group threatened to leak the data publicly if no buyer was found.

TeamPCP has targeted developer tools in 2026, compromising Aqua Security’s Trivy scanner, Checkmarx’s KICS analyzer, and LiteLLM’s Python client, with downstream victims including the European Commission. The group uses typosquatting and partnerships with ransomware operators like Lapsus$ and Vect to amplify attacks.

Visual Studio Code extensions pose a recurring risk, as they operate with broad permissions and access to sensitive data like credentials and build pipelines. Security experts warn that developer environments now hold strategic value comparable to enterprise infrastructure, making them prime targets for supply chain attacks.

GitHub has not named the malicious extension or detailed how it reached the employee’s device. A full post-incident report is expected once the investigation concludes. The breach underscores the need for stricter controls over developer tool permissions and endpoint security.
This content was automatically generated and/or translated by AI. It may contain inaccuracies. Please refer to the original sources for verification.