2 Sources
[1]
GitHub breached via poisoned VS Code extension, 3,800 repos stolen
The Microsoft-owned platform says no customer data was affected, but the breach underscores how a single compromised developer tool can unlock an entire organisation's codebase.

It is an unsettling irony when the world's largest code-hosting platform becomes the victim of its own ecosystem. GitHub confirmed on Tuesday that a threat actor exfiltrated approximately 3,800 internal repositories after compromising an employee's device through a poisoned Visual Studio Code extension, marking one of the most significant breaches the Microsoft-owned company has ever disclosed.

The cybercrime group TeamPCP, also tracked as UNC6780, claimed credit for the attack on the Breached hacking forum, where it offered the stolen data, which it described as proprietary source code and internal organisation files, for at least $50,000. The group said it would leak the material if no buyer materialised.

GitHub's investigation found that the breach began when an employee downloaded a malicious extension from the official VS Code Marketplace. That single installation was enough to give the attacker access to the employee's device and, from there, to thousands of the company's private repositories. GitHub said the attacker's claim of roughly 3,800 repositories was "directionally consistent" with its own findings.

The company moved quickly once it detected the intrusion, isolating the compromised device, removing the extension, and rotating critical credentials within hours. GitHub stressed that the activity involved exfiltration of internal repositories only and that it had found no evidence of impact to customer data, enterprise accounts, or user-hosted repositories. Still, the incident is a stark reminder of how supply chain attacks targeting developer tools can reach deep into even the most security-conscious organisations.

TeamPCP has built a formidable track record in this space. The group was behind the compromise of Aqua Security's Trivy vulnerability scanner earlier this year, an attack that ultimately led to the exfiltration of 92 GB of data from the European Commission's AWS infrastructure. It has also targeted Checkmarx's KICS, the LiteLLM AI gateway library, the Telnyx SDK, TanStack, and packages associated with MistralAI.

The VS Code Marketplace has become a growing vector for supply chain attacks. Unlike traditional package registries such as npm or PyPI, browser and editor extensions often receive broad system permissions by default, making them particularly attractive to attackers seeking lateral access. GitHub has not named the specific extension involved in its breach, and it remains unclear whether the extension was a newly published malicious listing or a compromised version of a legitimate tool.

The timing adds further pressure. GitHub's breach arrives amid a broader surge in software supply chain compromises that have hit organisations across sectors. The ShinyHunters gang, which has collaborated with TeamPCP in the past, recently published stolen European Commission data. OpenAI was targeted through a compromised TanStack package. And earlier this month, researchers documented hundreds of malicious npm packages from a campaign dubbed Mini Shai-Hulud that was linked to the same threat cluster.

For GitHub, which hosts more than 100 million developers and serves as critical infrastructure for the global software industry, the breach raises uncomfortable questions about the security of the tools developers trust implicitly. If a platform built on code review and version control can be penetrated through a rogue extension, the implications for less security-mature organisations are sobering.

GitHub said its investigation is ongoing. It has engaged external forensics support and is working to determine the full scope of the data accessed. The company posted about the incident on X, reiterating that customer data remained unaffected.

TeamPCP, meanwhile, shows no signs of slowing down. From EU institutions to AI infrastructure to the backbone of open-source development itself, the group has demonstrated a consistent playbook: poison the tools that organisations depend on, and the perimeter becomes irrelevant.
[2]
GitHub confirms 3,800 internal repos stolen through poisoned VS Code extension as supply chain worm hits Microsoft's Python SDK
GitHub confirmed on May 20 that a poisoned VS Code extension installed on an employee's device gave attackers access to roughly 3,800 internal repositories at the Microsoft-owned code storage and authorship platform. The threat group TeamPCP, formally tracked by Google Threat Intelligence Group as UNC6780, claimed responsibility and is advertising the stolen repositories for sale starting at $50,000. GitHub's assessment: the attacker's claim is "directionally consistent" with the investigation so far. Trend Micro, StepSecurity, and Snyk have formally tracked TeamPCP across at least seven waves of the Mini Shai-Hulud supply chain worm since March.

The GitHub breach did not land in isolation. It arrived the same day a new Mini Shai-Hulud wave forged valid cryptographic provenance on 639 malicious npm package versions, one day after attackers compromised a VS Code extension with 2.2 million installs, the same day Wiz discovered TeamPCP had compromised Microsoft's durabletask Python SDK on PyPI, and the same morning Verizon's 2026 DBIR revealed that 67% of employees access AI tools through non-corporate accounts. Five supply chain surfaces failed in 48 hours. Two more AI-agent attack classes were disclosed the same month that completed the grid. One group connects at least three of them.

"Yesterday we detected and contained a compromise of an employee device involving a poisoned VS Code extension. We removed the malicious extension version, isolated the endpoint, and began incident response immediately," GitHub posted in a five-post thread on X on May 20. "Our current assessment is that the activity involved exfiltration of GitHub-internal repositories only. [Emphasis added by VentureBeat] The attacker's current claims of ~3,800 repositories are directionally consistent with our investigation so far." GitHub added that critical secrets were rotated overnight with the highest-impact credentials prioritized first.

GitHub's confirmation narrows the attack vector to a single employee device but leaves the blast radius expanding. The company has not named the specific extension. Internal repositories contain infrastructure configurations, deployment scripts, staging credentials, and internal API schemas. Source code access at that level is not a data breach. It is an infrastructure intelligence leak.

Dark Web Informer reported that TeamPCP's listing appeared on a hacking forum hours before GitHub's initial disclosure, advertising around 4,000 private repositories. Hackmanac independently confirmed the listing. An X account linked to TeamPCP, xploitrsturtle2, posted after GitHub's confirmation: "GitHub knew for hours, they delayed telling you and they won't be honest in the future. What an amazing run, it's been an honor to play around with the cats over the past few months."

Google Threat Intelligence Group formally tracks TeamPCP as UNC6780, a financially motivated threat actor specializing in supply chain attacks targeting open-source security utilities and AI middleware. Trend Micro tracked "at least seven confirmed waves" spanning Trivy (March 2026), Checkmarx KICS, LiteLLM, elementary-data, Bitwarden CLI, TanStack (May 11), and Mistral AI (May 12). StepSecurity, Snyk, and Trend Micro assess high confidence on the Trivy, Bitwarden CLI, and TanStack waves based on toolchain overlap. GitHub's May 20 confirmation that the breach came through a poisoned VS Code extension aligns with the exact attack surface TeamPCP weaponized throughout 2026.

Binance co-founder CZ posted immediately: "If you have ANY private repos with plain text secrets or sensitive documents/architectures, immediately rotate your secrets." Mike Riemer, CTO of Ivanti, told VentureBeat in an exclusive interview that Azure's honeypot network now shows known vulnerabilities exploited in under 90 seconds. Stolen credentials shorten the recon phase that precedes exploitation. Every GitHub-side secret that reaches a buyer accelerates whichever attack path that buyer was already running.

Hours before GitHub's disclosure, Endor Labs detected 42 malicious npm packages published between 01:39 and 02:06 UTC on May 19. Socket's broader tracking put the full wave at 639 malicious versions across 323 packages inside Alibaba's @antv data visualization ecosystem, roughly 16 million weekly downloads. This wave introduced provenance forgery. The worm now calls Fulcio and Rekor at runtime to generate valid Sigstore signing certificates for every package it propagates to. Provenance tooling shows a green badge. The build chain belongs to the attacker. "The attestation proves where the package was built. It does not prove the build was authorized," Endor Labs stated.

Peyton Kennedy, senior security researcher at Endor Labs, told VentureBeat that "TanStack had the right setup on paper: OIDC trusted publishing, signed provenance, 2FA on every maintainer account. The attack worked anyway. Each wave has picked a higher-download target and introduced a more technically interesting access vector."

Late on May 12, vx-underground reported that TeamPCP open-sourced the fully weaponized Shai-Hulud worm code. Copycat variants have already appeared, complicating attribution. Kennedy provided VentureBeat a first-pass detection check: run find . -name 'router_init.js' -size +1M across project directories and grep for the hash 79ac49eedf774dd4b0cfa308722bc463cfe5885c in package-lock.json. If either returns a hit, isolate and image the machine before revoking any tokens. The worm's destructive daemon triggers on revocation.

Also on May 19, threat actors compromised the popular GitHub Actions workflow actions-cool/issues-helper by redirecting every existing tag in the repository to an imposter commit that does not appear in the action's normal commit history. "That commit contains malicious code that exfiltrates credentials from CI/CD pipelines that run the action," StepSecurity researcher Varun Sharma said. GitHub has since disabled access to the repository. The exfiltration domain (t.m-kosche[.]com) matches the @antv Mini Shai-Hulud wave, tying the two clusters together. Only workflows pinned to a known-good full commit SHA were unaffected.

Hours after the @antv wave, Wiz detected that TeamPCP had compromised durabletask, the official Microsoft Python client for the Durable Task workflow execution framework. Three malicious versions (1.4.1, 1.4.2, and 1.4.3) were published to PyPI within a 35-minute window on May 19. The attack chain was direct: a GitHub account compromised in a previous TeamPCP operation still had access to the microsoft/durabletask-python repository. The attacker dumped GitHub Secrets, extracted a PyPI publishing token, and pushed the infected releases directly. PyPI quarantined all three versions. StepSecurity's analysis found the payload downloads a 28 KB dropper (rope.pyz) that steals credentials from AWS, Azure, GCP, Kubernetes, and over 90 developer tool configurations, then spreads laterally through cloud infrastructure. The payload skips systems with a Russian locale. The durabletask package averages over 400,000 monthly downloads.

On May 18, attackers published a compromised version of the Nx Console VS Code extension, installed more than 2.2 million times. The malicious version harvested tokens from GitHub, npm, AWS, HashiCorp Vault, Kubernetes, and 1Password, and specifically targeted Claude Code configuration files under ~/.claude/settings.json. The Nx team removed it within 11 minutes. Any developer who opened a workspace between 12:36 and 12:47 UTC ran the credential stealer. One day later, GitHub confirmed that a different poisoned VS Code extension was the entry point for the 3,800-repo breach of its own internal infrastructure.

As one X user framed it: "Microsoft's GitHub was compromised when a Microsoft developer using Microsoft VSCode installed a rogue extension from Microsoft's VSCode extension library, which is moderated and hosted by Microsoft." The entire attack chain stayed inside one vendor's ecosystem. Developers have been reporting malicious VS Code extensions to Microsoft for years. A publicly documented complaint from December 2024 asked Microsoft to fix the marketplace. Eighteen months later, the marketplace was the entry point for a breach of GitHub itself.

Adversa AI's TrustFall research, published May 7, tested Claude Code, Gemini CLI, Cursor CLI, and Copilot CLI. "A repository can ship a configuration that auto-approves and immediately launches an MCP server, no tool call from the agent is required," researcher Rony Utevsky told Dark Reading. All four default to "Yes/Trust." The Managed scope configuration that could lock this down is "rarely used." When Claude Code runs headless through GitHub Actions, the trust dialog never renders.

Aonan Guan, alongside Johns Hopkins colleagues Zhengyu Liu and Gavin Zhong, typed a malicious instruction into a PR title and watched Anthropic's Claude Code Security Review action post its own API key as a comment. The same prompt injection worked against Gemini CLI Action and GitHub's Copilot Agent. Anthropic classified it CVSS 9.4 Critical.

Microsoft disclosed CVE-2026-26030 and CVE-2026-25592 on May 7, both critical in Semantic Kernel. The Python SDK flaw let a crafted prompt achieve host-level remote code execution. The .NET SDK flaw turned an accidentally exposed file-transfer helper into a tool the AI model could invoke, enabling sandbox escape from Azure Container Apps.

CrowdStrike's 2026 Financial Services Threat Landscape Report, released May 14, quantified identity theft scaling outside developer toolchains. DPRK-nexus actors stole $2.02 billion in digital assets in 2025, a 51% year-over-year increase. PRESSURE CHOLLIMA conducted the largest single financial theft ever reported: $1.46 billion through trojanized software distributed via supply chain compromise. FAMOUS CHOLLIMA doubled its operations using AI-generated identities. STARDUST CHOLLIMA tripled its tempo. The primary delivery channels: WhatsApp and LinkedIn, where EDR has no signal.

"Financial services organizations face threats from every direction, and AI is making each of them harder to stop," Adam Meyers, senior vice president, counter adversary operations at CrowdStrike, said in the report. "Adversaries are using AI to compress the time from initial access to impact, moving through trusted paths faster than legacy defenses can respond." His 2026 Global Threat Report found 82% of detections in 2025 were malware-free. The average eCrime breakout time fell to 29 minutes, with the fastest observed at 27 seconds.

Riemer told VentureBeat the same dynamic applies to developer toolchains. "Bad guys are pivoting to what's the next weakest link. Let me get somebody's house key, and I can make it through the back door." Stolen developer identities are the house key.

The Verizon 2026 DBIR found that 45% of employees are regular AI users, up from 15% last year, with 67% accessing AI through non-corporate accounts. Third-party involvement in breaches jumped to 48%. No single surface in this grid qualifies as a zero day. Chained together, they function like one. "I can take a whole bunch of little things and chain them together and get the same level of access," Riemer told VentureBeat. "That's what AI does very, very well."

Seven surfaces. One group confirmed across at least three of them, with open-sourced tooling enabling copycats across the rest. Kayne McGladrey, IEEE Senior Member, told VentureBeat that organizations are "defaulting to cloning human user profiles for agents, and permission sprawl starts on day one." The compliance frameworks enterprises rely on were written for humans. Agent identities do not appear in any control catalog McGladrey has encountered.
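The two checkout-level checks the article describes, Kennedy's first-pass indicator check and the observation that only workflows pinned to a full commit SHA were unaffected, are sketched below as an added example; it is not code from the article or from any vendor it quotes. The function names, exit codes and output format are assumptions of this example, while the file name, size threshold and hash are the ones quoted above.

```shell
#!/bin/sh
# Added example, not code from the article or from any vendor it quotes.
# Function names, exit codes and output format are this example's own choices.

# Hash quoted in the article's first-pass detection check.
IOC_HASH='79ac49eedf774dd4b0cfa308722bc463cfe5885c'

# Print every path under $1 that matches either indicator from the article:
# a router_init.js larger than 1 MiB, or a package-lock.json containing IOC_HASH.
scan_worm_indicators() {
    # "-size +1024k" is a portable spelling of the article's "-size +1M".
    find "$1" -type f -name 'router_init.js' -size +1024k -print
    # grep exits non-zero for a clean lockfile; that is not an error here.
    find "$1" -type f -name 'package-lock.json' \
        -exec grep -lF -- "$IOC_HASH" {} + || true
}

# Print "file:line: ref" for each workflow `uses:` reference under $1 that is
# not pinned to a full 40-character commit SHA. Tags and branches can be moved
# to another commit, which is what the tag redirection in the article relied on.
audit_action_pins() {
    wf_dir="$1/.github/workflows"
    [ -d "$wf_dir" ] || return 0
    find "$wf_dir" -type f \( -name '*.yml' -o -name '*.yaml' \) \
        -exec awk -v q="'" '
        /^[ \t]*(-[ \t]+)?uses:/ {
            ref = $0
            sub(/^[^:]*uses:[ \t]*/, "", ref)   # keep only the value
            sub(/[ \t]+#.*$/, "", ref)          # drop a trailing "# v4" note
            gsub("[\"" q "]", "", ref)          # drop YAML quotes
            sub(/[ \t\r]+$/, "", ref)           # drop trailing whitespace
            # Local actions and container images carry no git ref to pin.
            if (ref ~ /^\.\// || ref ~ /^docker:\/\//) next
            n = split(ref, part, "@")
            sha = (n > 1) ? part[n] : ""
            if (length(sha) != 40 || sha ~ /[^0-9a-fA-F]/)
                print FILENAME ":" FNR ": " ref
        }' {} +
}

# Run both checks on $1.
# Returns 2 on a worm indicator, 1 on unpinned actions only, 0 on neither.
triage() {
    ioc=$(scan_worm_indicators "$1")
    pins=$(audit_action_pins "$1")
    if [ -n "$pins" ]; then
        printf 'Actions not pinned to a full commit SHA:\n%s\n' "$pins"
    fi
    if [ -n "$ioc" ]; then
        printf 'Worm indicator hit:\n%s\n' "$ioc"
        # Order of operations given in the article: revocation comes last.
        echo 'Isolate and image this machine BEFORE revoking any tokens.'
        return 2
    fi
    [ -z "$pins" ] || return 1
}

# Stand-alone use: sh triage.sh /path/to/checkout
if [ "$#" -gt 0 ]; then
    triage "$1"
fi
```

A clean result from the pin audit only shows that each reference is immutable; whether the pinned commit is a known-good one still has to be checked against the action's real history.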
GitHub confirmed that hackers exfiltrated approximately 3,800 internal repositories after compromising an employee's device through a malicious Visual Studio Code extension. The cybercrime group TeamPCP claimed responsibility and is selling the stolen data for at least $50,000. While GitHub says no customer data was affected, the incident highlights how a single compromised developer tool can unlock an entire organization's codebase.
GitHub confirmed on May 20 that a poisoned VS Code extension installed on an employee's device gave attackers access to approximately 3,800 internal repositories at the Microsoft-owned platform [1][2]. The GitHub breach began when an employee downloaded a malicious Visual Studio Code extension from the official VS Code Marketplace, marking one of the most significant security incidents the company has ever disclosed. That single installation was enough to give the attacker access to the employee's device and, from there, to thousands of private repositories containing proprietary source code and internal organization files.
Source: VentureBeat
The cybercrime group TeamPCP, formally tracked by Google Threat Intelligence Group as UNC6780, claimed credit for the attack on the Breached hacking forum, where it offered the stolen data for at least $50,000 [1][2]. The group threatened to leak the material if no buyer materialized. GitHub's assessment confirmed that the attacker's claim of roughly 3,800 internal repositories stolen was "directionally consistent" with its own investigation findings. TeamPCP has built a formidable track record in supply chain attacks targeting open-source security utilities and AI middleware, including previous compromises of Aqua Security's Trivy vulnerability scanner, Checkmarx's KICS, the LiteLLM AI gateway library, TanStack, and packages associated with MistralAI [1].

GitHub moved quickly once it detected the intrusion, isolating the compromised device, removing the extension, and rotating critical credentials within hours [2]. The company stressed that the activity involved data exfiltration of internal repositories only and that it had found no evidence of impact to customer data, enterprise accounts, or user-hosted repositories. GitHub posted about the cybersecurity incident on X, stating: "We removed the malicious extension version, isolated the endpoint, and began incident response immediately" [2]. Critical secrets were rotated overnight with the highest-impact credentials prioritized first.

The GitHub breach did not occur in isolation. It arrived the same day a new Mini Shai-Hulud wave forged valid cryptographic provenance on 639 malicious npm package versions, one day after attackers compromised a VS Code extension with 2.2 million installs, and the same day Wiz discovered TeamPCP had compromised Microsoft's Python SDK on PyPI [2]. Trend Micro, StepSecurity, and Snyk have formally tracked TeamPCP across at least seven waves of the Mini Shai-Hulud supply chain worm since March, each poisoning developer tools that organizations depend on.

The supply chain attack underscores how browser and editor extensions often receive broad system permissions by default, making them particularly attractive to attackers seeking lateral access [1]. GitHub has not named the specific extension involved in its breach, and it remains unclear whether the extension was a newly published malicious listing or a compromised version of a legitimate tool. For GitHub, which hosts more than 100 million developers and serves as critical infrastructure for the global software industry, the breach raises uncomfortable questions about the security of the tools developers trust implicitly. Internal repositories contain infrastructure configurations, deployment scripts, staging credentials, and internal API schemas, making this not just a data breach but an infrastructure intelligence leak [2].

Binance co-founder CZ posted immediately after the disclosure: "If you have ANY private repos with plain text secrets or sensitive documents/architectures, immediately rotate your secrets" [2]. Peyton Kennedy, senior security researcher at Endor Labs, noted that "TanStack had the right setup on paper: OIDC trusted publishing, signed provenance, 2FA on every maintainer account. The attack worked anyway" [2]. This suggests that even organizations with robust security measures face significant risks from poisoned developer tools. GitHub said its investigation is ongoing, with external forensics support engaged to determine the full scope of the data accessed. TeamPCP shows no signs of slowing down, demonstrating a consistent playbook: poison the tools that organizations depend on, and the perimeter becomes irrelevant [1].