GitHub Confirms Data Breach Caused by Malicious VS Code Extension, Impacting Over 3,800 Repositories


Thursday, May 21, 2026

GitHub has confirmed a cybersecurity incident involving unauthorized access to the company’s internal repositories after an employee installed a malicious extension in Visual Studio Code (VS Code). According to the company, the attacker was able to access and exfiltrate data from approximately 3,800 internal repositories. GitHub stated that the malicious extension has since been removed from the VS Code Marketplace, that the affected device was isolated from the network, and that incident response procedures were initiated immediately after the intrusion was discovered.

The hacker group TeamPCP claimed responsibility for the attack through the cybercrime forum Breached, alleging that it gained access to nearly 4,000 private GitHub repositories and internal source code. The group reportedly offered the stolen data for sale starting at USD 50,000. TeamPCP has previously been linked to several supply chain attacks targeting developer platforms such as GitHub, PyPI, npm, and Docker, as well as the “Mini Shai-Hulud” campaign that reportedly affected employees at OpenAI.

The incident highlights the growing risks associated with VS Code extensions, which are plugins installed through the VS Code Marketplace to enhance developer functionality. Over recent years, multiple malicious extensions have been discovered stealing developer credentials, passwords, and sensitive information. Previous cases have included extensions with more than 9 million installs being removed due to security concerns, as well as fake extensions distributing cryptocurrency mining malware and exfiltrating data to overseas servers. Organizations are therefore advised to strengthen extension vetting processes before installation, restrict access permissions within development environments, and closely monitor developer devices for suspicious behavior in order to reduce the risk of increasingly sophisticated supply chain attacks.
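As an added example (not code from the article or from GitHub), the following Python script implements one piece of the extension vetting advised above: it audits the extensions installed on a developer machine against an allowlist. It assumes the one-per-line `publisher.name@version` output of `code --list-extensions --show-versions` and uses a constructed listing so it runs offline; the allowlist pattern forms (`publisher.*`, `publisher.name`, `publisher.name@version`) are this example's own convention.

```python
"""Audit installed VS Code extensions against an allowlist (added example)."""
import re

# Constructed sample; on a real machine this text would come from
# running `code --list-extensions --show-versions`.
SAMPLE_LISTING = """\
ms-python.python@2024.4.1
esbenp.prettier-vscode@10.4.0
unknown-pub.free-ai-assistant@0.0.3
redhat.java@1.30.0
"""

# publisher.name@version, as printed by the VS Code CLI
ENTRY_RE = re.compile(r"^(?P<publisher>[\w-]+)\.(?P<name>[\w-]+)@(?P<version>\S+)$")


def parse_listing(text):
    """Return (publisher, name, version) tuples; reject lines that do not fit."""
    items = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unexpected extension entry: {line!r}")
        items.append((m["publisher"], m["name"], m["version"]))
    return items


def is_allowed(publisher, name, version, allowlist):
    """True if an allowlist entry covers the whole publisher, the extension,
    or exactly this version of the extension (assumed pattern forms)."""
    ext_id = f"{publisher}.{name}"
    return any(entry in (f"{publisher}.*", ext_id, f"{ext_id}@{version}")
               for entry in allowlist)


def audit(text, allowlist):
    """Return installed extensions (id@version) that are not allowlisted."""
    return [f"{p}.{n}@{v}" for p, n, v in parse_listing(text)
            if not is_allowed(p, n, v, allowlist)]


if __name__ == "__main__":
    allow = ["ms-python.*", "esbenp.prettier-vscode", "redhat.java@1.30.0"]
    for ext in audit(SAMPLE_LISTING, allow):
        print("NOT ALLOWLISTED:", ext)
```

Pinning a version in the allowlist (as for `redhat.java` above) also flags silent updates of an approved extension, which is worth reviewing separately from unknown installs.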

Source: https://www.bleepingcomputer.com/news/security/github-confirms-breach-of-3-800-repos-via-malicious-vscode-extension/