GitHub confirmed over the weekend that an employee device was compromised after installing a trojanized Visual Studio Code extension from the official marketplace. The breach resulted in the exfiltration of roughly 3,800 internal GitHub repositories. The company detected the intrusion, removed the malicious extension from the marketplace, isolated the affected endpoint, and initiated incident response procedures, though the data had already been stolen.
The cybercrime group TeamPCP claimed responsibility for the attack on the Breached cybercrime forum, stating they accessed GitHub source code and approximately 4,000 private repositories. The group is demanding a minimum payment of $50,000 from a single buyer, with the standard threat to release the data publicly if no purchase is made. TeamPCP has a history of supply chain attacks, including previous campaigns targeting PyPI packages, NPM repositories, and the recent Mini Shai-Hulud operation that compromised two OpenAI employees.
The attack vector exploited the VS Code extension marketplace, which has a documented history of malicious extensions bypassing security checks. Once installed, the poisoned extension provided the attackers with sufficient access to compromise the employee's device and reach internal GitHub systems. The company's investigation indicates the breach was limited to internal repositories, with no current evidence suggesting customer data stored elsewhere has been affected.
The incident highlights the persistent vulnerability of developer toolchains to supply chain attacks. Despite GitHub being one of the most security-focused technology companies, a single employee installing what appeared to be a legitimate extension was enough to trigger a significant breach. The attack demonstrates how threat actors are systematically targeting the tools developers trust, knowing that compromising these platforms can create cascading effects across the software ecosystem.
GitHub has stated its investigation is ongoing. Organizations using GitHub should review their security practices around third-party extensions and developer tools. Security teams should implement additional controls for vetting browser extensions and IDE plugins, particularly those with broad system access. Developers should exercise heightened caution when installing extensions, even from official marketplaces, and organizations should consider implementing allowlisting policies for approved development tools.
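One way to enforce the allowlisting policy recommended above, as an added example that is not from the article or from GitHub: a small Python audit that compares installed VS Code extensions, in the format printed by `code --list-extensions --show-versions`, against a pinned allowlist. The allowlist entries and the extension listing are constructed sample data.

```python
"""Audit installed VS Code extensions against a pinned allowlist (added example)."""
from dataclasses import dataclass

# Constructed allowlist: extension ID -> approved versions. Pinning versions
# also flags an unexpected update to an otherwise approved extension.
ALLOWLIST = {
    "ms-python.python": {"2024.4.1"},
    "eamodio.gitlens": {"14.9.0", "15.0.0"},
    "esbenp.prettier-vscode": {"10.1.0"},
}

# Constructed listing in the format of `code --list-extensions --show-versions`
# (one publisher.name@version per line; IDs are compared case-insensitively).
SAMPLE_LISTING = """MS-Python.python@2024.4.1
eamodio.gitlens@15.0.0
handy-publisher.code-helper@1.0.3
esbenp.prettier-vscode@9.0.0
"""

@dataclass(frozen=True)
class Finding:
    extension: str
    version: str
    reason: str

def parse_listing(text: str) -> list[tuple[str, str]]:
    """Split each publisher.name@version line; skip blank or malformed lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or "@" not in line:
            continue
        ext_id, _, version = line.rpartition("@")
        entries.append((ext_id.lower(), version))
    return entries

def audit(listing_text: str, allowlist: dict[str, set[str]]) -> list[Finding]:
    """Return one Finding per installed extension that is not approved."""
    approved = {ext_id.lower(): versions for ext_id, versions in allowlist.items()}
    findings = []
    for ext_id, version in parse_listing(listing_text):
        if ext_id not in approved:
            findings.append(Finding(ext_id, version, "not on allowlist"))
        elif version not in approved[ext_id]:
            findings.append(Finding(ext_id, version, "unapproved version"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LISTING, ALLOWLIST):
        print(f"{finding.extension}@{finding.version}: {finding.reason}")
```

To audit a real workstation, feed the output of `code --list-extensions --show-versions` to `audit()` in place of the constructed listing.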
Source: https://securityaffairs.com/192440/cyber-crime/a-malicious-vs-code-extension-just-breached-github-s-internal-repositories.html