GitHub has confirmed a cyberattack involving unauthorized access to some of its internal repositories after a threat actor claimed it had stolen and was attempting to sell company data online. In a series of posts shared on X (formerly Twitter), the Microsoft-owned subsidiary said it has “detected and contained a compromise of an employee device involving a poisoned VS Code extension.”
Details of the Breach
GitHub further stated that the malicious extension was removed, the affected endpoint was isolated, and incident response measures were launched immediately. The platform also noted that its “current assessment is that the activity involved exfiltration of GitHub-internal repositories only,” while adding that the attacker’s claims of accessing around 3,800 repositories are “directionally consistent” with the company’s investigation so far.
Immediate Actions Taken
The company has already rotated critical secrets and prioritized “highest-impact credentials” to reduce risk. GitHub also said it continues to analyze logs and monitor systems for additional suspicious activity.
Threat Actor Claims GitHub Source Code Being Sold
The incident became public after a threat actor known as TeamPCP allegedly listed GitHub source code and internal organizations for sale on a cybercrime forum. According to a report by The Hacker News, the group claimed to possess data from nearly 4,000 repositories and said the asking price was at least $50,000. Screenshots shared online reportedly showed the attackers saying: “We do not care about extorting GitHub.”
“As always, this is not a ransom,” the group said in a post, according to screenshots shared by Dark Web Informer. “We do not care about extorting GitHub, 1 buyer and we shred the data on our end, it looks like our retirement is soon so if no buyer is found, we leak it for free.”
The same threat group has also reportedly been linked to recent attacks involving malicious Python packages.
Attack Linked to Poisoned VS Code Extension
GitHub has revealed that the breach was connected to a poisoned Microsoft Visual Studio Code extension installed on an employee device. “We removed the malicious extension version, isolated the endpoint, and began incident response immediately,” the company said.
“We continue to analyze logs, validate secret rotation, and monitor for any follow-on activity. We will take additional action as the investigation warrants. We will publish a fuller report once the investigation is complete,” GitHub stated in the post.
