GitHub has confirmed an attack via an extension for Visual Studio Code. The stolen data is apparently being offered for sale in a cybercrime forum.

Attackers apparently had access to internal repositories of GitHub. The operator of the version control platform first confirmed to Bleeping Computer, and later on X, that the company is investigating unauthorized access to repositories.

According to the post on X, only internal repositories are affected. There is no indication that customer information has been leaked. Should that be the case, GitHub has announced that it will inform those affected directly through the usual channels.

Malicious code in a Visual Studio Code extension

The entry point apparently was malicious code in a Visual Studio Code extension on an employee's device. According to its own statement [1], GitHub has isolated the endpoint and immediately initiated incident response measures.

Time and again, infected extensions are found on the official marketplaces of Microsoft and Eclipse. A prominent example was GlassWorm in October 2025 [3]. In spring 2026, there were numerous extensions with malicious code [4], which the authors presumably published as test balloons for a ransomware attack.

TeamPCP claims responsibility for the attack

TeamPCP claimed responsibility for the attack in a cybercrime forum. The group is said to be responsible for numerous recent incidents, including infected npm packages from SAP [5] and an attack on the open-source security scanner Trivy [6]. Additionally, TeamPCP recently published the source code for the npm worm Shai-Hulud [7].

TeamPCP auctions off the data stolen from GitHub for at least $50,000. (Image: Bleeping Computer [8])

The attacker group speaks of approximately 4,000 repositories, which roughly matches the number of 3,800 repositories reported in a subsequent X post by GitHub [9].
TeamPCP auctions the data through the cybercrime forum and implicitly extorts GitHub. In the text, however, the group explicitly emphasizes that it does not want ransom and does not want to extort GitHub, but rather wants to sell the stolen data to the highest bidder. However, it will not accept bids below $50,000.

If a buyer is found, the group assures that all data will be deleted. If no buyer is found, they would just publish the data for free. That sounds a bit like extortion after all.

(rme [10])

URL of this article:
https://www.heise.de/-11300422

Links in this article:
[1] https://x.com/github/status/2056949168208552080
[2] https://www.heise-devsec.de/?wt_mc=intern.academy.dpunkt.konf_dpunkt_vo_devsec.empfehlung-ho.link.link&LPID=33786
[3] https://www.heise.de/news/Gefaehrlicher-und-unsichtbarer-Wurm-in-Visual-Studio-Code-Extensions-gefunden-10789320.html
[4] https://www.heise.de/news/Ransomware-Testballon-im-offiziellen-Marktplatz-von-Visual-Studio-Code-entdeckt-10323764.html
[5] https://www.heise.de/news/Boesartige-npm-Pakete-SAP-Software-kompromittiert-11280683.html
[6] https://www.heise.de/news/Supply-Chain-Attacke-auf-LiteLLM-Betroffene-sollen-Credentials-sofort-aendern-11223618.html
[7] https://www.heise.de/news/npm-Wurm-Shai-Hulud-Angriff-der-Klone-11299094.html
[8] https://www.bleepingcomputer.com/news/security/github-confirms-breach-of-3-800-repos-via-malicious-vscode-extension/
[9] https://x.com/github/status/2056949169701720157
[10] mailto:rme@ix.de

Copyright © 2026 Heise Medien
heise security News