GitHub Confirms Security Breach of 3,800 Repositories Through Malicious VSCode Extension

In a nutshell: GitHub confirmed a security breach of approximately 3,800 internal repositories through a malicious VSCode extension. The hacker group TeamPCP is demanding $50,000 for the stolen data. This is not the first case of trojanized VSCode extensions.

GitHub has confirmed a security breach in which approximately 3,800 internal repositories were compromised following the installation of a malicious Visual Studio Code extension by an employee. The company has since removed the malware from the marketplace and secured the affected device.

GitHub detected the attack on Tuesday on an employee device on which a manipulated VSCode extension had been installed. The company acted quickly: the malicious extension was removed, the device was isolated, and incident response procedures were initiated.

The investigation suggests that the attackers accessed only GitHub-internal repositories. The claimed figure of approximately 3,800 compromised repositories is consistent with GitHub's findings to date. There are no indications that customer data outside of these repositories was affected.

The hacker group TeamPCP claimed on Tuesday to have accessed approximately 4,000 private code repositories and demanded at least $50,000 for the stolen data. TeamPCP has previously been linked to extensive supply chain attacks on developer platforms, including GitHub, PyPI, and Docker.

VS Code extensions are plugins that can be installed from the official marketplace. This is not the first time that malicious extensions have appeared there. In the past, several trojanized extensions with millions of installations have been discovered that stole developer credentials or distributed cryptominers.