GitHub confirms breach of roughly 3,800 internal repositories via malicious VS Code extension

GitHub confirmed that an employee device was compromised after installing a trojanized VS Code extension, leading to exfiltration of roughly 3,800 internal repositories. The company says it removed the malicious extension from the VS Code Marketplace, isolated the endpoint, and found no evidence that customer data stored outside the affected repos was impacted. TeamPCP claimed responsibility and advertised the stolen code for sale.
Why it matters: This is a significant source-code breach at a core software development platform, with potential downstream supply-chain and trust implications. GitHub users and defenders should watch for follow-on disclosures about exposed secrets, internal tooling, or abuse tied to the stolen repositories.

Sources

GitHub links repo breach to TanStack npm supply-chain attack
Sergiu Gatlan 2026.05.21 98% relevant
This directly updates the same GitHub breach, adding that the malicious extension was Nx Console 18.95.0 and that GitHub links the compromise path to last week’s TanStack npm supply-chain attack; it also adds details on secret rotation and TeamPCP’s claims.
GitHub Internal Repositories Breached via Malicious Nx Console VS Code Extension
The Hacker News 2026.05.21 98% relevant
The article appears to describe the same underlying GitHub intrusion and adds the specific lure/extension name, identifying the malicious VS Code extension as Nx Console.
GitHub Breached — Employee Device Hack Led to Exfiltration of 3,800+ Internal Repos
The Hacker News 2026.05.20 99% relevant
The article appears to cover the same GitHub breach event: an employee device compromise tied to a trojanized VS Code extension that led to exfiltration of about 3,800 internal repositories.
GitHub says internal repos exfiltrated after poisoned VS Code extension attack
2026.05.20 98% relevant
This article covers the same underlying GitHub breach event, reiterating that a poisoned VS Code extension led to exfiltration of about 3,800 internal repositories and adding GitHub's public statements about ongoing log analysis, secret rotation validation, and no current indication of customer data exposure.
GitHub Confirms Hack Impacting 3,800 Internal Repositories
Ionut Arghire 2026.05.20 99% relevant
This article is the same underlying event: GitHub confirms that a poisoned VS Code extension on an employee device led to exfiltration affecting about 3,800 internal repositories, adding details on TeamPCP's claim, attempted sale of stolen data, and GitHub's secret-rotation response.
GitHub confirms breach of 3,800 repos via malicious VSCode extension
Sergiu Gatlan 2026.05.20 100% relevant
This article establishes GitHub's confirmation of the repo breach, the initial scope of ~3,800 internal repositories, and the reported intrusion vector of a malicious VS Code extension.
GitHub investigates internal repositories breach claimed by TeamPCP
Sergiu Gatlan 2026.05.20 94% relevant
This article is the initial report on the same GitHub internal-repository breach later confirmed by GitHub; its update notes the confirmation and adds TeamPCP's public sale claims and early GitHub statements that customer data outside internal repositories was not yet known to be affected.