GitHub Breach: 3,800 Internal Repositories Compromised via Malicious VS Code Extension

GitHub Breach: 3,800 Internal Repositories Compromised via Malicious VS Code Extension

First seen 20 May 2026, 05:52 UTC WizCybersecuritynewsPanewslabKucoinWeex+93 87% similarity 68.2

Article Content

Browse articles
ThreatCluster

On May 20, 2026, GitHub confirmed a significant security breach involving a poisoned Visual Studio Code (VS Code) extension that compromised an employee's device. The attack, attributed to the TeamPCP hacking group, resulted in the exfiltration of approximately 3,800 internal repositories. GitHub's initial assessment indicated that the breach did not affect customer data stored outside its internal systems. The malicious extension was promptly removed, and GitHub initiated an incident response, including credential rotation. TeamPCP is reportedly offering the stolen data for sale on cybercrime forums, demanding at least $50,000. The breach highlights vulnerabilities in developer tools and the potential for significant impacts on software supply chains. GitHub is continuing to monitor for any follow-on activity as the investigation progresses.

Key Points: • GitHub confirmed the breach of approximately 3,800 internal repositories via a malicious VS Code extension. • The TeamPCP hacking group claimed responsibility and is attempting to sell the stolen data for over $50,000. • GitHub's response included immediate isolation of the affected device and rotation of critical credentials.

ThreatCluster AI

Timeline

2026-02-06
CVE-2026-25592 published
Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
MITRE
2026-02-19
CVE-2026-26030 published
Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
MITRE
2026-05-19
Unauthorized access detected
GitHub reported investigating unauthorized access to its internal repositories, leading to further scrutiny.
CSO Online
2026-05-20
Breach confirmed
GitHub confirmed that a poisoned VS Code extension compromised an employee device, leading to the exfiltration of 3,800 repositories.
VentureBeat
2026-05-20
TeamPCP claims responsibility
The hacking group TeamPCP claimed to have accessed GitHub's internal repositories and is advertising the data for sale.
Infosecurity Magazine
2026-05-20
Malicious extension removed
GitHub removed the malicious VS Code extension from its marketplace and initiated incident response protocols.
BleepingComputer
2026-05-20
Credential rotation initiated
Following the breach, GitHub prioritized rotating critical credentials to mitigate further risks.
TechCrunch

Community

Browse all →