Compromised VS Code extension leads to exposure of ~3,800 GitHub repos

Du'aine Davis

Observed in the wild

• On 20 May, GitHub confirmed that approximately 3,800 internal repositories were accessed following the compromise of an employee device. The breach was detected and contained shortly after discovery. GitHub stated the impact was limited to internal repositories, with no evidence of broader customer data exposure outside those repos.
• The intrusion stemmed from a trojanised Visual Studio Code extension installed by a GitHub employee, enabling unauthorised access and data exfiltration. While attribution is unconfirmed, the TeamPCP group claimed responsibility and has prior links to supply chain attacks targeting developer ecosystems such as GitHub, npm, and PyPI. The technique aligns with ongoing abuse of malicious extensions to harvest credentials and code.
• Organisations are advised restrict and monitor IDE extension installation, favouring approved allow-lists and auditing developer endpoints. Use Microsoft Defender for Endpoint to detect anomalous process behaviour and credential access. Monitor for unusual repository access patterns and outbound traffic to untrusted domains. Enforce least privilege on developer systems and integrate Defender signals with SIEM for rapid detection and containment of extension-based compromise behaviours.

GitHub confirms breach of 3,800 repos via malicious VSCode extension