GitHub has confirmed that attackers gained unauthorized access to portions of its internal repositories following the compromise of an employee device through a malicious Visual Studio Code extension. According to the company, the incident was contained after the poisoned extension was identified, the affected device was isolated, and internal incident response procedures were activated.

Reports published by The Hacker News stated that the attackers claimed to have exfiltrated data from nearly 3,800 internal repositories. GitHub said the attackers’ estimates were “directionally consistent” with its ongoing investigation. Current assessments indicate the activity was limited to GitHub’s internal repositories, with no confirmed evidence that customer repositories, enterprise environments, or external user data were compromised.

Security researchers linked the incident to a broader software supply chain threat involving poisoned VS Code extensions that can harvest developer credentials, cloud tokens, SSH keys, and repository access permissions. Researchers also warned that modern development environments and extension ecosystems are becoming increasingly attractive attack surfaces because extensions often operate with extensive local system privileges.

The incident has triggered wider discussions across the cybersecurity industry about software supply chain security, developer environment hardening, credential protection, and the growing risks associated with trusted extensions and third-party development tooling. The breach also renewed concerns about how centralized developer platforms could become high-value targets for attackers seeking large-scale access to source code and internal infrastructure.

GitHub has stated that the investigation remains ongoing and that there is no evidence of continued unauthorized access following containment measures. The company also noted that affected credentials were rotated and additional security actions were implemented as part of the response process.
