GitHub Internal Repos Breached via Malicious VS Code Extension

A GitHub employee installed a malicious VS Code extension, leading to the compromise of approximately 3,800 internal GitHub repositories. The threat group TeamPCP claimed responsibility. The incident is a supply-chain attack against one of the world's most critical developer infrastructure providers, carried out through the developer's own everyday tooling rather than through an external perimeter intrusion. The full scope of the data exposed has not been disclosed.

Why It Matters

The attack vector, a developer extension installed by a trusted employee, is a direct warning for every engineering team that relies on VS Code and its extension marketplace. A VS Code extension runs with the privileges of the user who installed it, so a malicious one inherits that developer's credentials and repository access; supply-chain attacks that ride on a trusted toolchain in this way are among the hardest to detect and can yield broad repository access. Teams should inventory and audit installed extensions, restrict installation to an approved set, and apply least-privilege controls to development environments.