
GitHub Confirms Hack Impacting 3,800 Internal Repositories

Microsoft-owned code-hosting platform GitHub on Wednesday morning confirmed that roughly 3,800 internal repositories had been impacted in a supply chain attack.

On Tuesday, the notorious hacking group TeamPCP, known for a series of recent supply chain attacks targeting the open source software community, claimed the hack of 4,000 GitHub internal repositories.

Boasting about the incident on an underground hacking forum, the threat actor claimed the theft of source code and internal orgs, offering the allegedly stolen information to any buyer willing to pay at least $50,000 for it.

GitHub launched an investigation into the matter shortly after and roughly 5 hours later confirmed the attackers’ claims.

“Our current assessment is that the activity involved exfiltration of GitHub-internal repositories only. The attacker’s current claims of ~3,800 repositories are directionally consistent with our investigation so far,” GitHub said.

The code-sharing platform immediately rotated critical secrets, prioritizing highest-impact credentials first.

“We continue to analyze logs, validate secret rotation, and monitor for any follow-on activity. We’ll take additional action as the investigation warrants,” GitHub said, promising a full incident report at a later date.

The intrusion, the platform said, was the result of an employee installing a poisoned VS Code extension.

GitHub didn’t name the extension and didn’t share details on the type of data the compromised employee system contained.

According to Aikido Security researcher Charlie Eriksen, VS Code extensions have full access to all data on a developer’s machine, including credentials, SSH keys, cloud keys, and all other secrets.

“Developer workstations are the primary target in supply chain attacks right now, and this is exactly why. TeamPCP has compromised Trivy, Checkmarx, Bitwarden CLI, TanStack, and now GitHub, all in 2026, all through developer tooling,” Aikido Security’s Mackenzie Jackson said.

“A single VS Code extension on one employee’s machine was enough to get access to 3,800 internal GitHub repositories. Most security teams still have zero visibility into what extensions or packages are on their developers’ machines, or how recently they were published. That’s the blind spot these attacks keep walking through,” Jackson added.
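
The visibility gap described above can be narrowed with a basic inventory of what is installed. The following Python code is an added example, not code from GitHub or Aikido Security: it reads the `package.json` manifest of every extension under a VS Code extensions directory (by default `~/.vscode/extensions`) and flags extensions that are new on disk or that activate at start-up. The sample extensions are constructed, and treating the manifest's modification time as a proxy for how new the installed build is, is an assumption.

```python
import json, os, tempfile, time
from pathlib import Path

STARTUP_EVENTS = ("*", "onStartupFinished")  # activate whenever VS Code starts

def inventory(ext_dir, now=None, recent_days=14):
    """One record per extension folder; flags recent and start-up-activated ones."""
    now = time.time() if now is None else now
    records = []
    for manifest in sorted(Path(ext_dir).glob("*/package.json")):
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
            if not isinstance(meta, dict):
                raise ValueError("manifest is not a JSON object")
        except (OSError, ValueError):
            records.append({"id": manifest.parent.name, "error": "unreadable manifest"})
            continue
        # Assumption: manifest mtime is a rough proxy for how new the installed build is.
        age_days = (now - manifest.stat().st_mtime) / 86400
        events = meta.get("activationEvents") or []
        records.append({
            "id": f"{meta.get('publisher', '?')}.{meta.get('name', '?')}",
            "version": str(meta.get("version", "?")),
            "age_days": round(age_days, 1),
            "recent": age_days <= recent_days,
            "runs_at_startup": any(e in STARTUP_EVENTS for e in events),
        })
    return records

def build_sample(root, now):
    """Constructed sample tree standing in for ~/.vscode/extensions."""
    samples = [  # (folder, manifest, age in days); all names are made up
        ("examplecorp.linter-1.4.2", {"publisher": "examplecorp", "name": "linter",
         "version": "1.4.2", "activationEvents": ["onLanguage:python"]}, 200),
        ("newpub.theme-helper-0.0.3", {"publisher": "newpub", "name": "theme-helper",
         "version": "0.0.3", "activationEvents": ["*"]}, 2),
    ]
    for folder, manifest, age in samples:
        path = Path(root) / folder / "package.json"
        path.parent.mkdir(parents=True)
        path.write_text(json.dumps(manifest), encoding="utf-8")
        os.utime(path, (now - age * 86400,) * 2)  # backdate the manifest
    broken = Path(root) / "broken.ext-0.1.0" / "package.json"
    broken.parent.mkdir(parents=True)
    broken.write_text("{not json", encoding="utf-8")  # unreadable manifest case

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp, time.time())
        for rec in inventory(tmp):
            print(rec)
```

To inventory a real workstation, call `inventory(Path.home() / ".vscode" / "extensions")` and collect the records centrally so they can be compared across machines.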
