GitHub Confirms Internal Repository Data Theft
GitHub confirmed that hackers broke into its systems and stole data from around 3,800 internal code repositories.
The Microsoft-owned developer platform said it found and contained a compromise involving an employee device. The incident involved a poisoned VS Code extension, meaning a plugin for Visual Studio Code, the widely used code editor developers rely on for programming.
GitHub said it has no evidence that customer information stored outside its internal repositories was affected. The company also noted that its investigation is still ongoing.
Poisoned VS Code Extension Linked to GitHub Breach
Employee Device Compromise
The breach centered on a compromised employee device. GitHub said the compromise involved a poisoned VS Code extension, though the company did not identify the specific extension.
That detail matters because coding extensions sit close to the everyday work of developers. They’re installed inside development environments, used while writing and reviewing code, and often trusted as part of normal workflows.
GitHub Has Not Named the Compromised Extension
GitHub did not disclose which VS Code extension was involved in the attack. The company also did not immediately respond to questions about the incident, including whether it had received any communication from the hackers, such as a ransom demand.
For now, the confirmed details are limited: GitHub detected the compromise, contained it, and said data was stolen from roughly 3,800 internal repositories.
Customer Information Outside Internal Repositories Not Currently Impacted
GitHub said it has no evidence of impact to customer information stored outside of GitHub’s internal repositories.
That does not mean the investigation is finished. GitHub stated that the inquiry remains ongoing, leaving open the possibility that more information could emerge as the company continues reviewing the incident.
The key distinction is where the known stolen data came from: internal GitHub repositories, not customer information stored elsewhere.
Hackers Increasingly Target Developer Tools and Open-Source Projects
Hackers are increasingly going after popular open-source projects and coding extensions. The goal is simple and dangerous: compromise the computers developers use, and potentially reach the projects they work on.
This kind of attack can scale quickly. When hackers target popular projects, a single compromise can give them access to large numbers of computers at once. That amplifies the damage and turns trusted development tools into a distribution path for malware or stolen data.
Coding extensions are especially attractive because developers often install them as part of their daily workflow. When one of those tools is poisoned, the attack can blend into normal programming activity.
TeamPCP Claimed Credit for the GitHub Breach
Reports Say TeamPCP Is Selling the Data
Reports from The Record and Bleeping Computer say a hacking group called TeamPCP claimed credit for the GitHub breach.
The group is reportedly selling the stolen data on a cybercrime forum. GitHub has not publicly said whether it has received direct communication from the hackers or any demand connected to the stolen repository data.
TeamPCP Previously Claimed a European Commission Breach
TeamPCP previously claimed credit for a data breach at the European Commission. That breach resulted in the theft of more than 90 gigabytes of data from cloud storage belonging to the EU’s executive arm.
In that earlier case, the hackers stole the European Commission’s cloud key during a prior breach at Trivy, a vulnerability scanning tool. They did this by pushing info-stealing malware to Trivy’s downstream users.
Similar Developer-Supply-Chain Attacks Have Targeted Other Platforms
OpenAI was also targeted recently in a similar but separate attack.
In that incident, hackers broke into TanStack, a platform used by web developers. The attackers pushed updates containing malware, which allowed them to steal passwords and tokens from users.
The GitHub incident follows the same broader pattern: attackers are focusing on developer ecosystems, code tools, plugins, and platforms that sit inside trusted technical workflows.
Why Developer Tool Compromises Can Spread So Quickly
Developer tool attacks can have an outsized impact because they aim at trusted software used by many people at once.
A compromised coding extension or open-source project can create a path into developer machines. From there, attackers may reach code, credentials, tokens, or other sensitive material connected to the developer’s environment.
That is what makes these incidents different from isolated device compromises. When attackers target a tool that many developers use, the attack can expand beyond one person, one machine, or one project.
Key Facts About the GitHub Internal Repository Breach
- GitHub confirmed hackers stole data from around 3,800 internal repositories.
- The company said the breach involved a compromised employee device.
- GitHub linked the compromise to a poisoned VS Code extension.
- GitHub did not name the compromised extension.
- GitHub said it has no evidence customer information outside internal repositories was affected.
- The investigation remains ongoing.
- TeamPCP reportedly claimed credit for the breach.
- The stolen data is reportedly being sold on a cybercrime forum.
- Similar attacks have targeted developer tools, open-source projects, and web development platforms.

