GitHub Confirms Breach of 3,800 Internal Repos
GitHub confirmed hackers stole nearly 3,800 internal repositories after an employee installed a malicious VS Code extension.

GitHub has confirmed a major cybersecurity breach involving the theft of nearly 3,800 internal code repositories after attackers compromised an employee device using a malicious Visual Studio Code extension.

The Microsoft-owned software development platform disclosed the incident on May 20, 2026, after threat actor group “TeamPCP” claimed responsibility for the intrusion and began offering the stolen data for sale on underground cybercrime forums. The group allegedly demanded at least $50,000 for the archive and threatened to leak the data publicly if no buyer emerged.

According to GitHub, the breach originated on a compromised employee workstation that had been infected through a malicious VS Code extension. Investigators believe the extension gave the attackers a foothold on the device, from which they reached internal systems and repositories used by GitHub developers.

GitHub stated that its current investigation indicates only internal repositories were affected and that there is “no evidence” that customer repositories, enterprise environments, or external user data were compromised. However, the company acknowledged that some internal repositories may have contained support-related customer information and operational data.

The threat actor’s claims of stealing around 4,000 repositories were described by GitHub as “directionally consistent” with its ongoing investigation. Security researchers said the compromised repositories could potentially contain infrastructure configurations, deployment scripts, internal tooling, and API schemas valuable to attackers conducting future operations.

Several reports identified the malicious extension as a compromised build of “Nx Console” version 18.95.0, which was briefly distributed through the VS Code Marketplace before being removed. GitHub responded by isolating the affected device, removing the extension, rotating sensitive credentials, and launching a broader forensic investigation.

Researchers have linked TeamPCP to multiple software supply chain attacks targeting open-source ecosystems including npm, PyPI, Docker, and GitHub repositories. The group has also been associated with “Shai-Hulud”-style malware campaigns designed to compromise developer infrastructure and steal cloud credentials.

Cybersecurity experts warned the incident highlights growing risks tied to trusted developer tools and third-party extensions, which increasingly serve as entry points for software supply chain attacks. VS Code extensions run with the same privileges as the developer who installed them, so a malicious one can read and execute in the terminal, harvest locally stored credentials and tokens, clone or modify repositories, and reach any cloud environment the developer's session is authorized for, making them high-value targets for threat actors.
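A first step in the kind of containment GitHub describes (find the extension, remove it, then rotate what it could have reached) is knowing what is installed on every developer machine. The script below is an added example, not code from GitHub or from the reporting, that triages the output of `code --list-extensions --show-versions` against a block list of known-bad extension versions and an allow list of reviewed extensions. The extension identifier `example.nx-console` and the lists themselves are placeholders for illustration; the real marketplace identifier for the extension named in the article is not given on this page, and the sample inventory is constructed.

```python
"""Triage installed VS Code extensions against a block list and an allow list.

Input is the plain-text output of `code --list-extensions --show-versions`,
one `publisher.name@version` line per installed extension.
Usage:  code --list-extensions --show-versions | python3 vscode_ext_triage.py
Run with no piped input and it triages the constructed SAMPLE_INVENTORY.
"""
import sys
from dataclasses import dataclass

# Assumed block list: extension id -> set of known-bad versions.
# An empty set means every version of that id is blocked.
# "example.nx-console" is a placeholder id, not the real marketplace identifier.
BLOCKLIST: dict[str, set[str]] = {
    "example.nx-console": {"18.95.0"},
    "example.typo-squat": set(),
}

# Assumed allow list of extensions that have been reviewed for this fleet.
ALLOWLIST: set[str] = {
    "ms-python.python",
    "example.nx-console",
}

# Constructed sample inventory standing in for `code --list-extensions --show-versions`.
SAMPLE_INVENTORY = """\
ms-python.python@2024.4.1
example.nx-console@18.95.0
example.nx-console@18.94.2
someone.unknown-ext@1.0.0
example.typo-squat@0.0.3
"""


@dataclass(frozen=True)
class Extension:
    ext_id: str   # "publisher.name", normalised to lower case
    version: str


def parse_inventory(text: str) -> list[Extension]:
    """Parse `publisher.name@version` lines; blank or malformed lines are skipped."""
    found: list[Extension] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "@" not in line:
            continue
        ext_id, _, version = line.rpartition("@")   # rpartition: ids never contain "@"
        found.append(Extension(ext_id.lower(), version))
    return found


def triage(exts: list[Extension],
           blocklist: dict[str, set[str]],
           allowlist: set[str]) -> tuple[list[Extension], list[Extension]]:
    """Split an inventory into (blocked, unreviewed).

    blocked:    id is on the block list and the version matches (or all versions are blocked)
    unreviewed: not blocked, but the id has never been reviewed for the allow list
    """
    blocked: list[Extension] = []
    unreviewed: list[Extension] = []
    for ext in exts:
        bad_versions = blocklist.get(ext.ext_id)
        if bad_versions is not None and (not bad_versions or ext.version in bad_versions):
            blocked.append(ext)
        elif ext.ext_id not in allowlist:
            unreviewed.append(ext)
    return blocked, unreviewed


def main() -> int:
    text = SAMPLE_INVENTORY if sys.stdin.isatty() else sys.stdin.read()
    blocked, unreviewed = triage(parse_inventory(text), BLOCKLIST, ALLOWLIST)
    for ext in blocked:
        print(f"BLOCKED    {ext.ext_id}@{ext.version}  -> remove, then rotate credentials on this host")
    for ext in unreviewed:
        print(f"UNREVIEWED {ext.ext_id}@{ext.version}  -> review before allowing")
    # Non-zero exit when a blocked build is present makes this usable in a fleet check.
    return 1 if blocked else 0


if __name__ == "__main__":
    sys.exit(main())
```

A blocked hit is a containment trigger, not just a hygiene finding: because the extension ran as the developer, every token, SSH key and cloud session on that host should be treated as exposed and rotated, which is the order of operations the article attributes to GitHub.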

GitHub said its investigation remains ongoing and promised to notify affected parties if evidence emerges showing customer data or external systems were impacted during the breach.
