Supply Chain Attack Hits GitHub; TeamPCP Claims Responsibility

Hackers Compromise GitHub Internal Repositories via Poisoned VS Code Extension
GitHub, the Microsoft-owned developer platform, has confirmed a security breach resulting in the theft of data from approximately 3,800 of its internal code repositories. [1]
The company disclosed the incident in a series of posts on X, stating that it "detected and contained a compromise of an employee device involving a poisoned VS Code extension." Visual Studio Code is one of the most widely used code editors, and its extensions run with the same privileges as the developer's own account, so a malicious extension can read whatever that account can reach, including local source checkouts and stored credentials. That combination makes the extension marketplace an increasingly attractive target for cybercriminals looking to launch supply chain attacks. [1, 2]
GitHub emphasized that its ongoing investigation has found "no evidence of impact to customer information stored outside of GitHub's internal repositories." To contain the incident, the company isolated the affected endpoint and removed the malicious third-party extension. GitHub has not named the extension, but researchers tracking the group report that the cybercrime crew TeamPCP has claimed responsibility for the breach and is offering the exfiltrated repository data for sale on a prominent underground cybercrime forum. [1, 2, 3]
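Because the malicious extension has not been named, the practical check for a team reading this is an inventory of what is installed on developer machines, measured against a publisher allowlist. The script below is an added example, not code from GitHub or from the article. It assumes the standard VS Code layout of one directory per extension under ~/.vscode/extensions, each containing a package.json with publisher, name, version and optionally activationEvents; the allowlist and the two sample extensions it builds in a temporary directory are constructed for the demonstration.

```python
"""Audit installed VS Code extensions against a publisher allowlist.

Added example, not code from GitHub or from the article. Assumes the
standard VS Code layout: ~/.vscode/extensions/<publisher>.<name>-<version>/
holding a package.json with `publisher`, `name`, `version` and optionally
`activationEvents`.
"""
import json
import tempfile
from pathlib import Path

# Constructed allowlist for the example; a real one comes from your own policy.
ALLOWED_PUBLISHERS = {"ms-python", "ms-vscode", "github"}


def load_manifest(ext_dir: Path):
    """Return the parsed package.json of one extension directory, or None if unreadable."""
    manifest = ext_dir / "package.json"
    try:
        with manifest.open(encoding="utf-8") as fh:
            return json.load(fh)
    except (OSError, ValueError):
        return None


def audit_extensions(root, allowed=ALLOWED_PUBLISHERS):
    """Walk an extensions directory and classify each extension.

    Returns one dict per extension with publisher, name, version and a list
    of findings. An empty findings list means the extension passed both
    checks: its publisher is on the allowlist and it does not request
    unconditional ('*') activation on every editor start.
    """
    results = []
    for ext_dir in sorted(Path(root).iterdir()):
        if not ext_dir.is_dir():
            continue  # extensions.json and other bookkeeping files live here too
        manifest = load_manifest(ext_dir)
        if manifest is None:
            results.append({"dir": ext_dir.name, "publisher": None, "name": None,
                            "version": None, "findings": ["unreadable package.json"]})
            continue
        findings = []
        publisher = manifest.get("publisher")
        if publisher not in allowed:
            findings.append(f"publisher {publisher!r} not on allowlist")
        # "*" means the extension host loads the extension on every startup,
        # regardless of which files or languages the developer opens.
        if "*" in manifest.get("activationEvents", []):
            findings.append("activates unconditionally on startup")
        results.append({"dir": ext_dir.name, "publisher": publisher,
                        "name": manifest.get("name"),
                        "version": manifest.get("version"),
                        "findings": findings})
    return results


def build_sample_tree():
    """Create a constructed extensions directory for the demo; returns its path."""
    root = Path(tempfile.mkdtemp(prefix="vscode-ext-"))
    samples = {
        "ms-python.python-2024.0.0": {
            "publisher": "ms-python", "name": "python", "version": "2024.0.0",
            "activationEvents": ["onLanguage:python"],
        },
        # Hypothetical extension from an unknown publisher, constructed for this example.
        "example-pub.helper-1.2.3": {
            "publisher": "example-pub", "name": "helper", "version": "1.2.3",
            "activationEvents": ["*"],
        },
    }
    for dirname, manifest in samples.items():
        (root / dirname).mkdir()
        (root / dirname / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    (root / "extensions.json").write_text("[]", encoding="utf-8")
    return root


def default_extension_root():
    """Location VS Code uses for locally installed extensions (assumed layout)."""
    return Path.home() / ".vscode" / "extensions"


if __name__ == "__main__":
    root = build_sample_tree()  # swap for default_extension_root() on a real host
    for entry in audit_extensions(root):
        status = "FLAG" if entry["findings"] else "OK  "
        print(f"{status} {entry['dir']}: {'; '.join(entry['findings']) or 'no findings'}")
```

On a real machine, point audit_extensions at default_extension_root(); developers using Remote-SSH or WSL also have a separate set under ~/.vscode-server/extensions on the remote side, which this script does not scan. An allowlist miss is a prompt to verify the publisher, not proof of compromise, but an unknown publisher whose extension activates unconditionally is exactly the profile worth pulling for review first.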
This incident follows a pattern of high-profile supply chain attacks attributed to TeamPCP. The group previously claimed a major breach at the European Commission, exfiltrating more than 90 gigabytes of cloud storage data after compromising downstream users of Trivy, an open-source vulnerability scanner. [1, 2]
The developer ecosystem has faced an escalating wave of similar threats. OpenAI was recently affected by a separate supply chain compromise involving TanStack, a family of open-source JavaScript web development libraries, in which malicious updates were pushed to harvest user tokens and passwords. Security experts note that targeting developer workstations and open-source plugins lets a threat actor reach thousands of interconnected targets at once, maximizing the impact of a single intrusion. [1, 2]