Synopsis
GitHub has confirmed a cyberattack after a threat actor claimed to have stolen and listed company data for sale. The breach involved unauthorised access to internal repositories via a "poisoned" VS Code extension, and the attacker's claim of accessing nearly 3,800 repositories aligns with GitHub's investigation.
In a series of posts on Tuesday, GitHub said it had “detected and contained a compromise of an employee device involving a poisoned VS Code extension.”
GitHub said the malicious extension was removed, the affected endpoint isolated, and incident response measures launched immediately after the breach was discovered.
The proprietary developer platform said its current assessment is that the activity involved exfiltration of internal repositories. GitHub further stated that the attacker’s claims of accessing nearly 3,800 repositories are directionally consistent with its investigation so far.
The incident surfaced publicly after a threat actor identified as TeamPCP allegedly listed GitHub source code and internal organisations for sale on a cybercrime forum, according to a Times of India report. The same threat group has also reportedly been linked to recent attacks involving malicious Python packages.
GitHub said it continues to investigate the breach and monitor its infrastructure for additional suspicious activity.
“We continue to analyse logs, validate secret rotation, and monitor for any follow-on activity. We will take additional action as the investigation warrants,” the company posted on X.