The Microsoft-owned code-sharing platform GitHub announced on Wednesday that an unauthorised actor had successfully penetrated its internal systems. GitHub, which supports over 150 million registered developers globally, revealed that the compromise originated from an employee device infected by a poisoned Visual Studio Code (VS Code) extension.
A threat actor operating under the name TeamPCP claimed responsibility for the cyberattack, listing GitHub’s source code and approximately 4,000 private code repositories for sale on a popular hacker forum. The group initially set a starting price of $50,000 but later updated their forum post to state they had received an offer of $95,000.
TeamPCP clarified that they are not extorting GitHub, but are instead looking for a single buyer before shredding the data, adding, “if no buyer is found we will leak it free.”
In a series of posts on Twitter/X, GitHub confirmed that TeamPCP’s claims are “directionally consistent with our investigations so far,” though the platform clarified the actual number of exfiltrated internal repositories is closer to 3,800. The platform stated it currently has no evidence indicating that customer information stored outside its internal repositories, such as customers’ private groups and repositories, has been impacted.
The compromise targeted VS Code, a lightweight text editor created by Microsoft that allows developers to customise their programming environments with various extensions. While GitHub did not specify the exact malicious add-on utilised, the company confirmed immediate remediation steps.
“We removed the malicious extension version, isolated the endpoint, and began incident response immediately,” GitHub stated. Response teams quickly initiated credential rotations, changing passwords and prioritising the highest-impact credentials first.
The incident highlights a broader global anxiety regarding the role of artificial intelligence in escalating cyber threats. Experts note that hackers and security professionals are locked in an AI arms race.
GitHub is continuing to analyse logs and monitor for follow-on activity, promising a full report once the investigation concludes.










