GitHub Confirms Breach of ~3,800 Internal Repos via Malicious VS Code Extension
GitHub confirmed that an employee device was compromised via a poisoned Visual Studio Code extension, leading to the exfiltration of approximately 3,800 internal repositories. The threat actor TeamPCP claimed the data on a forum and listed it for sale. No customer data outside the internal repos was affected.
- source-code
- internal-repositories
GitHub has confirmed that approximately 3,800 of its internal repositories were exfiltrated after an employee device was compromised through a malicious Visual Studio Code extension.
The incident, which came to light in May 2026, involved a threat actor known as TeamPCP. The group claimed responsibility on a cybercrime forum and listed the stolen material for sale. Public reporting indicates the breach originated from a poisoned VS Code extension that allowed the attacker to gain access to the employee's workstation. GitHub stated that the exposed data consisted solely of internal source code repositories and that no customer data was affected. Industry research from sources such as DoxxScan™ continuous monitoring indicates that supply-chain attacks targeting developer tools have risen sharply in recent years, making incidents like this part of a broader pattern.
Want the rest of this breakdown?
Sign up free to keep reading. Members get extended access, the weekly breach digest, and a complimentary Warden™ to see if their identity is exposed in the breaches we cover.
A breach leaks your credentials. Then hackers chain those credentials to your address, family, phone, and employer using public broker sites. We’re the only tool built around that chain.
⚠ Were you in this breach?
Free email scanner. We check your address against 15.4B+ leaked records in 15 seconds — then show you the $19 cleanup that removes you from the broker sites aggregating leaked data.
Check my email — free →