GitHub has confirmed that roughly 3,800 of its internal repositories were exfiltrated this week. The entry point was a single employee’s machine, compromised after they installed a poisoned VS Code extension from the official marketplace.
The Microsoft-owned code-hosting platform disclosed the incident in a thread on X on Wednesday, 20 May, hours after acknowledging it was investigating unauthorized access.
GitHub said it detected and contained the compromise on 19 May, isolated the endpoint, removed the malicious extension version from the marketplace, and began rotating high-impact credentials.
“Our current assessment is that the activity involved exfiltration of GitHub-internal repositories only,” the company said. Customer data stored outside the affected repositories appears to be unaffected.
GitHub has not named the extension or the employee involved.
A TeamPCP Supply Chain Run That Keeps Going
The threat actor TeamPCP, which has previously hit the GitHub repositories behind Trivy, Checkmarx, LiteLLM, and BerriAI, claimed responsibility on a cybercrime forum.
The group initially claimed 4,000 repos and listed the data for sale at a $50,000 floor, which GitHub said was “directionally consistent” with its investigation so far.
This is the same crew that Google Threat Intelligence Group flagged last week for monetizing supply chain access through ransomware and data extortion partnerships. The GitHub breach extends that pattern in a new direction. Instead of poisoning a build environment to harvest cloud secrets, TeamPCP went after the developer endpoint directly.
The mechanism is what makes this incident notable. VS Code extensions run with the full privileges of the user on the developer’s workstation, with access to everything in that environment: credentials, SSH keys, cloud keys, and any secrets in reach. Once installed, a malicious extension does not need to escalate. The installation itself is the privilege escalation.
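Because an extension inherits the developer's own privileges, the practical control is on the install side: know which extensions are on the endpoint, and pin the reviewed version so that a freshly poisoned release of an otherwise legitimate extension stands out. The script below is an added example written for this article; it is not code from GitHub or from any project named here. It walks a VS Code extensions directory (on a real machine this is `~/.vscode/extensions`, where each installed extension is unpacked into a `publisher.name-version` folder with its manifest in `package.json`), compares every manifest against an approved list with pinned versions, and flags anything unreviewed, any version drift, and any extension whose `activationEvents` make it run on every startup without user action. The approved list, the publisher and extension names, and the sample manifests are constructed for the demonstration.

```python
import json
import tempfile
from pathlib import Path

# Constructed allowlist: extension identifier (publisher.name, lower-case) mapped to
# the reviewed version the organisation has approved. Both entries are assumptions.
APPROVED = {
    "example-publisher.linter": "1.4.0",
    "example-publisher.themes": "0.9.2",
}

# Activation events that cause an extension to run without any user action.
AUTO_ACTIVATE = {"*", "onStartupFinished"}


def iter_manifests(ext_root):
    """Yield (folder name, parsed package.json) for each extension folder under ext_root.

    VS Code unpacks each installed extension into <root>/<publisher>.<name>-<version>/
    with its manifest at package.json; folders without a manifest are skipped.
    """
    root = Path(ext_root)
    for entry in sorted(p for p in root.iterdir() if p.is_dir()):
        manifest = entry / "package.json"
        if manifest.is_file():
            with manifest.open(encoding="utf-8") as fh:
                yield entry.name, json.load(fh)


def audit_extensions(ext_root, approved=APPROVED):
    """Return a list of (identifier, version, [reasons]) for extensions that need review.

    An extension is reported when it is not on the approved list, when its installed
    version differs from the pinned one, or when it activates automatically on startup.
    """
    findings = []
    for _folder, m in iter_manifests(ext_root):
        ident = f"{m.get('publisher', '')}.{m.get('name', '')}".lower()
        version = str(m.get("version", ""))
        reasons = []
        if ident not in approved:
            reasons.append("not on approved list")
        elif approved[ident] != version:
            reasons.append(f"version drift: approved {approved[ident]}, installed {version}")
        if set(m.get("activationEvents", [])) & AUTO_ACTIVATE:
            reasons.append("activates without user action")
        if reasons:
            findings.append((ident, version, reasons))
    return findings


def write_sample_tree(base):
    """Write a constructed extensions directory under base, imitating VS Code's layout."""
    samples = [
        ("example-publisher", "linter", "1.4.0", ["onLanguage:python"]),  # approved, pinned
        ("example-publisher", "themes", "0.9.3", []),          # approved, but newer than pinned
        ("unknown-publisher", "helper", "2.0.1", ["*"]),       # unreviewed and auto-activating
    ]
    for publisher, name, version, events in samples:
        folder = Path(base) / f"{publisher}.{name}-{version}"
        folder.mkdir(parents=True)
        (folder / "package.json").write_text(json.dumps({
            "name": name, "publisher": publisher, "version": version,
            "activationEvents": events, "main": "./out/extension.js",
        }), encoding="utf-8")
    return base


def demo():
    """Run the audit against the constructed sample tree and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_tree(tmp)
        return audit_extensions(tmp)


if __name__ == "__main__":
    for ident, version, reasons in demo():
        print(f"{ident} {version}: {'; '.join(reasons)}")
```

To audit a real workstation, call `audit_extensions(Path.home() / ".vscode" / "extensions")` with the organisation's own approved list in place of the constructed one. Pinning the version rather than only the identifier is the part that matters for the pattern in this story: a trusted publisher whose latest release has been swapped for a malicious one still shows up as version drift.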
The GitHub compromise lands in a busy week for VS Code marketplace abuse. The day before GitHub’s disclosure, the Nx Console extension (2.2 million installs, verified publisher status) was briefly backdoored, with the malicious version pulled within 11 minutes. A Microsoft-adjacent Python package, durabletask, was compromised days earlier.
GitHub said it would publish a full incident report once the investigation concludes.