GitHub Hacked – Internal Source Code Repositories Compromised via Employee Device

GitHub has confirmed unauthorized access to its internal repositories after detecting a compromised employee device infected through a malicious Visual Studio Code extension, the company disclosed in a series of official statements on May 20, 2026.

The Microsoft-owned code hosting platform said it identified and contained the breach after a poisoned VS Code extension was used to compromise an employee’s endpoint.

1/ We are sharing additional details regarding our investigation into unauthorized access to GitHub's internal repositories.

Yesterday we detected and contained a compromise of an employee device involving a poisoned VS Code extension. We removed the malicious extension version,… — GitHub (@github) May 20, 2026

GitHub immediately removed the malicious extension version, isolated the affected device, and activated its incident response procedures.

GitHub’s investigation indicates the attacker successfully exfiltrated data from GitHub-internal repositories only, with no confirmed impact on public or customer-hosted repositories at this stage.

The company stated that a threat actor’s claims of accessing approximately 3,800 repositories are “directionally consistent” with their findings so far.

2/ Our current assessment is that the activity involved exfiltration of GitHub-internal repositories only. The attacker’s current claims of ~3,800 repositories are directionally consistent with our investigation so far. — GitHub (@github) May 20, 2026

A notorious threat actor operating under the alias TeamPCP has claimed responsibility for the breach, alleging the exfiltration of proprietary organization data and source code.

The group is reportedly offering the stolen dataset for sale on underground cybercrime forums, demanding offers exceeding $50,000. Their own claims cite roughly 4,000 private repositories tied directly to GitHub’s main platform.

GitHub moved quickly to reduce further exposure following initial detection. Key containment actions included:

Rotating critical secrets and credentials overnight, prioritizing highest-impact credentials first

Isolating the compromised employee endpoint

Removing the malicious VS Code extension version from circulation

Initiating continuous log analysis to detect any follow-on attacker activity

The use of a malicious VS Code extension as an initial access vector highlights a growing threat in developer-targeted supply chain attacks.

Threat actors increasingly target developer tooling, IDE extensions, CI/CD plugins, and package managers to gain footholds inside high-value technology organizations.

A trusted extension turning malicious can bypass traditional security controls and exfiltrate sensitive credentials or tokens silently in the background.

GitHub confirmed it continues to analyze logs, validate secret rotation completeness, and monitor for secondary activity.

4/ We continue to analyze logs, validate secret rotation, and monitor for any follow-on activity. We will take additional action as the investigation warrants. — GitHub (@github) May 20, 2026

The company stated it will take additional remediation actions as warranted by the investigation and has committed to publishing a fuller incident report once the review is complete.

GitHub has not confirmed any customer data exposure at this time.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates.