GitHub confirmed this week that a threat actor known as TeamPCP stole roughly 3,800 internal repositories after an employee unknowingly installed a compromised Visual Studio Code extension. The breach, which targeted the company's private source code, highlights the growing risk of supply-chain attacks on developer tools.
How the attack unfolded
The incident began when a GitHub employee downloaded a malicious coding tool disguised as a legitimate VS Code extension. Once installed, the extension gave TeamPCP access to the employee's development environment, allowing the group to pull private repositories. GitHub hasn't named the employee or the specific extension, but investigators confirmed the extension was the entry point.
Company security teams detected unusual activity inside the internal code base and moved quickly to contain the breach. GitHub says it has since revoked access tokens, rotated credentials, and locked down affected systems. The stolen repositories did not include customer data, according to the company.
Who is TeamPCP
TeamPCP is the same threat actor behind several high-profile breaches of tech firms in recent months. The group focuses on infiltrating developer networks through compromised tools and open-source dependencies. In this case, they targeted GitHub — the world's largest host of source code — using its own ecosystem against it.
GitHub's security team declined to share technical details of the extension's code, citing an ongoing investigation. But the company advised developers to verify the authenticity of any third-party VS Code extensions before installing them, especially those that request broad permissions.
What was taken — and what wasn't
The 3,800 repositories represent a fraction of GitHub's total internal code base. The stolen material includes proprietary source code, internal documentation, and configuration files. GitHub says no customer repositories, personal data, or financial information were accessed. Still, the loss of internal source code could give competitors or malicious actors insight into GitHub's product road map and security posture.
GitHub is a subsidiary of Microsoft and runs on its own platform. The company has not disclosed whether the breach affected its production infrastructure or introduced backdoors into any of its public products.
What happens next
GitHub is working with law enforcement and has notified affected employees. The company says it will release a security advisory with additional details once the investigation concludes. Developers using VS Code — a hugely popular Microsoft editor — are left wondering whether similar extensions could be hiding in plain sight. GitHub hasn't yet said whether it will audit its own employees' tool installations more aggressively as a result.