GitHub Says Hackers Stole 3,800 Internal Repositories in Breach

GitHub has confirmed that attackers gained unauthorized access to its systems and exfiltrated roughly 3,800 internal repositories. The company says it removed a malicious code extension tied to the incident.

The extent of the data theft

The breach, which GitHub disclosed in a recent security update, involved the theft of internal repositories — not customer-facing code or personal user data, according to the company. The number, 3,800, represents a significant chunk of GitHub's own proprietary software and development work. Investigators are still working to determine exactly what was taken and whether the attackers have used any of the stolen code.

The malicious extension

GitHub identified a malicious code extension as the entry point or a key component of the attack. The company removed the extension after discovering its link to the breach. It hasn't said how the extension got onto its systems or how long it had been active. Security experts outside the company have pointed to the growing threat of supply-chain attacks, where bad actors plant harmful code in trusted tools.

GitHub’s response

GitHub has locked down the affected accounts and is notifying any users whose data might have been compromised. The company says it's reviewing its internal security measures to prevent similar incidents. No word yet on whether law enforcement has been brought in, but the scale of the theft suggests a coordinated effort by a sophisticated group.

The breach raises questions about how well even the most security-conscious companies can protect internal codebases. GitHub itself builds tools used by millions of developers to manage code. That its own defenses were breached is a stark reminder that no organization is immune.

GitHub hasn't said when it expects to complete its investigation. The company is urging developers to check for any suspicious activity linked to their accounts and to report anything unusual. For now, the focus is on containing the damage and understanding exactly what the attackers walked away with.