GitHub confirms breach of 3,800 repos via malicious VSCode extension
The GitHub breach via a malicious VS Code extension is a critical supply chain security incident for all developers.
GitHub confirmed that roughly 3,800 internal repositories were breached after an employee installed a malicious VS Code extension, which was subsequently removed from the marketplace. The TeamPCP hacker group—previously linked to supply chain attacks on PyPI, NPM, and Docker—claimed responsibility and is demanding $50,000 for the stolen code. GitHub reports no customer data was affected, but this incident underscores the risk of supply chain attacks via developer tooling.
Enforce strict vetting of all VS Code extensions and implement endpoint detection controls on developer workstations.
For engineers building on cloud platforms, this incident highlights how vulnerable developer endpoints and IDE extensions can serve as an entry point into internal source code, threatening intellectual property and CI/CD pipelines.
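
One way to act on the extension-vetting recommendation above, as an added example (not code from GitHub or the original article): audit installed extensions against an allowlist that pins approved versions, since the incident involved a malicious extension version. The extension IDs, versions and allowlist contents are constructed placeholders.

```python
import subprocess

# Constructed allowlist: extension ID -> approved versions (placeholders).
ALLOWLIST = {
    "examplecorp.linter": {"2.4.1", "2.4.2"},
    "examplecorp.theme": {"1.0.0"},
}

# Constructed sample of `code --list-extensions --show-versions` output.
SAMPLE_LISTING = """\
examplecorp.linter@2.4.2
ExampleCorp.theme@1.0.1
unknownpub.helper@0.0.9
"""


def parse_listing(text):
    """Map extension ID (lowercased) -> version from CLI listing text."""
    installed = {}
    for line in text.splitlines():
        ext_id, sep, version = line.strip().rpartition("@")
        if sep and ext_id and version:  # skip blanks and non-listing lines
            installed[ext_id.lower()] = version
    return installed


def audit(installed, allowlist):
    """Return sorted (id, version, finding) for anything not approved."""
    findings = []
    for ext_id, version in sorted(installed.items()):
        approved = allowlist.get(ext_id)
        if approved is None:
            findings.append((ext_id, version, "not-allowlisted"))
        elif version not in approved:
            findings.append((ext_id, version, "unapproved-version"))
    return findings


def installed_from_cli():
    """Query the local VS Code CLI; requires `code` on PATH."""
    out = subprocess.run(
        ["code", "--list-extensions", "--show-versions"],
        capture_output=True, text=True, check=True,
    ).stdout
    return parse_listing(out)


if __name__ == "__main__":
    for ext_id, version, finding in audit(parse_listing(SAMPLE_LISTING), ALLOWLIST):
        print(f"{finding}: {ext_id}@{version}")
```

On a real workstation, pass `installed_from_cli()` to `audit()` and ship the findings to whatever endpoint telemetry the fleet already uses.
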
By Sergiu Gatlan, May 20, 2026, 04:14 AM
GitHub has confirmed that roughly 3,800 internal repositories were breached after one of its employees installed a malicious VS Code extension. The company has since removed the unnamed trojanized extension from the VS Code marketplace and has secured the compromised device.
"Yesterday we detected and contained a compromise of an employee device involving a poisoned VS Code extension. We removed the malicious extension version, isolated the endpoint, and began incident response…