
GitHub Confirms Internal Breach Affecting 3,800 Repositories After Malicious VS Code Extension Attack

GitHub has confirmed that approximately 3,800 internal repositories were accessed in a security breach linked to a malicious Visual Studio Code extension installed on an employee’s device.

The Microsoft-owned development platform said it detected and contained the incident after identifying a compromised endpoint tied to a poisoned VS Code extension. GitHub removed the malicious extension from the marketplace, isolated the affected device, and launched an internal incident response investigation.

According to the company’s current assessment, the attack involved unauthorized access to GitHub’s internal repositories only. GitHub stated that there is no evidence that customer repositories, enterprise environments, or public projects were impacted by the breach.

The incident became public after threat actors claimed online that they had stolen GitHub source code and sensitive internal data. The attackers reportedly alleged they obtained access to nearly 4,000 repositories and attempted to sell the stolen information on underground forums. GitHub said the attackers’ claims regarding repository volume were “directionally consistent” with the company’s investigation so far.

The breach has raised renewed concerns about software supply chain attacks targeting developer tools and extensions. Visual Studio Code extensions have increasingly become a target for cybercriminal groups because they can provide direct access to development environments, authentication tokens, internal repositories, and CI/CD infrastructure.

Security researchers have warned for years that malicious or trojanized extensions can abuse developer trust to execute arbitrary code inside development environments. In recent months, multiple campaigns involving fake or compromised VS Code extensions have been linked to credential theft, malware delivery, and repository compromise operations.

GitHub has not publicly disclosed the name of the malicious extension involved in the incident. The company also has not confirmed whether any proprietary source code, credentials, or security-sensitive assets were exposed during the breach.