Malicious VS Code extension stole 3,800 GitHub internal repos

A malicious Visual Studio Code extension exfiltrated about 3,800 GitHub internal repositories after a developer installed it unintentionally, GitHub said Monday.

GitHub detected a breach on Monday after a developer unintentionally installed a malicious Visual Studio Code extension that exfiltrated about 3,800 internal repositories. The company said the activity affected only GitHub-internal repositories and that it has found no evidence so far that customer data stored outside those internal repositories was accessed.

GitHub’s chief information security officer, Alexis Wales, wrote that some internal repositories include customer-related material, for example excerpts of support interactions. GitHub began rotating critical secrets immediately, prioritizing the highest-impact credentials, and is analyzing logs, validating rotations and monitoring infrastructure for further activity. The company said it will publish a fuller report when the investigation is complete.

GitHub did not name an attacker but referenced a claim by the hacking group TeamPCP that it accessed roughly 3,800 internal repositories, a figure the company says matches its review so far. TeamPCP has ties to the Mini Shai-Hulud worm and has used stolen CI/CD credentials in supply chain attacks. The group has offered the stolen GitHub data for sale for $50,000 and warned it will leak the material if no offer is received.

Security vendors described the incident as part of a pattern of attackers targeting developer tooling and supply chains. Ilkka Turunen, Field CTO at Sonatype, warned that developers are now frequent targets for supply chain attacks and said AI-assisted tools are shortening the time between compromise and exploitation.

The breach followed a separate, short-lived backdoor in the Nx Console VS Code extension, which has about 2.2 million installs. A malicious update that collected credentials when a developer opened a workspace was removed from the VS Code Marketplace within 18 minutes and from Open VSX within 36 minutes. Shaun Brown, technical product marketer at Aikido Security, commented, “Caught in 18 minutes and prevented exposure are not the same thing,” and recommended measures such as minimum package and extension ages (not installing a version until it has been public for a set period) to reduce the risk of similar attacks reaching large user bases.
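The minimum-age control mentioned above can be enforced before an extension version reaches developer machines. The following is an added example, not code from GitHub, Nx, or Aikido: it evaluates extension version records (constructed sample data with placeholder identifiers) against an allowlist and a minimum publication age, and blocks versions that were later withdrawn from the marketplace, which is how a quickly pulled malicious update such as the one described would be caught even if it had been mirrored internally.

```python
"""Minimum-age policy for editor extension versions.

Added example, not vendor or project code. It assumes the organization can
obtain, for each extension version, the publisher.name identifier, the version
string, an ISO-8601 publish timestamp and (optionally) a withdrawal timestamp,
for instance from an internal marketplace mirror. All records below are
constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, Optional, Tuple

# Policy knobs (hypothetical values; tune to the organization's risk appetite).
MIN_AGE = timedelta(days=7)
ALLOWLIST = frozenset({"examplepub.console", "examplepub.linter"})


@dataclass(frozen=True)
class ExtensionVersion:
    identifier: str            # "publisher.name" as used by the marketplace
    version: str
    published: datetime        # timezone-aware publish time
    withdrawn: Optional[datetime] = None  # set when the marketplace pulled the version


def evaluate(ext: ExtensionVersion, now: datetime,
             min_age: timedelta = MIN_AGE,
             allowlist: frozenset = ALLOWLIST) -> Tuple[str, str]:
    """Return ("allow" | "defer" | "block", reason) for one extension version.

    Order matters: a withdrawn version is blocked even if it is old and
    allowlisted, because withdrawal is the strongest signal we have.
    """
    if ext.withdrawn is not None:
        return "block", "version was withdrawn from the marketplace"
    if ext.identifier not in allowlist:
        return "block", "publisher/extension is not on the allowlist"
    age = now - ext.published
    if age < min_age:
        return "defer", (f"version is {age.days} day(s) old; "
                         f"policy requires {min_age.days}")
    return "allow", "meets minimum age"


def filter_installable(records: Iterable[ExtensionVersion],
                       now: datetime) -> Dict[str, Tuple[str, str]]:
    """Map "identifier@version" to its decision for a batch of records."""
    return {f"{r.identifier}@{r.version}": evaluate(r, now) for r in records}


# Constructed sample data: one mature version, one too-new version and one
# version that was published and then pulled within the hour.
NOW = datetime(2026, 1, 15, tzinfo=timezone.utc)
SAMPLE = [
    ExtensionVersion("examplepub.console", "1.4.0",
                     datetime(2026, 1, 1, tzinfo=timezone.utc)),
    ExtensionVersion("examplepub.console", "1.4.1",
                     datetime(2026, 1, 14, 12, tzinfo=timezone.utc)),
    ExtensionVersion("examplepub.console", "1.4.2",
                     datetime(2026, 1, 14, 13, tzinfo=timezone.utc),
                     withdrawn=datetime(2026, 1, 14, 13, 18, tzinfo=timezone.utc)),
    ExtensionVersion("unknownpub.helper", "0.1.0",
                     datetime(2025, 6, 1, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    for key, (decision, reason) in filter_installable(SAMPLE, NOW).items():
        print(f"{decision:6} {key}: {reason}")
```

Deferring rather than blocking new versions keeps the upgrade path open once the waiting period has passed, while the withdrawal check ensures that a version removed by the marketplace never becomes installable simply by ageing.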

GitHub said it has not identified any compromise of customer-owned repositories or enterprise systems outside its internal environment and will use its incident response channels to notify any affected parties if new impact is discovered.