GitHub has disclosed a significant internal security breach after attackers gained access to nearly 3,800 of its own private repositories through a compromised employee device. The incident was traced back to a malicious extension installed in Visual Studio Code, highlighting growing concerns around software development environments and the third-party tools they load.
The security issue surfaced earlier this week when GitHub identified suspicious activity on an employee endpoint. Internal investigation linked the breach to a malicious Visual Studio Code extension installed on that device. The company isolated the affected system and began containment procedures. Credentials and secrets reachable from the endpoint were rotated immediately, with the highest-risk access rotated first.
GitHub stated that the attack did not affect customer repositories, customer code, or customer data hosted on its platform; the compromise appears limited to GitHub's internal systems. Even so, the scale of the incident has drawn attention because of GitHub's central role in the global software ecosystem.
Cybercriminal group TeamPCP has reportedly claimed responsibility for the attack. The group allegedly attempted to sell thousands of private GitHub repositories and source code assets online. While the attackers claimed to possess roughly 4,000 repositories, GitHub’s findings place the number slightly lower at around 3,800.
The breach also reflects a wider trend. TeamPCP has increasingly targeted software supply chains and developer tools during 2026. Security researchers have connected the group to earlier attacks on developer ecosystems and software packages, a pattern in which attackers move from attacking infrastructure directly to compromising the trusted tools engineers run every day.
The incident also raises fresh questions around Visual Studio Code extensions. Extensions run inside the editor's extension host with the same privileges as the developer's own user account, with no fine-grained permission model, so a malicious one can read source code, local credentials, tokens in environment variables and configuration, and anything else the developer can reach, and can act on development pipelines on the developer's behalf. As developer environments become increasingly critical to business operations, they are emerging as high-value targets for cybercriminals.
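One practical check that follows from this is an inventory of which extensions are actually installed on each developer endpoint, compared against the publishers the organisation has vetted. The script below is an added example and not part of the original report or any GitHub tooling. It relies on the real `code --list-extensions --show-versions` command, which prints one `publisher.name@version` line per installed extension; the publisher allowlist and the sample extension list are constructed for illustration.

```shell
#!/usr/bin/env sh
# Added example: flag installed VS Code extensions whose publisher is not on an allowlist.
# `code --list-extensions --show-versions` emits one line per extension in the form
#   publisher.name@version        e.g. ms-python.python@2024.2.1

# Publishers the organisation has vetted (constructed allowlist for this example).
ALLOWED_PUBLISHERS="ms-python ms-vscode github redhat"

# Constructed sample of what the `code` CLI prints on a hypothetical endpoint.
SAMPLE_EXTENSIONS='ms-python.python@2024.2.1
github.copilot@1.180.0
someunknown.helper-tools@0.0.3'

# Reads extension ids on stdin; prints every id whose publisher is not allow-listed.
flag_unknown_publishers() {
  while IFS= read -r ext; do
    [ -n "$ext" ] || continue
    pub=${ext%%.*}                 # publisher is the part before the first '.'
    found=0
    for allowed in $ALLOWED_PUBLISHERS; do
      if [ "$allowed" = "$pub" ]; then
        found=1
      fi
    done
    if [ "$found" -eq 0 ]; then
      printf '%s\n' "$ext"
    fi
  done
  return 0
}

# Runs the check against the live installation when the `code` CLI is available.
audit_installed_extensions() {
  if command -v code >/dev/null 2>&1; then
    code --list-extensions --show-versions | flag_unknown_publishers
  else
    echo "code CLI not found on PATH" >&2
    return 1
  fi
}

# Demonstration on the constructed sample: prints someunknown.helper-tools@0.0.3
printf '%s\n' "$SAMPLE_EXTENSIONS" | flag_unknown_publishers
```

Run `audit_installed_extensions` on a real workstation to see what the current user has installed; anything it prints is an extension from a publisher nobody has reviewed, which is exactly the kind of foothold described above. The check is deliberately conservative: it treats an unknown publisher as a finding, not as proof of compromise, and a reviewer still has to look at what the flagged extension does.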