GitHub reports data theft affecting thousands of internal repositories
GitHub says hackers stole data from thousands of internal repositories, raising concerns about source code security, access controls, and cyber threats.
GitHub, the widely used software development platform owned by Microsoft, has confirmed a security breach that allowed attackers to access and steal data from approximately 3,800 internal code repositories.
The company disclosed details of the incident through a series of posts published on X, stating that its investigation into the breach remains active. While GitHub acknowledged that internal repositories were affected, the company emphasised that it has not found evidence that customer information stored outside its internal repositories was compromised.
According to GitHub, "there is no evidence of impact to customer information stored outside of GitHub's internal repositories." However, the company noted that its investigation is ongoing as it assesses the full scope of the incident.
GitHub explained that the breach originated from the compromise of an employee's device. The company said it "detected and contained a compromise of an employee device involving a poisoned VS Code extension," referring to a malicious plug-in for Visual Studio Code, one of the most widely used code editors among software developers.
The incident fits a growing trend in which threat actors target trusted open-source software projects and development tools. By compromising software components that developers routinely install and rely upon, attackers can potentially gain access to large numbers of systems simultaneously.
Security experts have warned that coding extensions, developer libraries, and open-source dependencies have become attractive targets because they provide a pathway into software development environments used by organisations worldwide. A successful compromise of a widely adopted project can significantly amplify an attack's reach.
GitHub did not disclose the name of the compromised Visual Studio Code extension involved in the incident. As a result, developers and organisations have not yet been provided with details on the specific plug-in that attackers allegedly used in the breach.
Reports from cybersecurity news outlets The Record and BleepingComputer indicate that a hacking group known as TeamPCP has claimed responsibility for the intrusion. According to those reports, the group has also allegedly offered the stolen GitHub data for sale on a cybercrime forum.
At the time of the reports, GitHub had not publicly confirmed whether TeamPCP was responsible for the breach. The company also did not immediately respond to requests seeking additional information about the incident.
Questions remain regarding whether GitHub has received direct communication from the attackers, including any ransom demands or extortion attempts related to the stolen data. The company has not publicly disclosed any such communications.
TeamPCP has previously been linked to other high-profile cyber incidents. The group has also claimed responsibility for a breach involving the European Commission that reportedly resulted in the theft of more than 90 gigabytes of data from the organisation's systems.
According to reports concerning that earlier incident, the attackers obtained access to the European Commission's cloud environment through a separate compromise involving Trivy, an open-source vulnerability scanner. In that attack, hackers allegedly distributed information-stealing malware to downstream users of Trivy, enabling them to obtain sensitive credentials and access protected systems.
The GitHub breach also comes amid a broader wave of attacks targeting software supply chains and developer ecosystems. In recent months, attackers have increasingly focused on platforms and tools used by programmers to distribute malware and steal sensitive credentials from large numbers of victims.
One notable example involved OpenAI, which was recently affected by a separate but similar attack. In that incident, attackers reportedly compromised TanStack, a family of open-source JavaScript libraries widely used by web developers, and distributed malicious software updates.
The malicious updates allegedly enabled attackers to steal passwords, authentication tokens, and other sensitive information from affected users who downloaded the compromised software packages.
These incidents underscore the growing importance of securing software development environments and the tools that developers rely on daily. As organisations increasingly depend on open-source projects, third-party libraries, and extension ecosystems, attackers continue to seek opportunities to exploit trusted software components to gain broader access to systems and data.
While GitHub says it has contained the compromise and has not identified evidence of customer data exposure outside of its internal repositories, the company's investigation remains active. Additional details about the breach, the affected repositories, the attackers' methods, and the potential consequences for GitHub's operations will be provided as the investigation progresses.
For now, the incident serves as another reminder of the growing risks posed by software supply chain attacks and the increasing sophistication of threat actors targeting the global developer community.