GitHub says internal repos exfiltrated after poisoned VS Code extension attack

DevOps

Initial assessment says customer data spared while users wonder what else may have slipped out

GitHub, the world’s biggest code repository and DevOps platform, fell victim to a malicious Visual Studio Code (VS Code) extension. The company’s initial assessment is that only internal repositories were exfiltrated.

The incident was reported by GitHub on X, with follow-up posts revealing a “poisoned VS Code extension” as the cause. The Microsoft-owned code shack continues to “analyze logs, validate secret rotation, and monitor for any follow-on activity.”

One GitHub post references “the attacker’s current claims of ~3,800 repositories” as consistent with its investigation. This may refer to a post attributed to TeamPCP, the malware crew linked to the Shai-Hulud worm, the code for which has been published and caused widespread damage.

In a post, the crew advertised GitHub’s internal source code for sale, claiming around 4,000 repositories. They said it was not a ransom and that, if no buyer was found, they would leak the code for free. Claims like these should be treated with caution.

A key concern for GitHub users is whether private repositories are at risk, either now or later if the attackers have gained a foothold in internal systems via stolen credentials. The risks include leakage of proprietary code and of any credentials committed alongside it. Best practice is never to check secrets into any repository, public or private, but some organizations are less disciplined about this when a repository is private.
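The check a practitioner would run over a private repository (or over `git log -p --all` output, so that secrets deleted in later commits still surface) is a secret scan. The following is an added example, not code from the article or from GitHub: a small Python scanner that matches the documented GitHub classic PAT prefix (`ghp_` plus 36 alphanumerics) and AWS access key ID prefix (`AKIA` plus 16 uppercase alphanumerics), flags private-key blocks, and applies a generic entropy-gated rule to `something_password = "..."` assignments. The entropy threshold, placeholder list and the sample content are my assumptions; the sample values are constructed and fake.

```python
"""Scan text (a file, or `git log -p` output) for checked-in secrets."""
from __future__ import annotations

import math
import re
import sys
from collections import Counter
from dataclasses import dataclass

# Rules for well-known credential formats. The GitHub classic PAT ("ghp_" + 36
# alphanumerics) and AWS access key ID ("AKIA" + 16 uppercase alphanumerics)
# prefixes are the documented public formats; everything else is a heuristic.
SPECIFIC_RULES = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
}
# Catch-all for `something_password = "..."` style assignments; the value is
# group 1 and is gated on entropy and a placeholder list below.
GENERIC_RULE = re.compile(
    r"(?i)\b[\w.-]*(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]?([^\s'\"]{8,})"
)
ENTROPY_THRESHOLD = 3.5  # bits per character (assumed); random tokens sit well above this
PLACEHOLDER_PREFIXES = ("$", "<", "{{", "%(")  # template variables, not values
PLACEHOLDER_WORDS = {"changeme", "example", "placeholder", "redacted"}


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    snippet: str  # masked: first four characters only, never the full value


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_like_placeholder(value: str) -> bool:
    return value.startswith(PLACEHOLDER_PREFIXES) or value.lower() in PLACEHOLDER_WORDS


def mask(value: str) -> str:
    return value[:4] + "*" * (len(value) - 4) if len(value) > 4 else "****"


def scan_text(text: str) -> list[Finding]:
    """Return one Finding per (line, rule). A specific rule suppresses the
    generic rule on the same line so one token is not reported twice."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        hit_specific = False
        for rule, pattern in SPECIFIC_RULES.items():
            m = pattern.search(line)
            if m:
                findings.append(Finding(line_no, rule, mask(m.group(0))))
                hit_specific = True
        if hit_specific:
            continue
        m = GENERIC_RULE.search(line)
        if m:
            value = m.group(1)
            if looks_like_placeholder(value) or shannon_entropy(value) < ENTROPY_THRESHOLD:
                continue  # template variable or low-entropy word, not a token
            findings.append(Finding(line_no, "generic_assignment", mask(value)))
    return findings


# Constructed sample; every value is fake (the AWS key is AWS's documented
# example ID, the GitHub token is the alphabet after the "ghp_" prefix).
SAMPLE = """\
# constructed sample config; nothing here is a real credential
DB_PASSWORD = "${DB_PASSWORD}"
ADMIN_PASSWORD = "password123"
GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
AWS_ACCESS_KEY_ID = AKIAIOSFODNN7EXAMPLE
stripe_api_key: sk-live-9f8e7d6c5b4a3f2e1d0c
-----BEGIN OPENSSH PRIVATE KEY-----
"""


def main(argv: list[str]) -> int:
    # With a file argument (or "-" for stdin, e.g. `git log -p --all | python scan.py -`)
    # scan that; with no argument, scan the embedded sample.
    if argv:
        if argv[0] == "-":
            text = sys.stdin.read()
        else:
            with open(argv[0], encoding="utf-8", errors="replace") as fh:
                text = fh.read()
    else:
        text = SAMPLE
    findings = scan_text(text)
    for f in findings:
        print(f"line {f.line_no}: {f.rule}: {f.snippet}")
    return 1 if findings else 0  # non-zero exit makes it usable as a pre-commit gate


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

On the embedded sample the scanner reports the GitHub token, the AWS key ID, the Stripe-style key and the private-key header, and stays quiet on the `${DB_PASSWORD}` template variable and on `password123`. That last silence is the trade-off of the entropy gate: it buys precision on random tokens at the cost of missing weak human-chosen passwords, which a dedicated tool would cover with a wordlist rule.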

Last month, Wiz Research discovered a remote code execution flaw in GitHub.com and GitHub Enterprise Server (the self-hosted version), which the researchers said was “remarkably easy to exploit.” The vulnerability was discovered using AI.

Developer reactions to GitHub’s latest problems combine alarm and resignation – plus some humor. “How did the attackers find a large enough uptime window to get in?” quipped one.

GitHub is in some difficulty. This compromise comes after a surge in npm attacks, many related to Shai-Hulud code, which the company has failed to prevent despite being aware of the issue since September 2025. Further, the platform has reliability issues caused in part by AI bots hoovering up public code to feed large language models – problems that led HashiCorp co-founder Mitchell Hashimoto to declare GitHub “no longer a place for serious work.”

Another said that “the era where a developer machine with source code access also has access to meaningful security systems should be over. Internal repository access should mean nothing… GitHub compromise could happen at any time, even from GitHub themselves.”

Issues with cloud platforms also increase the appeal of self-hosted systems such as the open source Forgejo, which powers Berlin-based Codeberg, a GitHub alternative.

GitHub has promised a fuller report “once the investigation is complete,” presumably posted to its own site rather than only reported on X, as is currently the case. ®


Source: www.theregister.com…
