CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 21, 2026

GitHub Hacked - Internal Source Code Repositories Compromised via Employee Device - CyberSecurityNews

CyberSecurityNews Archived May 21, 2026 ✓ Full text saved

GitHub Hacked - Internal Source Code Repositories Compromised via Employee Device CyberSecurityNews

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Attack News GitHub Hacked – Internal Source Code Repositories Compromised via Employee Device By Guru Baran May 20, 2026 GitHub has confirmed unauthorized access to its internal repositories after detecting a compromised employee device infected through a malicious Visual Studio Code extension, the company disclosed in a series of official statements on May 20, 2026. The Microsoft-owned code hosting platform said it identified and contained the breach after a poisoned VS Code extension was used to compromise an employee’s endpoint. 1/ WE ARE SHARING ADDITIONAL DETAILS REGARDING OUR INVESTIGATION INTO UNAUTHORIZED ACCESS TO GITHUB'S INTERNAL REPOSITORIES. YESTERDAY WE DETECTED AND CONTAINED A COMPROMISE OF AN EMPLOYEE DEVICE INVOLVING A POISONED VS CODE EXTENSION. WE REMOVED THE MALICIOUS EXTENSION VERSION,… — GitHub (@github) May 20, 2026 GitHub immediately removed the malicious extension version, isolated the affected device, and activated its incident response procedures. GitHub’s investigation indicates the attacker successfully exfiltrated data from GitHub-internal repositories only, with no confirmed impact on public or customer-hosted repositories at this stage. The company stated that a threat actor’s claims of accessing approximately 3,800 repositories are “directionally consistent” with their findings so far. 2/ OUR CURRENT ASSESSMENT IS THAT THE ACTIVITY INVOLVED EXFILTRATION OF GITHUB-INTERNAL REPOSITORIES ONLY. THE ATTACKER’S CURRENT CLAIMS OF ~3,800 REPOSITORIES ARE DIRECTIONALLY CONSISTENT WITH OUR INVESTIGATION SO FAR. — GitHub (@github) May 20, 2026 A notorious threat actor operating under the alias TeamPCP has claimed responsibility for the breach, alleging the exfiltration of proprietary organization data and source code. The group is reportedly offering the stolen dataset for sale on underground cybercrime forums, demanding offers exceeding $50,000. Their own claims cite roughly 4,000 private repositories tied directly to GitHub’s main platform. GitHub moved quickly to reduce further exposure following initial detection. Key containment actions included: Rotating critical secrets and credentials overnight, prioritizing highest-impact credentials first Isolating the compromised employee endpoint Removing the malicious VS Code extension version from circulation Initiating continuous log analysis to detect any follow-on attacker activity The use of a malicious VS Code extension as an initial access vector highlights a growing threat in developer-targeted supply chain attacks. Threat actors increasingly target developer tooling, IDE extensions, CI/CD plugins, and package managers to gain footholds inside high-value technology organizations. A trusted extension turning malicious can bypass traditional security controls and exfiltrate sensitive credentials or tokens silently in the background. GitHub confirmed it continues to analyze logs, validate secret rotation completeness, and monitor for secondary activity. 4/ WE CONTINUE TO ANALYZE LOGS, VALIDATE SECRET ROTATION, AND MONITOR FOR ANY FOLLOW-ON ACTIVITY. WE WILL TAKE ADDITIONAL ACTION AS THE INVESTIGATION WARRANTS. — GitHub (@github) May 20, 2026 The company stated it will take additional remediation actions as warranted by the investigation and has committed to publishing a fuller incident report once the review is complete. GitHub has not confirmed any customer data exposure at this time. Follow us on Google News, LinkedIn, and X to Get More Instant Updates. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Guru Baranhttps://cybersecuritynews.com Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments. Trending News Claude Code’s Network Sandbox Vulnerability Exposes User Credentials and Source Code Hackers Abuse Scheduled Tasks to Maintain Persistence in FrostyNeighbor Attacks 600+ npm Packages Compromised in New Mini Shai-Hulud Supply Chain Attack New NGINX 0-Day RCE “nginx-poolslip” Affects Millions of NGINX Servers Hackers Abuse OAuth Device Authorization Flow to Steal Microsoft 365 Tokens Latest News Cyber Security News WantToCry Ransomware Abuses SMB Services to Remotely Encrypt Files Cyber Security Two U.S. Executives Plead Guilty in India-Based Tech-Support Fraud Schemes Cyber Security News New GhostTree Attack Causing EDR Products to Hang and Leave Files Unscanned Cyber Security Claude Code’s Network Sandbox Vulnerability Exposes User Credentials and Source Code Cyber Security News Gremlin Stealer Stores C2 URLs and Exfiltration Paths in Encrypted Resource Sections
    💬 Team Notes
    Article Info
    Source
    CyberSecurityNews
    Category
    ◇ Industry News & Leadership
    Published
    May 21, 2026
    Archived
    May 21, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗