HomeCyber Attack News
GitHub Hacked – Internal Source Code Repositories Compromised via Employee Device
By Guru Baran
May 20, 2026
GitHub has confirmed unauthorized access to its internal repositories after detecting a compromised employee device infected through a malicious Visual Studio Code extension, the company disclosed in a series of official statements on May 20, 2026.
The Microsoft-owned code hosting platform said it identified and contained the breach after a poisoned VS Code extension was used to compromise an employee’s endpoint.
1/ WE ARE SHARING ADDITIONAL DETAILS REGARDING OUR INVESTIGATION INTO UNAUTHORIZED ACCESS TO GITHUB'S INTERNAL REPOSITORIES.
YESTERDAY WE DETECTED AND CONTAINED A COMPROMISE OF AN EMPLOYEE DEVICE INVOLVING A POISONED VS CODE EXTENSION. WE REMOVED THE MALICIOUS EXTENSION VERSION,…
— GitHub (@github) May 20, 2026
GitHub immediately removed the malicious extension version, isolated the affected device, and activated its incident response procedures.
GitHub’s investigation indicates the attacker successfully exfiltrated data from GitHub-internal repositories only, with no confirmed impact on public or customer-hosted repositories at this stage.
The company stated that a threat actor’s claims of accessing approximately 3,800 repositories are “directionally consistent” with their findings so far.
2/ OUR CURRENT ASSESSMENT IS THAT THE ACTIVITY INVOLVED EXFILTRATION OF GITHUB-INTERNAL REPOSITORIES ONLY. THE ATTACKER’S CURRENT CLAIMS OF ~3,800 REPOSITORIES ARE DIRECTIONALLY CONSISTENT WITH OUR INVESTIGATION SO FAR.
— GitHub (@github) May 20, 2026
A notorious threat actor operating under the alias TeamPCP has claimed responsibility for the breach, alleging the exfiltration of proprietary organization data and source code.
The group is reportedly offering the stolen dataset for sale on underground cybercrime forums, demanding offers exceeding $50,000. Their own claims cite roughly 4,000 private repositories tied directly to GitHub’s main platform.
GitHub moved quickly to reduce further exposure following initial detection. Key containment actions included:
Rotating critical secrets and credentials overnight, prioritizing highest-impact credentials first
Isolating the compromised employee endpoint
Removing the malicious VS Code extension version from circulation
Initiating continuous log analysis to detect any follow-on attacker activity
The use of a malicious VS Code extension as an initial access vector highlights a growing threat in developer-targeted supply chain attacks.
Threat actors increasingly target developer tooling, IDE extensions, CI/CD plugins, and package managers to gain footholds inside high-value technology organizations.
A trusted extension turning malicious can bypass traditional security controls and exfiltrate sensitive credentials or tokens silently in the background.
GitHub confirmed it continues to analyze logs, validate secret rotation completeness, and monitor for secondary activity.
4/ WE CONTINUE TO ANALYZE LOGS, VALIDATE SECRET ROTATION, AND MONITOR FOR ANY FOLLOW-ON ACTIVITY. WE WILL TAKE ADDITIONAL ACTION AS THE INVESTIGATION WARRANTS.
— GitHub (@github) May 20, 2026
The company stated it will take additional remediation actions as warranted by the investigation and has committed to publishing a fuller incident report once the review is complete.
GitHub has not confirmed any customer data exposure at this time.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates.
Tags
cyber security
cyber security news
Copy URL
Linkedin
Twitter
ReddIt
Telegram
Guru Baranhttps://cybersecuritynews.com
Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments.
Trending News
Claude Code’s Network Sandbox Vulnerability Exposes User Credentials and Source Code
Hackers Abuse Scheduled Tasks to Maintain Persistence in FrostyNeighbor Attacks
600+ npm Packages Compromised in New Mini Shai-Hulud Supply Chain Attack
New NGINX 0-Day RCE “nginx-poolslip” Affects Millions of NGINX Servers
Hackers Abuse OAuth Device Authorization Flow to Steal Microsoft 365 Tokens
Latest News
Cyber Security News
WantToCry Ransomware Abuses SMB Services to Remotely Encrypt Files
Cyber Security
Two U.S. Executives Plead Guilty in India-Based Tech-Support Fraud Schemes
Cyber Security News
New GhostTree Attack Causing EDR Products to Hang and Leave Files Unscanned
Cyber Security
Claude Code’s Network Sandbox Vulnerability Exposes User Credentials and Source Code
Cyber Security News
Gremlin Stealer Stores C2 URLs and Exfiltration Paths in Encrypted Resource Sections