Content Fans

GitHub breach exposes 3,800 repos after malicious VS Code extension install

Serge Bulaev

Serge Bulaev

A GitHub breach was confirmed on May 20, 2026, after an employee installed a malicious Visual Studio Code extension linked to TeamPCP. Attackers reportedly gained access to about 3,800 internal repositories by stealing the employee's credentials through the extension. This may have exposed sensitive information and secrets, but GitHub says there is no evidence that public customer repositories were affected. Studies suggest that a small percentage of VS Code extensions display suspicious behavior, showing that developer tools can be a way for attackers to get in. Experts recommend checking and controlling extensions, rotating secrets, and monitoring for unusual activity to reduce risks.

GitHub breach exposes 3,800 repos after malicious VS Code extension install

The recent GitHub breach that exposed 3,800 repos after a malicious VS Code extension was installed highlights a critical supply chain vulnerability. Confirmed on May 20, 2026, the attack gave a threat actor visibility into thousands of internal projects, as detailed in a Varonis breach analysis.

This incident serves as a stark case study, demonstrating how compromising a single developer endpoint can lead to platform-wide exposure and underscoring the growing threat posed by the rapidly evolving TeamPCP group.

Key Statistics

How the malicious extension unlocked 3,800 internal projects

Attackers gained access by tricking an employee into installing a poisoned Visual Studio Code plugin. Running with the developer's full privileges, the malicious extension harvested credentials and API tokens, which were then used to access and read approximately 3,800 internal repositories from the compromised workstation.

The attack's fingerprint aligns with tactics from TeamPCP's March 2026 campaign. According to Flare's Threat Alert: TeamPCP, the group has pivoted from ransomware to sophisticated software supply chain attacks. Researchers note that TeamPCP systematically backdoors trusted developer tools like Trivy and KICS to steal CI/CD secrets before spreading across ecosystems like npm, PyPI, and Docker Hub.

GitHub repositories accessed after employee installed malicious VS Code extension linked to TeamPCP - why it matters

The access to 3,800 internal repositories is significant because they often contain more than just source code. Build scripts, OAuth keys, code signing materials, and confidential design documents are frequently stored alongside code. TeamPCP is known to focus on "compromising additional secrets and exfiltrating massive amounts of data," raising concerns over:

  • Widespread secret leakage requiring extensive token rotation and key invalidation.
  • Potential exposure of unreleased product features or internal vulnerability reports.

Despite these risks, GitHub has stated there is no evidence that the breach affected customer repositories on its public platform, indicating the incident was contained to corporate systems.

Extension ecosystems as an attack surface

Developer extension ecosystems are a proven attack surface. Research has documented that many VS Code extensions exhibit suspicious behavior, with some directly accessing SSH keys or cloud tokens. Further research has documented malicious plugins that impersonate trusted vendors, activate automatically, and exfiltrate data via stealth channels. Attackers can therefore bypass traditional perimeter defenses by targeting the tools developers willingly install on their machines.

Defensive actions organisations have already adopted

Security experts recommend immediate action focused on developer endpoint hygiene, with the most effective defenses centered on extension governance and proactive secret rotation:

  1. Inventory every VS Code plugin in use and remove unapproved publishers.
  2. Pin extension versions in devcontainer.json files and disable auto-updates on build agents.
  3. Enforce allowlists for IDE plugins, reusable GitHub Actions and composite workflows.
  4. Rotate PATs, OAuth tokens and signing keys that were reachable from the compromised workstation.
  5. Correlate endpoint EDR telemetry with GitHub audit logs to spot unusual bulk clone events.

Implementing these controls can significantly reduce attacker dwell time and limit lateral movement, containing the blast radius if a malicious extension bypasses marketplace security checks.

Signs TeamPCP campaigns will continue

TeamPCP has demonstrated both scale and sophistication, signaling that its campaigns will likely continue. The group previously compromised a significant number of servers in cloud-native campaigns and deployed a self-replicating npm worm that spread across multiple developer ecosystems in just one week. Their consistent targeting of popular developer packages suggests a strategy focused on rapid, multi-ecosystem propagation. For engineering leaders, the key takeaway is to adopt a zero-trust mindset: treat every extension, third-party action, and container image as potentially hostile until verified.

How did attackers reach 3,800 GitHub-internal repositories?

A single malicious VS Code extension - masquerading as the legitimate Nx Console add-on - was installed by a GitHub employee.
Once active, the extension harvested credentials that let the threat actor clone or read every internal repo reachable from that endpoint, about 3,800 in total.
The incident shows how one developer tool can become a universal key to vendor source code.

Who is behind the campaign and what else have they done?

Microsoft and independent researchers attribute the breach to TeamPCP, a group also tracked as PCPcat, CanisterWorm, and ShellForce.
During 2026 the same actor:
- hijacked Trivy, KICS, and LiteLLM, tools downloaded millions of times by security teams
- inserted a self-spreading npm worm that reached GitHub Actions, Docker Hub, OpenVSX and PyPI in one week
Unit 42 estimates the group has exfiltrated 300 GB of secrets from roughly half a million machines since December 2025.

Why are VS Code extensions such a popular supply-chain weapon?

Extensions run with the same OS rights as the user, can read SSH keys, cloud tokens and source code, and updates happen silently in the background.
Academic research has found that a significant portion of marketplace extensions show suspicious behavior, with some extensions accessing SSH keys directly.
In short, one click in the editor can bypass firewalls, EDR and all repository-level controls.

What did GitHub say about customer data?

GitHub's public update confirms the attacker reached only internal repositories; there is no evidence customer code, issues or packages were modified.
Still, the company treated every token, Actions secret and signing key that touched the affected endpoint as compromised and rotated them, showing how internal breaches ripple outward to CI/CD workflows.

What concrete steps reduce IDE-extension risk today?

  1. Create an allow-list: block all VS Code extensions except approved Publisher IDs
  2. Pin versions in devcontainer.json or policy file; disable auto-updates
  3. Scan ~/.vscode/extensions for obfuscated .js files, unusual network calls or .bat/.ps1 scripts
  4. Rotate secrets immediately if any developer installed unvetted add-ons in the last six months
  5. Monitor repository access logs for bulk clones from developer IPs - often the first visible sign of extension-based compromise

Following these controls turns a once-invisible risk into a managed, measurable part of your supply-chain security program.