GitHub breach exposes 3,800 repos via malicious VS Code extension

Serge Bulaev

A GitHub breach may have exposed about 3,800 internal projects after an employee installed a malicious VS Code extension linked to TeamPCP. The attack appears to have only stolen company code, and GitHub quickly rotated secrets and isolated the infected computer. Investigators have not yet shared the full attack method, but experts suggest that reused tokens and extension malware might be involved. Security teams are advising better control of developer tools and careful monitoring. It remains uncertain if attackers tried to stay inside GitHub systems or if more attacks may follow.

A major GitHub breach that exposed approximately 3,800 internal repositories was traced back to a single employee installing a malicious Visual Studio Code extension. The intrusion, first disclosed on May 20, 2026, stemmed from a poisoned version of the popular Nx Console extension, linking the attack to the threat actor TeamPCP.

Security researchers connect the incident to the broader Shai-Hulud worm, which has been compromising CI/CD pipelines since 2025. According to a Fortreum analysis, the same group compromised over 170 npm and PyPI packages in a single day in May 2026, leading to 518 million malicious downloads. This widespread campaign was corroborated by a Unit 42 report, which documented 373 tainted npm releases.

How the GitHub breach unfolded

According to official GitHub statements, the attackers only exfiltrated company-internal code, and no customer data was impacted. The company's security team responded immediately by rotating all critical secrets, isolating the infected endpoint, and working to have the malicious extension version removed from the VS Code Marketplace.

The breach occurred when a GitHub employee installed a compromised VS Code extension impersonating a legitimate tool. This malware exfiltrated the developer's credentials, granting attackers access to approximately 3,800 of the company's private code repositories. The attack focused solely on internal company code, leaving customer data unaffected.

While GitHub has not published a full kill chain for the intrusion, research on related TeamPCP activity highlights potential tactics. These include GitHub Actions cache poisoning to steal OpenID Connect tokens from runner memory and maintainer credential theft to automate the mass publication of malicious packages. Experts believe the reuse of CI tokens across attacks suggests a consistent playbook.

Wider Shai-Hulud waves in 2025-2026

The campaign's lineage traces back to September 2025, when Shai-Hulud 2.0 backdoored 796 npm packages with over 20 million weekly downloads. A smaller variant, "Mini Shai-Hulud," emerged in April 2026, causing the largest single-hour malicious package burst ever recorded in the registry. The attacks escalated in May with the takeover of the npm maintainer "atool," which led to 323 malicious releases impacting Alibaba's AntV ecosystem and other libraries.

Immediate lessons for developer environments

In response to the GitHub episode, security experts recommend immediate measures to harden developer environments against similar supply-chain attacks. Key safeguards include:

  1. Enabling Workspace Trust and removing unused extensions.
  2. Enforcing organization-wide allowlists for IDE add-ons.
  3. Rotating secrets exposed to developer laptops and CI runners.
  4. Monitoring for unusual repo-clone patterns and outbound traffic from editor processes.

What remains uncertain

GitHub's investigation is ongoing, with teams analyzing logs, validating secret rotation, and monitoring for any follow-on activity. It remains unclear if the attackers attempted to establish persistence within GitHub's systems beyond the initial data theft. With the Mini Shai-Hulud source code now public, security analysts warn that copycat attacks and new variants are likely, underscoring the need for continuous vigilance and proactive security controls.


What exactly happened in the GitHub breach?

On May 19, 2026, GitHub confirmed that a single employee workstation was compromised after the worker installed a malicious Visual Studio Code extension that impersonated the legitimate "Nx Console" tool. The extension gave the TeamPCP group enough access to clone roughly 3,800 internal repositories. GitHub emphasizes that customer code and user data were not touched; only corporate prototypes, CI configs, and some unreleased features were copied. The event is now tracked as part of the broader Shai-Hulud supply-chain campaign.

How can a VS Code extension break into a company's GitHub?

VS Code extensions run with the same rights as the user that launches the editor. Once installed, the rogue package:

  1. Read the employee's local Git credentials file (~/.git-credentials)
  2. Called GitHub's REST API with the stolen personal-access token
  3. Cloned internal repos through the API, bypassing SSO prompts because the token was already scoped for production use

Because GitHub's internal repos share the same domain as public ones, the traffic looked like normal Git operations and went unnoticed for approximately nine hours.
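Since each request looks like ordinary Git traffic, the detectable signal is volume: one token reading far more distinct repositories than usual in a short window. The following is an added example, not GitHub's detection logic; the event records are constructed and the field names (`ts`, `token_id`, `repo`, `action`) and thresholds are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events; the field names (ts, token_id, repo, action)
# are assumptions for this example, not a real audit-log schema.
def make_events():
    base = datetime(2026, 1, 1, 9, 0, 0)
    events = []
    # Normal developer: 4 clones spread over a working day.
    for i, repo in enumerate(["web", "api", "docs", "web"]):
        events.append({"ts": base + timedelta(hours=2 * i), "token_id": "tok-dev-a",
                       "repo": f"org/{repo}", "action": "git.clone"})
    # Bulk reader: 60 distinct repos, one every 20 seconds.
    for i in range(60):
        events.append({"ts": base + timedelta(minutes=30, seconds=20 * i),
                       "token_id": "tok-dev-b", "repo": f"org/internal-{i:03d}",
                       "action": "git.clone"})
    return events


def mass_read_alerts(events, window=timedelta(minutes=15), max_distinct_repos=25):
    """Return {token_id: first_alert_time} for tokens that clone more than
    max_distinct_repos distinct repositories inside any sliding window."""
    recent = defaultdict(deque)  # token_id -> (ts, repo) pairs still in the window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] != "git.clone":
            continue
        q = recent[ev["token_id"]]
        q.append((ev["ts"], ev["repo"]))
        # Drop events that have aged out of the window.
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        distinct = {repo for _, repo in q}
        if len(distinct) > max_distinct_repos and ev["token_id"] not in alerts:
            alerts[ev["token_id"]] = ev["ts"]
    return alerts


if __name__ == "__main__":
    for token, when in mass_read_alerts(make_events()).items():
        print(f"ALERT token={token} first_exceeded_at={when.isoformat()}")
```

Counting distinct repositories rather than raw clone events keeps a CI job that re-clones one repo repeatedly from tripping the rule.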

Which other projects have been hit by the same threat actor?

TeamPCP's "Mini Shai-Hulud" waves in April-May 2026 show the group is widening its aim:

Ecosystem       | Packages touched                                           | Weekly downloads
npm             | 373 poisoned versions (TanStack, Bitwarden CLI, SAP libs)  | 518 million
PyPI            | mistralai, guardrails-ai and 40+ others                    | 92 million
GitHub internal | 3,800 repos                                                | n/a

All of those packages carried valid SLSA Build Level 3 provenance, the highest level in the SLSA build track, proving that even "verified" builds can be tainted when CI infrastructure is hijacked.

What has GitHub done to stop repeat incidents?

GitHub's public statements list four concrete steps taken within 24 hours:

  • Rotated every critical secret, starting with the highest-impact tokens
  • Isolated the affected laptop and removed the malicious extension
  • Audited clone logs to confirm no customer data left the perimeter
  • Added anomaly rules that alert on mass-read events from a single token

The company has not yet published a full extension-hardening playbook, but insiders say an IDE allow-list policy and mandatory EDR on dev endpoints are being piloted.

How can individual developers and teams protect themselves today?

  1. Enable VS Code "Workspace Trust" - blocks code execution from unknown folders
  2. Pin extension versions in .vscode/extensions.json and review diffs on updates
  3. Run localhost servers only when needed; close them before opening e-mail links
  4. Scope GitHub tokens to the single repo or workflow that needs them
  5. Route outbound Git traffic through an SSH bastion that logs unusual clone volume

For enterprise settings, centralized extension allow-listing and device-level EDR are the controls most frequently linked to early detection of similar intrusions.
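An allow-list check that also compares versions is useful here, because the incident involved a poisoned version of an otherwise legitimate extension. The following is an added example, not a GitHub or VS Code tool: it audits text in the `publisher.name@version` format printed by `code --list-extensions --show-versions`; the allow-list entries, versions and sample listing are constructed.

```python
# Constructed allow-list: extension ID -> exact approved version. The IDs and
# versions are illustrative placeholders, not a vetted list.
ALLOWLIST = {
    "ms-python.python": "2026.4.0",
    "dbaeumer.vscode-eslint": "3.0.10",
    "example-publisher.build-console": "18.2.0",
}

# Constructed sample in the format printed by
# `code --list-extensions --show-versions` (one publisher.name@version per line).
SAMPLE_INSTALLED = """\
ms-python.python@2026.4.0
dbaeumer.vscode-eslint@3.0.10
example-publisher.build-console@18.3.1
Example-Publisher.Theme-Pack@1.0.0
"""


def audit_extensions(listing, allowlist):
    """Classify installed extensions as ok, version_drift, not_allowed or unparsed."""
    report = {"ok": [], "version_drift": [], "not_allowed": [], "unparsed": []}
    for line in listing.splitlines():
        line = line.strip()
        if not line:
            continue
        ext_id, sep, version = line.rpartition("@")
        if not sep or not ext_id or not version:
            report["unparsed"].append(line)
            continue
        ext_id = ext_id.lower()  # compare IDs case-insensitively
        approved = allowlist.get(ext_id)
        if approved is None:
            report["not_allowed"].append(ext_id)
        elif approved != version:
            # Approved extension, unapproved build: review before trusting it.
            report["version_drift"].append((ext_id, approved, version))
        else:
            report["ok"].append(ext_id)
    return report


if __name__ == "__main__":
    for status, items in audit_extensions(SAMPLE_INSTALLED, ALLOWLIST).items():
        print(status, items)
```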