GitHub employee installs malicious VS Code extension, exposing 3,800 repos

A GitHub employee may have exposed about 3,800 internal projects after installing a malicious Visual Studio Code extension linked to TeamPCP. The attacker appears to have cloned these private repositories, but GitHub says there is no evidence that customer data was leaked. Security experts suggest the attack is part of a larger Shai-Hulud campaign that targets software supply chains. Investigations are ongoing, and it is not clear what specific data was taken from the repositories. This case suggests companies should be careful with third-party developer tools, as they may create security risks.

A GitHub employee installed a malicious Visual Studio Code extension, leading to a significant security breach that exposed approximately 3,800 of the company's internal repositories. The incident, attributed to a group known as TeamPCP, underscores the growing supply-chain risks associated with third-party developer tools. While GitHub reports no customer data was compromised, the event serves as a critical case study for engineering teams globally.

How Did the Breach Happen?

The breach occurred after an employee installed a malicious VS Code extension linked to the threat actor TeamPCP. This extension, running with the developer's permissions, quietly accessed and cloned around 3,800 of GitHub's internal code repositories, highlighting significant supply-chain security risks.

The attack chain began when an employee installed a poisoned VS Code extension masquerading as the legitimate "Nx Console" tool. According to reports from Sophos and Varonis, the extension used the employee's existing OAuth tokens to clone thousands of internal projects. Because the extension ran within the developer's IDE, it inherited all their access rights, allowing the attacker to bypass other security controls without exploiting a vulnerability in GitHub itself. Public statements gathered by TechCrunch confirm this was the primary intrusion vector.

Why Are IDE Extensions a Major Supply-Chain Risk?

This incident is part of a broader campaign targeting the software supply chain. Modern IDE extensions are a powerful weapon for attackers for several reasons:

Inherited Permissions: A single installation grants the extension the same access level as its user. In this case, one developer's machine provided a gateway to thousands of repositories.
Stealthy Updates: Extensions often auto-update silently, allowing a benign tool to be replaced with a malicious version without user interaction.
Broad File System Access: Plugins frequently request broad permissions to the workspace and file system, enabling them to read source code, shell history, and cached credentials like GitHub tokens.
Publisher Impersonation: Attackers can use typosquatting or hijack legitimate publisher accounts. The malicious extension mimicked the real "@nrwl" namespace, a tactic seen in the wider Mini Shai-Hulud campaign. That campaign, detailed in a StepSecurity report, has used self-propagating worms and OIDC token theft. According to Phoenix Security, a recent wave hit 323 packages with 16 million weekly downloads.

What Was the Impact of the Breach?

The 3,800 cloned repositories contained proprietary source code, internal configuration files, and deployment scripts. Following the breach, the attackers reportedly advertised the data archive for sale on underground forums with an asking price exceeding $50,000, according to Sophos.

While GitHub stated there is "no evidence" of customer data exposure, the stolen build logic and internal code could be weaponized in future attacks against downstream users or services that depend on GitHub's infrastructure. In related campaigns, TeamPCP has used exfiltrated tokens to create thousands of public GitHub repositories as dead-drops for staging malware.

How Was the Intrusion Discovered and Contained?

GitHub's response was rapid, focusing on containment and credential rotation.

According to industry reports, GitHub detected and contained the compromise of the employee device involving the poisoned VS Code extension. The malicious extension was removed from the VS Code Marketplace and the compromised endpoint was isolated. GitHub began rotating critical secrets, prioritizing the highest-impact credentials first, according to Infosecurity Magazine. The company also reviewed forensic logs and implemented behavioral detections to flag anomalous mass-repository clone activity.

Result: The breach was contained to internal repositories, with no customer repository data loss reported.

What Steps Should Engineering Teams Take Now?

This incident provides several urgent defensive lessons for all development teams:

Inventory all IDE extensions: Treat every plugin as enterprise software requiring vetting.
Control updates: Pin extension versions to specific, trusted commit hashes and disable automatic updates on developer workstations.
Rotate credentials: Assume exposure and rotate all tokens and SSH keys that have access to sensitive systems like GitHub, npm, or cloud providers.
Enforce strong authentication: Mandate SSO and MFA for all developer identities and use just-in-time (JIT) elevation for access to sensitive repositories.
Monitor for anomalous behavior: Implement behavioral detections to alert on suspicious activity, such as a single user cloning or downloading hundreds of repositories in a short period.
Centralize secrets management: Move long-lived credentials off developer laptops and into secure stores like Vault, AWS Secrets Manager, or Azure Key Vault.