securityaffairs.com 5/20/2026, 9:51:04 AM · via preferred

Malicious VS Code Extension Compromises GitHub Internal Repos


A malicious VS Code extension breached GitHub’s internal repositories after an employee installed a trojanised extension from the official marketplace. The incident led to the exfiltration of roughly 3,800 GitHub-internal repositories. GitHub confirmed that the extension was detected and contained, and that the exfiltrated data related to internal repositories.

The cybercrime group TeamPCP claimed the attack on the Breached cybercrime forum, asserting access to GitHub source code and roughly 4,000 private repositories. The group is demanding a minimum of $50,000 for the stolen data. GitHub states there is currently no evidence that customer data stored outside the affected repositories has been compromised, and the investigation is ongoing.

The company’s public statements, including a May 20, 2026 timeline, note that the malicious extension version was removed and the endpoint isolated as incident response began.

Article by CyberSIXT
