MICROSOFT-OWNED code-hosting platform GitHub confirmed on 20 May 2026 that approximately 3,800 internal repositories were impacted in a supply chain attack. The intrusion stemmed from a poisoned VS Code extension installed by an employee, with GitHub stating the activity involved exfiltration of GitHub-internal repositories only; the attacker’s claims of ~3,800 repositories were directionally consistent with their investigation so far.
The hacking group TeamPCP, known for recent supply chain attacks, claimed the breach on an underground forum and offered stolen information for at least $50,000. GitHub rotated critical secrets in response and said it would continue to analyse logs, validate secret rotation, and monitor for follow-on activity, with a full incident report promised later.
According to Aikido Security researcher Charlie Eriksen, VS Code extensions can have access to all data on a developer’s machine, underscoring why developer tooling remains a prime target in supply chain attacks.