How a Poisoned VS Code Extension Led to GitHub’s Internal Repository Breach

Overview of the Incident

On May 20, GitHub confirmed that attackers exploited a compromised Visual Studio Code extension on an employee’s machine, gaining unauthorized access to approximately 3,800 internal repositories. The incident, which unfolded within a broader wave of supply chain attacks, underscores the growing threat of software supply chain worms. The threat group behind the breach, tracked by Google Threat Intelligence Group as UNC6780 and known publicly as TeamPCP, has taken credit for the infiltration and is now advertising the stolen repositories for sale at prices starting from $50,000. According to GitHub, the attackers’ claim is “directionally consistent” with internal findings.

Source: venturebeat.com

Attack Vector: Poisoned VS Code Extension

The breach vector was a malicious version of a Visual Studio Code extension installed on a GitHub employee’s device. While the specific extension has not been named, the compromised extension enabled the attackers to traverse the internal network and exfiltrate source code from private repositories. According to GitHub’s official statement: “We detected and contained a compromise of an employee device involving a poisoned VS Code extension. We removed the malicious extension version, isolated the endpoint, and began incident response immediately.” The company also noted that critical secrets were rotated overnight, prioritizing the highest-impact credentials.

Scope of the Data Exfiltration

GitHub has assessed that the stolen data is limited to internal repositories—those used for the company’s internal operations—rather than customer-facing code. The internal repositories contain sensitive assets such as infrastructure configurations, deployment scripts, staging credentials, and internal API schemas. The attackers claim to have exfiltrated approximately 3,800 repositories, which is consistent with GitHub’s investigation. This type of access is considered an infrastructure intelligence leak rather than a standard data breach, as it provides deep insight into GitHub’s internal operations.

The Threat Group: TeamPCP (UNC6780)

TeamPCP, formally tracked by the Google Threat Intelligence Group as UNC6780, is the group behind the attack. The group has been linked to multiple waves of the Mini Shai-Hulud supply chain worm, which has been active since March. Security vendors including Trend Micro, StepSecurity, and Snyk have documented at least seven waves of this worm. The group’s modus operandi involves compromising developer tools and SDKs to inject malicious code into software supply chains.

Broader Supply Chain Context

The GitHub breach occurred alongside several related incidents, painting a grim picture of supply chain security:

These events highlight how multiple supply chain surfaces can be compromised in a short window, amplifying the impact of a single threat group.

Timeline and Disclosure

Dark Web Informer reported that TeamPCP’s listing appeared on a hacking forum hours before GitHub’s initial disclosure, advertising approximately 4,000 private repositories. Hackmanac independently confirmed the listing. An X account linked to TeamPCP, xploitrsturtle2, posted after GitHub’s confirmation: “GitHub knew for hours, they delayed telling you and they won’t be honest in the future. What an amazing run, it’s been an honor to play around with the cats over the past few months.” This suggests the attackers had prolonged access and are taunting the company.

Implications and Mitigation

This incident serves as a stark reminder that even major technology platforms are not immune to supply chain attacks. Key takeaways include:

  1. Developer Tool Hygiene: Organizations must rigorously vet all extensions and plugins used in development environments, especially on critical infrastructure.
  2. Secrets Rotation: Rapid rotation of credentials, as GitHub performed, is crucial to limit damage after a breach.
  3. Supply Chain Monitoring: Continuous monitoring of third-party components and their provenance is essential to detect malicious packages.
  4. Employee Awareness: Training employees to recognize suspicious extensions and phishing attempts can reduce the risk of initial compromise.
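
As an illustration of the extension-vetting point above, the following added example (not from GitHub or the original article) audits the output of `code --list-extensions --show-versions` against an allowlist of reviewed versions, so that an approved extension shipping an unreviewed version is flagged as well as an unknown one. The extension names, versions and sample listing are constructed for the example.

```python
"""Audit installed VS Code extensions against a pinned allowlist."""
import re

# Approved extensions and the exact versions reviewed (constructed sample policy).
ALLOWLIST = {
    "example-corp.linter": {"2.4.1"},
    "example-corp.yaml-tools": {"1.0.0", "1.0.1"},
}

# Constructed sample of `code --list-extensions --show-versions` output.
SAMPLE_LISTING = """\
example-corp.linter@2.4.1
Example-Corp.yaml-tools@1.0.2
unknown-pub.theme-pack@0.9.0
not a valid line
"""

# One line per extension: publisher.name@version
LINE_RE = re.compile(r"^([A-Za-z0-9][\w-]*\.[\w.-]+)@(\S+)$")


def audit_extensions(listing, allowlist):
    """Return (status, extension_id, version) for every non-compliant line."""
    # Compare IDs in lower case so a casing difference cannot hide a match.
    approved = {ext_id.lower(): versions for ext_id, versions in allowlist.items()}
    findings = []
    for raw in listing.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if not match:
            # Fail closed: a line that cannot be parsed is reported, not skipped.
            findings.append(("unparsed", line, None))
            continue
        ext_id, version = match.group(1).lower(), match.group(2)
        if ext_id not in approved:
            findings.append(("unapproved", ext_id, version))
        elif version not in approved[ext_id]:
            # Approved extension, but this version was never reviewed.
            findings.append(("version_drift", ext_id, version))
    return findings


if __name__ == "__main__":
    for status, ext_id, version in audit_extensions(SAMPLE_LISTING, ALLOWLIST):
        print(f"{status:14} {ext_id} {version or ''}")
```
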

GitHub has not yet released a detailed post-mortem, but the incident underscores the need for stronger security measures across the software supply chain.

Conclusion

The theft of nearly 4,000 internal GitHub repositories via a poisoned VS Code extension illustrates the sophisticated tactics used by threat groups like TeamPCP. As supply chain worms continue to evolve, organizations must adopt a proactive stance, combining technical controls with user education to safeguard critical infrastructure. The attacks on Microsoft’s Python SDK and npm packages on the same day demonstrate the interconnected nature of modern software development—and the cascading risks when one link in the chain is broken.
