Attack on GitHub: Data from 3800 internal repositories stolen
GitHub has confirmed an attack via an extension for Visual Studio Code. The stolen data is apparently for sale on a cybercrime forum.
Attackers apparently had access to GitHub's internal repositories. The operator of the version control platform confirmed, first to Bleeping Computer and later on X, that it is investigating the unauthorized access to repositories.
According to the post on X, only internal repositories are affected. There are no indications that customer information has been exfiltrated. Should that turn out to be the case, GitHub says it will inform those impacted directly through the usual channels.
Malicious code in an extension for Visual Studio Code
Apparently, the entry point was malicious code in a Visual Studio Code extension on an employee's device. According to its own statement, GitHub has isolated the endpoint and immediately initiated incident response measures.
Infected extensions also turn up repeatedly on the official marketplaces of Microsoft and Eclipse. A prominent example was GlassWorm in October 2025. In spring 2026, there were numerous extensions with malicious code, which their creators presumably released as trial balloons for a ransomware attack.
TeamPCP claims the attack
TeamPCP has claimed the attack in a cybercrime forum. The group is said to be responsible for numerous recent incidents, including infected npm packages from SAP and an attack on the open-source security scanner Trivy. In addition, TeamPCP recently released the source code for the npm worm Shai-Hulud.
The attacker group speaks of about 4000 repositories, which roughly matches the figure of 3800 repositories that GitHub reported in a later X post.
TeamPCP is auctioning the data via the cybercrime forum and extorts GitHub only between the lines. In the text, the group explicitly emphasizes that it does not want any ransom and does not want to extort GitHub, but wants to sell the stolen data to the highest bidder. It will not, however, accept bids below 50,000 US dollars.
If a buyer is found, the group gives its assurance that all data will be deleted. If no buyer is found, it would publish the data for free. That sounds a bit like extortion.
(rme)