A supply chain attack was conducted against GitHub when a GitHub employee installed a malicious VS Code extension, which allowed the TeamPCP hacking group to access and exfiltrate data from approximately 3,800 internal repositories. The attackers claimed to have stolen source code and internal organizational information, offering it for sale. GitHub confirmed the breach and took immediate remediation steps including secret rotation and ongoing investigation. The incident underscores the security risks associated with developer tooling and extensions that have broad access to sensitive credentials and data on developer workstations.

The attackers gained unauthorized access to thousands of internal GitHub repositories, potentially exposing proprietary source code and internal organizational data. This could lead to intellectual property theft and increased risk of further attacks leveraging stolen credentials or code. GitHub prioritized rotating critical secrets to mitigate immediate risks. No public evidence indicates exploitation beyond data exfiltration at this time.

GitHub has rotated critical secrets and is actively investigating and monitoring for follow-on activity. Organizations should ensure strict controls and visibility over developer tooling, especially VS Code extensions, to prevent similar supply chain attacks. Since this is a targeted attack involving internal employee devices, mitigation focuses on securing developer environments and promptly responding to suspicious activity. Patch status is not applicable as this is an operational security incident rather than a software vulnerability. Check GitHub's official communications for updates and further remediation guidance.