back to top
HomeTechHackers Used a VS Code Extension to Reach GitHub’s Internal Repositories. The...

Hackers Used a VS Code Extension to Reach GitHub’s Internal Repositories. The Pattern Should Worry Developers.

- Advertisement -

GitHub says hackers reached thousands of internal repositories after compromising an employee device through a malicious VS Code extension.

That detail matters more than the breach itself because this keeps happening now. OpenAI got hit through a poisoned developer dependency earlier this year. The European Commission got compromised through a similar supply chain route. Attackers are increasingly targeting the tools developers trust instead of trying to break company infrastructure directly.

And honestly, it makes sense. A developer machine already has access to everything attackers want. This GitHub incident is another reminder that the weakest point in modern software security might not be the company. It might be the extensions, packages, and tools sitting inside a developer’s editor.

What Happened?

GitHub says the breach started with a compromised VS Code extension installed on an employee device. From there, attackers were able to move into GitHub’s internal environment and access roughly 3,800 repositories.

So far, the company says there’s no evidence that customer repositories or production systems were affected. The stolen data reportedly came from internal repositories tied to engineering, infrastructure, and internal tooling.

The group behind the attack is believed to be TeamPCP, a threat actor that has been linked to several recent supply chain attacks targeting developers and enterprise tooling. GitHub says the attackers later attempted extortion after stealing the data.

What still isn’t clear is which VS Code extension was involved, how long it stayed compromised, or whether other developer machines were affected before the intrusion was discovered.

That uncertainty is part of the problem with attacks like this. A malicious extension does not look dramatic when it lands on a machine. It looks like another productivity tool. By the time anyone notices, the attacker is usually already somewhere they should not be.

The attack pattern that keeps working

Instead of hammering away at hardened infrastructure, attackers are going after the software developers install voluntarily. VS Code extensions. npm packages. GitHub Actions. CI utilities. The trust relationship is already there, which makes the job easier.

That’s basically what happened in the tj-actions incident that affected OpenAI and a long list of other companies earlier this year. Attackers compromised a widely used GitHub Action, injected malicious code, and suddenly secrets from CI pipelines started leaking across multiple organizations. The European Commission was reportedly hit through a similar supply chain route tied to developer tooling.

Now GitHub joins that list.

And the logic behind these attacks is hard to ignore. Developers sit close to the center of modern infrastructure. Their machines often have access to repositories, deployment systems, internal dashboards, cloud credentials, and collaboration tools all at once. Compromising one trusted developer environment can be more useful than attacking a company’s public facing systems directly.

The scary part is that most of these tools do not feel risky when you install them. A VS Code extension feels harmless right up until it isn’t.

Why developer tools became the perfect target

Most companies spent years hardening their external infrastructure. Multi factor authentication, zero trust policies, endpoint monitoring, locked down production environments. Breaking in directly got harder.

So attackers adjusted. Developer tooling is now one of the softer entry points because it sits inside trusted workflows. Engineers install extensions to move faster, test packages from the community, connect third party integrations, and automate repetitive work. That culture is part of why modern software moves quickly. It is also why supply chain attacks spread so effectively once something malicious slips through.

A poisoned VS Code extension does not need to exploit some movie-style vulnerability. If a developer installs it and grants permissions, the extension is already operating inside a trusted environment. From there, stealing tokens, session data, credentials, or repository access becomes much more realistic.

And unlike phishing emails, these attacks blend into normal engineering work. Nobody panics when a teammate recommends a useful extension or a trending package starts getting adopted across GitHub. That normality is what makes the attack surface so difficult to defend.

What’s still unknown

GitHub confirmed the breach, but a lot of details are still missing.

The company has not publicly identified the VS Code extension involved, how the employee device was compromised, or how long the attackers had access before they were detected. We also do not know what was inside all 3,800 repositories that were accessed, beyond GitHub saying customer repositories and production systems were not affected.

That distinction matters, but internal repositories can still contain sensitive information. Infrastructure documentation, internal tooling, security workflows, experimental features, employee data, all of that tends to live in places developers assume are relatively safe.

There is also the bigger question hanging over all of this: how many similar compromises simply never get noticed?

Because supply chain attacks are becoming less noisy and more patient. The goal is not always immediate destruction. Sometimes it is quiet access sitting inside a trusted tool for weeks before anyone realizes something is wrong.

And honestly, that is probably the part developers should pay attention to most. Not that GitHub got breached, but how ordinary the entry point looked before everything went sideways.

Don’t miss any Tech Story

Subscribe To Firethering NewsLetter

You Can Unsubscribe Anytime! Read more in our privacy policy

LEAVE A REPLY

Please enter your comment!
Please enter your name here

YOU MAY ALSO LIKE
Leanstral AI

Leanstral 1.5: Mistral’s AI Built to Prove Math Ended Up Finding Real Software Bugs

0
Mistral built Leanstral to do something most AI models don't attempt, write formal mathematical proofs that a compiler can verify as correct. Not "pretty sure this is right" correct. Mechanically, provably, no-exceptions correct. That's a narrow use case, and the audience for it is small. What nobody expected was that a model trained on IMO-level math problems and abstract algebra benchmarks would end up running against open-source codebases and finding bugs that testing and fuzzing had both missed. Five of them previously unreported on GitHub.
Open Source AI Coding Agents That Don't Need a Subscription

7 Open Source AI Coding Agents That Don’t Need a Subscription

0
Open almost any "best AI coding tools" list and you'll see the same names: Cursor, GitHub Copilot, Claude Code. They're good tools but they're also closed source and paid. What's changed over the past year isn't the quality of those products, it's how quickly the open-source alternatives have caught up. Some can orchestrate multiple agents, remember your projects across sessions, and automate complex development workflows. Many let you bring your own model, whether that's a local LLM, OpenRouter, OpenAI, GLM-5.2, Ornith, DeepSeek, or something else entirely. More importantly, you're in control. You decide where your code runs, which model powers it, and how your workflow evolves without being locked into a single company's ecosystem. If you've only looked at the paid options, these are the open-source AI coding tools worth knowing about.
Ornith Coding model that beats Claude opus 4.7

Ornith 1.0: The New Open-Source AI Model for Agentic Coding

0
Most reinforcement learning setups for coding models work the same way. Researchers build a harness, a fixed scaffold that tells the model how to approach a category of task, then the model gets rewarded for solving problems inside that structure. The harness stays fixed. Only the model's answers change. Ornith-1.0, a new open-source coding model family from DeepReinforce is not just about coding, Instead the model writes its own scaffold. At every training step, it looks at the task in front of it and the scaffold it used last time, then proposes a better version of that scaffold before even attempting an answer. The reward doesn't just grade the solution. It grades the scaffold that produced it. That's a small architectural choice with a strange consequence. A model that gets to design its own training process can, in theory, design one that cheats the verifier instead of solving the actual problem, and DeepReinforce is upfront that this happened during training. The fix they built for it is also worth understanding before getting to the benchmark numbers.