
GitHub says a poisoned Visual Studio Code extension on an employee device led to unauthorized access to about 3,800 internal repositories, highlighting broader software supply-chain risk for projects that depend on its development infrastructure.
GitHub said it detected and contained unauthorized access to its internal repositories on May 19 after a malicious Visual Studio Code extension on a compromised employee device enabled the breach. The company said the activity involved exfiltration of GitHub-internal repositories, with findings consistent with an attacker claim of access to roughly 3,800 repositories, while earlier reporting and attacker claims had referred to about 4,000. GitHub said it has not found evidence that user repositories, enterprise accounts, or other customer data stored outside those internal systems were impacted.

The incident has been attributed to TeamPCP, which Google Threat Intelligence Group tracks as UNC6780, and it has intensified concerns about software supply-chain risk because many projects, including wallets, exchanges, blockchain applications, and smart contract developers, rely on GitHub-hosted development tools and shared infrastructure. GitHub said it removed the malicious extension version, isolated the endpoint, and rotated important secrets, while Changpeng Zhao urged developers to rotate any API keys stored in code.