
On May 20, GitHub posted an update on X regarding its security incident investigation, confirming that an employee’s device was compromised through a VS Code extension that had been implanted with malicious code, resulting in the theft of approximately 3,800 internal repositories. GitHub said there is no evidence that customer information stored outside of GitHub internal code repositories was impacted. GitHub has removed the malicious extension, isolated affected endpoints, and rotated critical credentials.
Security incident details confirmed by GitHub
According to a confirmation in GitHub’s official X post:
Scope of impact: Approximately 3,800 GitHub internal repositories (the attacker’s claimed figure is broadly consistent with GitHub’s investigation findings)
Root cause: Employee device compromise
Attack vector: A VS Code extension with malicious code implanted (developer supply-chain attack)
Customer impact: GitHub confirmed that the data leak was “strictly limited to data in GitHub internal code repositories,” and found no evidence of impact to customer data, enterprises, organizations, or repositories
Confirmation status of the threat actor
According to disclosure by Dark Web Informer (a threat intelligence organization), a threat actor operating under the alias TeamPCP had already posted product listings on the dark web selling GitHub internal source code and organizational data before the GitHub announcement. H2S Media reported that TeamPCP and the Shai-Hulud worm malware were backed by the same organization, and the malware has recently caused widespread infection in open-source libraries.
Confirmation and response measures taken
According to GitHub’s official statement:
Completed: Removed the malicious VS Code extension, isolated affected endpoints, and prioritized rotating the most impacted critical credentials (completed on the same day the incident was discovered)
In progress: Analyzing logs, verifying credential rotation status, monitoring subsequent activity, and conducting a comprehensive incident response investigation
Planned: Publish a full report after the investigation ends; if more widespread impact is found, notify customers through existing incident response channels
Background on recent GitHub-related security incidents
According to the timeline reported by H2S Media:
Three weeks ago: Wiz researchers disclosed CVE-2026-3854, a severe remote code execution (RCE) vulnerability that allows any authenticated user to execute arbitrary commands on GitHub backend servers via a single git push command
Last week: SailPoint’s GitHub code repository was compromised due to a third-party application vulnerability
May 17, 2026: Grafana Labs confirmed that a GitHub token was leaked; the threat actor obtained repository access and attempted extortion
Frequently asked questions
Did this intrusion affect GitHub’s public repositories or user repositories?
According to GitHub’s official statement, the data leak was “strictly limited to GitHub internal repositories,” and there is currently no evidence that customer data, enterprises, organizations, or repositories were impacted. Customer-facing systems were not affected.
What was the entry point of this attack, and how can it be prevented?
According to GitHub’s confirmation, the attack vector was a VS Code extension with malicious code implanted, which is a developer supply-chain attack. Binance founder CZ advised: “API keys in private repositories should be immediately reviewed and replaced.”
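As an added example (not from GitHub’s statement or any of the reports cited above), the following Python audit lists installed VS Code extensions whose publisher.name is not on a vetted allowlist, the kind of endpoint inventory check a defender runs after a malicious-extension incident. The allowlist, sample manifests and temporary directory are constructed for the demo; real installs keep each extension’s package.json under ~/.vscode/extensions/.

```python
import json
import tempfile
from pathlib import Path
from typing import Optional

# Extensions the organisation has vetted, keyed as "publisher.name" (constructed allowlist).
ALLOWLIST = {"ms-python.python", "esbenp.prettier-vscode"}

def read_manifest(ext_dir: Path) -> Optional[dict]:
    """Return identity fields from an extension's package.json, or None if it cannot be read."""
    manifest = ext_dir / "package.json"
    if not manifest.is_file():
        return None
    try:
        data = json.loads(manifest.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return None
    publisher, name = data.get("publisher"), data.get("name")
    if not publisher or not name:
        return None  # without publisher and name it cannot be matched to the allowlist
    return {"id": f"{publisher}.{name}", "version": data.get("version", "?"), "path": str(ext_dir)}

def audit_extensions(extensions_root: Path, allowlist: set) -> list:
    """Return installed extensions that are not on the allowlist, for removal or review."""
    findings = []
    for ext_dir in sorted(p for p in extensions_root.iterdir() if p.is_dir()):
        info = read_manifest(ext_dir)
        if info is None:
            findings.append({"id": None, "version": "?", "path": str(ext_dir), "reason": "unreadable manifest"})
        elif info["id"] not in allowlist:
            findings.append({**info, "reason": "not on allowlist"})
    return findings

def build_sample_extensions(root: Path) -> Path:
    """Write constructed extension directories so the audit can run offline."""
    samples = {
        "ms-python.python-2024.4.1": {"publisher": "ms-python", "name": "python", "version": "2024.4.1"},
        "unknown-pub.helper-1.0.0": {"publisher": "unknown-pub", "name": "helper", "version": "1.0.0"},
    }
    for dirname, manifest in samples.items():
        d = root / dirname
        d.mkdir(parents=True, exist_ok=True)
        (d / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    (root / "broken-ext-0.0.1").mkdir(parents=True, exist_ok=True)  # no package.json at all
    return root

def run_demo() -> list:
    """Build the constructed extension tree in a temp dir and audit it."""
    root = build_sample_extensions(Path(tempfile.mkdtemp()) / "extensions")
    return audit_extensions(root, ALLOWLIST)

if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['reason']}: {f['id']} {f['version']} ({f['path']})")
```

Point the audit at ~/.vscode/extensions on a real endpoint and feed it the organisation’s own allowlist; anything it flags is a candidate for the same removal and credential-rotation steps GitHub describes.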
When will GitHub publish the full incident report?
According to GitHub’s official statement, the full report will be released after the investigation concludes, but the specific timing has not been announced yet.