GitHub confirms breach via malicious VS Code extension

GitHub confirmed attackers accessed approximately 3,800 internal repositories after compromising an employee device through a malicious Visual Studio Code extension [source: @appinventiv4ai]. The breach occurred when an employee installed the compromised extension, giving attackers a foothold into GitHub's internal systems. The company says the extension was distributed outside official channels and did not affect the VS Code marketplace.

No evidence shows customer repositories, authentication secrets, or enterprise data were accessed, GitHub stated. The company has since revoked the extension’s credentials, reset employee access tokens, and launched a full forensic review. The incident highlights risks in developer toolchains, especially when third-party tools bypass centralized security controls.

The breach underscores how supply-chain attacks increasingly target trusted development environments. VS Code, used by over 15 million developers, is a high-value vector. While GitHub’s public and customer-facing services remain secure, internal tools and repositories were exposed, including source code and internal documentation.

Developers should audit extensions installed in their environments, particularly those with broad permissions or from unverified publishers. GitHub recommends enabling two-factor authentication and limiting third-party tool access—a practice many organizations overlook despite repeated warnings [source: @appinventiv4ai].