Contact Us

Blog

Rss Feed

Home  ›  Blog  ›  GitHub's 3,800 Repositories Stolen: The Poisoned VS Code Extension That Shook the Software Supply Chain

GitHub's 3,800 Repositories Stolen: The Poisoned VS Code Extension That Shook the Software Supply Chain

Published May 28th, 2026 by Bayonseo

General

After hackers gained access to an employee's device using a malicious Visual Studio Code plugin, GitHub, the biggest code hosting platform in the world, announced a significant data breach. About 3,800 internal repositories including source code and internal organization data connected to GitHub's primary platform, were allegedly exfiltrated by the threat actor group TeamPCP; GitHub asserts this number is "directionally consistent" with its own investigation. A hacker community is currently offering the stolen data for sale, with a starting price of $50,000.

The hack reveals a risky reality about the contemporary software supply chain, notwithstanding GitHub's claim that client repositories are unaffected. The newest and most potent attack vectors for skilled cybercriminals are the very technologies that developers rely on the most.


How One Extension Unlocked GitHub's Crown Jewels

Instead of a sophisticated phishing campaign or a zero-day exploit, the attack started with a poisoned VS Code plugin that was sold on the official marketplace. Because VS Code extensions operate with full user privileges on a developer's workstation, the installation of the malicious extension by a GitHub employee turned into a privilege escalation.

After installation, the extension provided attackers with access to all of the environment's secrets, cloud keys, SSH keys, and credentials. Before the breach was discovered on May 19, 2026, TeamPCP advanced laterally into GitHub's core infrastructure from that one compromised endpoint, copying thousands of repositories.


Why This Matters Even Without Customer Data Exposure

The consequences are severe, notwithstanding GitHub's emphasis that customer repositories were not viewed. With code and infrastructure utilized by millions of developers and businesses worldwide, GitHub is at the heart of the global software supply chain.

Internal repositories that are exposed could show:

  • The internal APIs and operational tools that drive GitHub's platform
  • Workflows for authentication and infrastructure setups that might be used in subsequent attacks
  • Attackers can learn about GitHub's defenses through code patterns and security measures.

In a post, TeamPCT stated clearly: "We don't care about extorting GitHub, one buyer, and we shred the data on our end." Since it appears that we will shortly be retiring, we will leak it for free if no buyer is found.


TeamPCP: A Specialized Supply Chain Threat

TeamPCP is not your typical cybercrime group. Building its operations around automation and the exploitation of known vulnerabilities and cloud misconfigurations, this cloud-focused operation first surfaced as a large-scale exploitation platform in late 2025. In recent months, the gang has carried out at least 20 waves of supply-chain hacks, compromising hundreds of businesses and Trojanizing over 500 pieces of software.

Beyond GitHub, TeamPCP has previously hit the repositories behind Trivy, Checkmarx, LiteLLM, and BerriAI. The same week as the GitHub breach, the group compromised Microsoft's durabletask Python SDK on PyPI, demonstrating a coordinated, platform-agnostic attack campaign.


How to Protect Your Development Environment

The GitHub hack serves as a warning to businesses and developers. Nowadays, VS Code extensions pose a serious supply chain risk that the majority of security teams have not yet managed.

Quick steps you can take:

  • Examine all of your development team's installed extensions. Eliminate any that are superfluous or originate from unreliable publishers.
  • Use VS Code's enterprise administration features to enforce extension allow-listing. Extensions should be handled just like any other third-party program.
  • When possible, run extensions in isolated contexts to restrict access to sensitive systems and credentials.
  • Keep an eye out for dubious upgrades to your dependable extensions on the official VS Code marketplace.
  • Credentials should be routinely rotated, particularly for systems that can be accessed from developer workstations.


How Bayon Technologies Group Can Help

We at Bayon Technologies Group assist businesses in protecting their development pipelines from supply chain intrusions of this nature. Our all-inclusive services consist of:

  • Software Supply Chain Audits: We look for vulnerabilities, configuration errors, and hidden dangers throughout the whole development toolchain, including IDE extensions.
  • Third-Party Risk Management: We assist you in assessing and keeping an eye on the security posture of each tool and extension that your developers utilize.
  • Zero-Trust for Development Environments: To make sure that a single compromised endpoint does not result in a disastrous breach, we employ least-privilege access rules, credential hygiene, and ongoing monitoring.
  • Security Awareness for Developers: We teach your engineering teams how to identify and steer clear of supply chain risks, such as malicious extensions that pose as trustworthy tools.

The attacker gained access to the largest code repository in the world by using only a developer's trusted tool. Prevent your company from being the next casualty. To safeguard your software supply chain from endpoint to cloud, get in touch with us today!

‹ Back

Serving South Florida businesses: Florida City, Miami, Coral Gables, Doral, Hollywood, Fort Lauderdale, Sunrise, Boca Raton