GitHub
@github
3h
1/ We are sharing additional details regarding our investigation into unauthorized access to GitHub's internal repositories.
Yesterday we detected and contained a compromise of an employee device involving a poisoned VS Code extension. We removed the malicious extension version, isolated the endpoint, and began incident response immediately.
May 20, 2026 · 4:04 AM UTC
GitHub
@github
3h
2/ Our current assessment is that the activity involved exfiltration of GitHub-internal repositories only. The attacker’s current claims of ~3,800 repositories are directionally consistent with our investigation so far.
GitHub
@github
3h
3/ We moved quickly to reduce risk. Critical secrets were rotated yesterday and overnight with the highest-impact credentials prioritized first.
GitHub
@github
3h
4/ We continue to analyze logs, validate secret rotation, and monitor for any follow-on activity. We will take additional action as the investigation warrants.
GitHub
@github
3h
5/ We will publish a fuller report once the investigation is complete.
Nyx 夜。
@KL_MAMBA
1h
Replying to @github
@grok
What does this mean for customers 🤔
YildiriM
@yildirimayhn
59s
Replying to @github
So you guys are saying there are compromised extensions in the VS Code LIBRARY; actually, many businesses may have been affected by this until now, and GitHub is just one of them
MakeForIndia.com
@MakeForBharat
2h
Replying to @github
Extension name, please? Why the delay in sharing it?
Darren
@CorboDT
1h
Replying to @github
Just to be clear:
Microsoft’s GitHub was compromised when a Microsoft developer using Microsoft VSCode installed a rogue extension from Microsoft’s VSCode extension library, which is moderated and hosted by Microsoft.
I guess I’ll be reevaluating my life choices.
Chandru TG✨
@chandru_tg
2h
Replying to @github
Quick question from a small business owner perspective:
I have a live business website built entirely in VS Code and deployed directly from a GitHub repository (using GitHub Pages + custom domain).
How does this latest change affect existing live sites like mine? Will there be any impact on deployment workflow, build process, or live performance?
Would love a clear explanation — many small businesses and indie developers rely heavily on this exact VS Code + GitHub workflow.
Opa&Owl
@opa_owl
40m
Replying to @github
We just want to know if GitHub will report to each affected account and do damage control, or even repair any real harm caused to any of the affected accounts. Not long ago, the same thing happened with OpenAI: they provided the transparency, but when it came to repairing and individually evaluating the damage, they ran away. That will be the future... enterprises with a competitive advantage will not be those who offer personalized services, but those who are mature enough to provide personalized recovery from the financial downturn of the client. Cybersecurity: time to rethink the policies.
Kfir Gollan
@kfirgollan
2h
Replying to @github
@grok are there vendors other than koi (now part of PaloAlto) that can prevent this?
goc
@getorcreate
1h
Replying to @github
What was the VS Code Extension? Help people out.
Nitin Bisht
@nitinbisht96
1h
Replying to @github
GitHub got hit through a VS Code extension.
That's the threat model in 2026.
Sayooj
@sayoojkeloth
1h
Replying to @github
so the most secure repos in the world got taken down by a vs code extension
JustKen_Gaming
@ikennethmanuel
2h
Replying to @github
[GIF: Ah Shit Here We Go Again]
kmcodes
@kmcodes_dev
35m
Replying to @github
Malicious VS Code extension compromised a GitHub employee device.
These extensions run with full access; they can read cloned internal repos and quietly exfiltrate code.
Tip: before installing, verify publisher, read recent reviews, and review permissions.
ChainEpic
@ChainEpic
2h
Replying to @github
Interesting. Are you planning to share the specific extension name or any indicators of compromise publicly? That could help the rest of us audit our own setups.
casualnpc
@acasualnpc
2h
Replying to @github
Please tell the extension name, this could be a massive compromise to open source...