Hackers Reached GitHub's Internal Repositories Through a VS Code Extension


Hackers Used a VS Code Extension to Reach GitHub’s Internal Repositories. The Pattern Should Worry Developers. - Firethering

Wednesday, May 20, 2026

Hackers Used a VS Code Extension to Reach GitHub’s Internal Repositories. The Pattern Should Worry Developers.

By Mohit Geryani

May 20, 2026

Last updated: May 20, 2026


GitHub says hackers reached thousands of internal repositories after compromising an employee device through a malicious VS Code extension.

"We are investigating unauthorized access to GitHub’s internal repositories. While we currently have no evidence of impact to customer information stored outside of GitHub’s internal repositories (such as our customers’ enterprises, organizations, and repositories), we are closely…"
— GitHub (@github) May 19, 2026

That detail matters more than the breach itself because this keeps happening now. OpenAI got hit through a poisoned developer dependency earlier this year. The European Commission got compromised through a similar supply chain route. Attackers are increasingly targeting the tools developers trust instead of trying to break company infrastructure directly.

And honestly, it makes sense. A developer machine already has access to everything attackers want. This GitHub incident is another reminder that the weakest point in modern software security might not be the company. It might be the extensions, packages, and tools sitting inside a developer’s editor.


What Happened?

GitHub says the breach started with a compromised VS Code extension installed on an employee device. From there, attackers were able to move into GitHub’s internal environment and access roughly 3,800 repositories.

So far, the company says there’s no evidence that customer repositories or production systems were affected. The stolen data reportedly came from internal repositories tied to engineering, infrastructure, and internal tooling.

The group behind the attack is believed to be TeamPCP, a threat actor that has been linked to several recent supply chain attacks targeting developers and enterprise tooling. GitHub says the attackers later attempted extortion after stealing the data.

What still isn’t clear is which VS Code extension was involved, how long it stayed compromised, or whether other developer machines were affected before the intrusion was discovered.

That uncertainty is part of the problem with attacks like this. A malicious extension does not look dramatic when it lands on a machine. It looks like another productivity tool. By the time anyone notices, the attacker is usually already somewhere they should not be.

The attack pattern that keeps working

Instead of hammering away at hardened infrastructure, attackers are going after the software developers install voluntarily. VS Code extensions. npm packages. GitHub Actions. CI utilities. The trust relationship is already there, which makes the job easier.

That’s basically what happened in the tj-actions incident that affected OpenAI and a long list of other companies earlier this year. Attackers compromised a widely used GitHub Action, injected malicious code, and suddenly secrets from CI pipelines started leaking across multiple organizations. The European Commission was reportedly hit through a similar supply chain route tied to developer tooling.

Now GitHub joins that list.

And the logic behind these attacks is hard to ignore. Developers sit close to the center of modern infrastructure. Their machines often have access to repositories, deployment systems, internal dashboards, cloud credentials, and collaboration tools all at once. Compromising one trusted developer environment can be more useful than attacking a company’s public-facing systems directly.

The scary part is that most of these tools do not feel risky when you install them. A VS Code extension feels harmless right up until it isn’t.
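One check a team can run on developer machines is an inventory of installed extensions, shown here as an added example that is not from the article or from GitHub. It assumes the desktop VS Code layout of one folder per extension containing a package.json (by default under ~/.vscode/extensions); the allowlist entries and sample manifests are constructed, and the two signals it reports are triage criteria chosen for this example, not indicators from the incident.

```python
import json
import tempfile
from pathlib import Path

# Activation events that load an extension as soon as the editor starts,
# before the user invokes any of its features.
STARTUP_EVENTS = {"*", "onStartupFinished"}

def audit_extensions(ext_dir, allowlist):
    """Return one finding per installed extension that needs review."""
    findings = []
    for manifest in sorted(Path(ext_dir).glob("*/package.json")):
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
            if not isinstance(meta, dict):
                raise ValueError("manifest is not a JSON object")
        except (OSError, ValueError):
            # A manifest that cannot be parsed is itself worth a look.
            findings.append({"id": manifest.parent.name, "reasons": ["unreadable manifest"]})
            continue
        ext_id = f"{meta.get('publisher', '?')}.{meta.get('name', '?')}".lower()
        reasons = []
        if ext_id not in allowlist:
            reasons.append("not on allowlist")
        if STARTUP_EVENTS & set(meta.get("activationEvents") or []):
            reasons.append("activates on startup")
        if reasons:
            findings.append({"id": ext_id, "version": meta.get("version"), "reasons": reasons})
    return findings

def build_sample_dir():
    """Create a throwaway extensions folder with constructed manifests."""
    root = Path(tempfile.mkdtemp())
    samples = [
        {"publisher": "example-corp", "name": "linter", "version": "1.2.0",
         "activationEvents": ["onLanguage:python"]},
        {"publisher": "unknown-dev", "name": "theme-pack", "version": "0.0.3",
         "activationEvents": ["*"]},
    ]
    for m in samples:
        folder = root / f"{m['publisher']}.{m['name']}-{m['version']}"
        folder.mkdir()
        (folder / "package.json").write_text(json.dumps(m), encoding="utf-8")
    (root / "broken.ext-0.1.0").mkdir()
    (root / "broken.ext-0.1.0" / "package.json").write_text("{not json", encoding="utf-8")
    return root

if __name__ == "__main__":
    # Constructed allowlist; in practice this comes from your own review process.
    for finding in audit_extensions(build_sample_dir(), {"example-corp.linter"}):
        print(finding)
```

To audit a real machine, pass `Path.home() / ".vscode" / "extensions"` and your own reviewed allowlist instead of the sample directory.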

Why developer tools became the perfect target

Most companies spent years hardening their external infrastructure. Multi factor...
