GitHub confirms 3,800 internal repositories breached via poisoned VS Code extension
Attack Overview
GitHub publicly confirmed on May 20, 2026 that its internal source-code repositories were breached after an employee installed a poisoned Visual Studio Code extension. Threat group TeamPCP—tracked by Google Threat Intelligence as UNC6780—has claimed responsibility for the incident.
The Trojanized Extension
The malicious extension impersonated Nx Console (nrwl.angular-console) v18.95.0. It was published to the VS Code Marketplace on May 18, 2026 and removed within approximately 11 minutes. Despite that narrow window, the credential-stealing payload was distributed to machines that synced extensions during that period. The payload was capable of harvesting credentials from 1Password vaults, Anthropic Claude Code configurations, npm, GitHub, and Amazon Web Services (AWS).
Scope of the Breach
GitHub stated that “the activity involved exfiltration of GitHub-internal repositories only” and that the attacker’s claim of approximately 3,800 repositories is “directionally consistent” with its investigation so far. External public repositories and customer data are not believed to be involved. TeamPCP is reportedly seeking at least USD $50,000 on underground forums for the stolen material.
TeamPCP’s Track Record
TeamPCP specializes in supply chain attacks targeting open-source security utilities and AI middleware. The group has previously compromised Aqua’s Trivy security scanner, CheckMarx’s KICS, the LiteLLM library, the Telnyx SDK, TanStack, MistralAI, and other packages.
What Developers Should Do
This incident highlights ongoing weaknesses in VS Code Marketplace vetting. Security professionals recommend verifying publisher identity, review count, and publication date before installing any extension, and immediately rotating API keys and tokens if a suspicious extension was recently installed.
Source: BleepingComputer, The Hacker News
Related Articles
A public issue carrying hostile instructions became the evidence HN needed for a sharper debate about agent permissions.
The Megalodon campaign pushed 5,718 malicious commits into 5,561 GitHub repositories in roughly six hours. The target was not just application code, but GitHub Actions workflows that can expose cloud credentials, CI secrets, and deployment tokens.
Security alerts are moving from volume to trust. GitHub says LLM-based contextual verification reduced secret-scanning false positives by 75.76%, beating its 65% target.