GitHub is investigating a significant security incident after attackers allegedly gained access to internal systems and exfiltrated thousands of private repositories following a compromise of an employee device. The incident has raised renewed concerns over supply chain security and the growing use of developer tools as attack vectors.
The company, which is owned by Microsoft, confirmed that its internal investigation is ongoing after a threat actor reportedly offered stolen source code for sale on underground cybercrime forums.
Attack Linked to Employee Device Compromise via Malicious Extension
According to GitHub’s preliminary findings, the intrusion stemmed from a compromised employee workstation infected through a malicious Visual Studio Code extension. The compromised device reportedly allowed attackers to access internal authentication material and sensitive development resources.
GitHub stated that it has rotated critical security credentials and is actively reviewing its infrastructure for any potential lateral movement or follow-on activity.
Thousands of Internal Repositories Allegedly Accessed
Security researchers and threat intelligence reports indicate that more than 3,800 internal repositories may have been accessed during the breach. The stolen data allegedly spans a wide range of internal projects, including infrastructure tools, development workflows, and security-related systems.
While GitHub has not confirmed the full scope of exposed data, the company noted that the attacker’s claims are “directionally consistent” with its ongoing investigation.
Threat Actor Attempted to Sell Stolen Source Code
The breach was attributed to a cybercriminal group known as TeamPCP, which is reportedly linked to previous software supply chain attacks targeting open-source ecosystems.
The group allegedly listed GitHub’s internal source code for sale on a cybercrime forum, claiming possession of thousands of repositories. The data was reportedly offered at tens of thousands of dollars, with additional claims suggesting the intent was not extortion but a direct resale operation.
Possible Connection to Broader Supply Chain Attacks
Investigators are also examining links between this incident and a broader campaign involving compromised developer tools and malicious software packages. In parallel activity, threat actors have been observed targeting package ecosystems such as Python’s PyPI and distributing infostealers through infected dependencies.
These attacks often rely on stolen tokens and credentials from developer environments, allowing attackers to pivot into cloud systems and continuous integration pipelines.
Supply Chain Risk Through Developer Tools
Security researchers warn that the incident highlights the increasing risk posed by malicious extensions and compromised developer tooling. Once installed on a developer’s machine, these tools can provide attackers with access to authentication tokens, cloud credentials, and source code repositories.
In this case, the malicious extension is believed to have enabled access to internal systems without triggering immediate detection, allowing attackers to quietly extract sensitive data.
Industry Response and Ongoing Investigation
GitHub has not confirmed whether customer-facing repositories or external enterprise systems were impacted. The company stated that it is actively monitoring for any signs of downstream exposure and will notify affected customers if necessary.
Security teams are continuing to analyze logs, revoke compromised credentials, and assess the full scope of the intrusion.
Growing Concern Over Software Supply Chain Attacks
The incident underscores a broader trend in cybercrime: targeting developer ecosystems to gain indirect access to high-value infrastructure. By compromising internal tools and repositories, attackers can potentially reach downstream systems, cloud environments, and production pipelines.
As investigations continue, cybersecurity experts warn that organizations must strengthen endpoint security for developers and closely monitor third-party extensions used within software development environments.
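One defender-side way to act on that recommendation, added here as an example and not part of the original report: a Python audit that compares a workstation's installed VS Code extensions against an organizational allowlist and flags anything unreviewed. The inventory file path, its JSON field names, and the allowlist contents are assumptions for illustration, not details from the incident.

```python
import json
import os
from typing import Dict, List, Optional, Set

# Constructed sample shaped like VS Code's installed-extension inventory
# (~/.vscode/extensions/extensions.json). The field names are an assumption
# about current VS Code builds; the entries themselves are made up.
SAMPLE_INVENTORY = json.dumps([
    {"identifier": {"id": "ms-python.python"}, "version": "2024.2.1"},
    {"identifier": {"id": "esbenp.prettier-vscode"}, "version": "10.1.0"},
    {"identifier": {"id": "unknown-dev.helper-tools"}, "version": "0.0.3"},
    {"identifier": {"id": "nodotextension"}, "version": "1.0.0"},
])

# Hypothetical organizational allowlist: individually reviewed extension IDs,
# plus publishers whose extensions are trusted as a group.
APPROVED_EXTENSIONS: Set[str] = {"esbenp.prettier-vscode"}
TRUSTED_PUBLISHERS: Set[str] = {"ms-python", "ms-vscode"}


def audit_extensions(inventory_json: str, approved: Set[str],
                     trusted_publishers: Set[str]) -> List[Dict[str, str]]:
    """Return installed extensions that are neither approved nor from a trusted publisher.

    Each finding carries the extension ID, version and a short reason so the
    output can be forwarded to a SIEM or compared across a fleet of workstations.
    """
    findings: List[Dict[str, str]] = []
    for entry in json.loads(inventory_json):
        ext_id = str(entry.get("identifier", {}).get("id", ""))
        version = str(entry.get("version", "unknown"))
        publisher, sep, name = ext_id.partition(".")
        if not sep or not publisher or not name:
            # Marketplace IDs are "publisher.name"; anything else was not installed normally.
            findings.append({"id": ext_id, "version": version, "reason": "malformed id"})
        elif ext_id not in approved and publisher not in trusted_publishers:
            findings.append({"id": ext_id, "version": version, "reason": "not on allowlist"})
    return findings


def audit_workstation(path: Optional[str] = None) -> List[Dict[str, str]]:
    """Audit the local inventory file; fall back to the constructed sample if it is absent."""
    path = path or os.path.expanduser("~/.vscode/extensions/extensions.json")
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            return audit_extensions(fh.read(), APPROVED_EXTENSIONS, TRUSTED_PUBLISHERS)
    return audit_extensions(SAMPLE_INVENTORY, APPROVED_EXTENSIONS, TRUSTED_PUBLISHERS)


if __name__ == "__main__":
    for finding in audit_workstation():
        print(f"{finding['id']} {finding['version']}: {finding['reason']}")
```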