GitHub Employee's Malicious VS Code Extension Leads to Data Breach
L'essentiel
- GitHub confirmed a data breach affecting ~3,800 internal code repositories, caused by a malicious VS Code extension installed by an employee.
- A hacker group, TeamPCP, claimed responsibility, seeking $50,000 for the data.
Résumé généré par IA
Pourquoi c'est important
GitHub confirmed a data breach where a hacker group stole approximately 3,800 internal code repositories. The breach occurred after an employee installed a malicious Visual Studio Code extension, which was designed to exfiltrate data. GitHub stated that only internal repositories were affected and no customer data outside these repos was impacted.
GitHub confirmed Tuesday that a hacker group stole roughly 3,800 internal code repositories after one of its employees unknowingly installed a malicious Visual Studio Code extension.
VS Code extensions are plugins downloaded through Microsoft’s official marketplace that add features to the code editor. In this case, the extension was designed to exfiltrate data in the background.
“Yesterday we detected and contained a compromise of an employee device involving a poisoned VS Code extension,” the company said in a post on X. “We removed the malicious extension version, isolated the endpoint, and began incident response immediately.”
The Microsoft-owned GitHub is one of the largest software development platforms online, used by more than 180 million developers across over 4 million organizations, including 90% of the Fortune 100.
“Our current assessment is that the activity involved exfiltration of GitHub-internal repositories only,” GithHub wrote. “The attacker’s current claims of ~3,800 repositories are directionally consistent with our investigation so far.”
According to GitHub, the breach affected only internal repositories, and no customer data stored outside those repos was impacted.
"We have no evidence of impact to customer information stored outside of GitHub's internal repositories, such as our customer's own enterprises, organizations, and repositories,” a GitHub spokesperson told Decrypt. “Some of GitHub's internal repositories contain information from customers, for example, excerpts of support interactions. If any impact is discovered, we will notify customers via established incident response and notification channels."
The company said it rotated critical credentials overnight, prioritizing the highest-risk secrets first, and is continuing to monitor for additional activity.
According to cybersecurity X account Dark Web Informer, TeamPCP claimed responsibility for the breach on Breached, a black-hat cybercrime forum. The group allegedly said it possessed around 4,000 private repositories and was seeking at least $50,000 for the data, with samples available to verified buyers.
“This remains an unverified underground forum claim,” Dark Web Informer wrote. “The actor states this is not a ransom attempt and claims the data may be leaked publicly if no buyer is found.”
Questions ouvertes
- What specific types of information were contained within the exfiltrated internal repositories?
- What is the exact timeline of the malicious extension's activity?
- What measures will GitHub implement to prevent similar breaches in the future?
- Has TeamPCP provided verifiable proof of the stolen data?
