GitHub confirmed Tuesday that a hacker group stole roughly 3,800 internal code repositories after one of its employees unknowingly installed a malicious Visual Studio Code extension.
VS Code extensions are plugins downloaded through Microsoft’s official marketplace that add features to the code editor. In this case, the extension was designed to exfiltrate data in the background.
The Microsoft-owned GitHub is one of the largest software development platforms online, used by more than 180 million developers across over 4 million organizations, including 90% of the Fortune 100.
“Our current assessment is that the activity involved exfiltration of GitHub-internal repositories only,” GitHub wrote. “The attacker’s current claims of ~3,800 repositories are directionally consistent with our investigation so far.”
According to GitHub, the breach affected only internal repositories, and no customer data stored outside those repos was impacted.
“We have no evidence of impact to customer information stored outside of GitHub’s internal repositories, such as our customer’s own enterprises, organizations, and repositories,” a GitHub spokesperson told Decrypt. “Some of GitHub’s internal repositories contain information from customers, for example, excerpts of support interactions. If any impact is discovered, we will notify customers via established incident response and notification channels.”
The company said it rotated critical credentials overnight, prioritizing the highest-risk secrets first, and is continuing to monitor for additional activity.
“This remains an unverified underground forum claim,” Dark Web Informer wrote. “The actor states this is not a ransom attempt and claims the data may be leaked publicly if no buyer is found.”

















