GitHub Breach via Compromised VS Code Extension

On May 18, GitHub detected unauthorized access to its internal repositories stemming from a compromised third-party Visual Studio Code extension. The malicious version was promptly removed, the affected employee device isolated, and critical secrets rotated. Attackers claimed to have accessed approximately 3,800 repositories, but GitHub's investigation confirmed exfiltration only from internal repositories, with no customer data compromised. Some internal repos contained excerpts of customer support interactions; affected customers will be notified if any impact is found.

GitHub's security team discovered the intrusion after a poisoned VS Code extension was installed on an employee machine, providing a backdoor to internal systems. The extension has since been scrubbed from GitHub's environment, and the company rotated all secrets that could have been exposed. The incident did not breach production environments or customer-facing data, though the attackers may have accessed internal documentation and snippets from support tickets.

The breach underscores the growing threat of supply-chain attacks targeting developer tooling. While GitHub mitigated the incident swiftly, the compromise of its own repositories—even without customer data loss—raises questions about third-party extension vetting. GitHub has pledged to notify any customer whose data may have been indirectly exposed through the exfiltrated support interaction excerpts.