GitHub confirms malicious VS Code extension exposed internal code repositories
GitHub is actively investigating a security incident involving unauthorized access to its internal code repositories, the company announced earlier today. Security researchers are already tracking dark web claims that a threat actor is attempting to sell data allegedly stolen from roughly 4,000 of the platform’s private repositories.
The company disclosed the breach in a brief statement on X, noting that it found no immediate evidence of an impact on customer information stored outside its internal systems. “We are closely monitoring our infrastructure for follow-on activity,” the company said, adding that it will notify users directly if any broader impact comes to light.
Shortly before the announcement, a cyber threat intelligence account known as Dark Web Informer pointed to a dark web listing by a threat actor using the alias TeamPCP.
The actor claims to have lifted a massive chunk of GitHub’s internal source code and organization data, putting a price tag on the stolen assets.
The current situation is already being discussed on platforms like X and Reddit.
A big discussion on r/cybersecurity has people speculating that these breaches are increasing in frequency due to “AI Slop” coding, though it isn’t exactly clear whether this has anything to do with the incident.
One commenter noted that the first half of the year has truly not been kind to GitHub, while others questioned how the attackers found a large enough exploit window to slip through the company’s defenses.
In a follow-up statement on X, GitHub confirmed that the attacker’s claims are “directionally consistent” with its internal investigation, noting that the exfiltration was strictly limited to GitHub-internal repositories and involved roughly 3,800 repositories.
Providing much-needed technical clarity, GitHub revealed the root cause was a compromised employee device. The intrusion occurred via a poisoned VS Code extension, highlighting a growing trend of threat actors targeting developer supply chains rather than attacking platform infrastructure head-on.
According to the company, the malicious extension version has been removed, and the affected endpoint has been isolated. To mitigate follow-on risks, GitHub spent the night rotating critical secrets, prioritizing the highest-impact credentials first.
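The incident turned on a malicious version of an extension installed on a developer workstation, so the defender-side check that matters is knowing exactly which extensions, at which versions, are present on each endpoint. The script below is an added illustration and is not code from GitHub or from this article. It assumes an inventory in the `publisher.name@version` form that `code --list-extensions --show-versions` prints, and an allowlist that an organisation pins itself; the extension ids, versions and inventory lines used here are constructed sample data.

```python
"""Audit installed VS Code extensions against a pinned allowlist.

Added illustration, not code from GitHub or from the article. Assumes
inventory lines in the `publisher.name@version` form printed by
`code --list-extensions --show-versions`; the allowlist and sample
inventory below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# One inventory line: publisher.name@version (ids may contain '-' and '_').
_EXT_LINE = re.compile(r"^(?P<id>[A-Za-z0-9][\w-]*\.[\w-]+)@(?P<version>[0-9A-Za-z.+-]+)$")


@dataclass(frozen=True)
class Finding:
    extension: str
    installed: Optional[str]
    expected: Optional[str]
    kind: str  # "unknown", "version_drift", "missing" or "unparsable"


def parse_inventory(lines: Iterable[str]) -> Tuple[Dict[str, str], List[str]]:
    """Parse inventory lines into {extension_id: version}; unparsable lines are returned separately."""
    parsed: Dict[str, str] = {}
    bad: List[str] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = _EXT_LINE.match(line)
        if not m:
            bad.append(line)
            continue
        # Marketplace ids are case-insensitive, so normalise before comparing.
        parsed[m.group("id").lower()] = m.group("version")
    return parsed, bad


def audit_extensions(inventory_lines: Iterable[str], allowlist: Dict[str, str]) -> List[Finding]:
    """Compare an endpoint's installed extensions with an allowlist pinned to exact versions.

    Flags extensions that are not on the list at all, approved extensions whose
    installed version differs from the pin, required extensions that are absent,
    and inventory lines that could not be parsed. An empty list means 'clean'.
    """
    installed, bad = parse_inventory(inventory_lines)
    allowed = {k.lower(): v for k, v in allowlist.items()}
    findings: List[Finding] = []
    for ext, ver in installed.items():
        if ext not in allowed:
            findings.append(Finding(ext, ver, None, "unknown"))
        elif ver != allowed[ext]:
            findings.append(Finding(ext, ver, allowed[ext], "version_drift"))
    for ext, ver in allowed.items():
        if ext not in installed:
            findings.append(Finding(ext, None, ver, "missing"))
    for line in bad:
        findings.append(Finding(line, None, None, "unparsable"))
    return sorted(findings, key=lambda f: (f.kind, f.extension))


# Constructed sample data: a pinned allowlist and one endpoint's inventory.
SAMPLE_ALLOWLIST = {
    "example-org.python": "1.2.0",
    "example-org.lint": "2.4.4",
    "example-org.yaml": "1.14.0",
}
SAMPLE_INVENTORY = """
example-org.python@1.2.0
example-org.lint@2.4.2
example-publisher.helpful-tools@0.0.9
not a valid line
""".splitlines()

if __name__ == "__main__":
    for f in audit_extensions(SAMPLE_INVENTORY, SAMPLE_ALLOWLIST):
        print(f"{f.kind:14} {f.extension} installed={f.installed} expected={f.expected}")
```

Pinning exact versions rather than just extension names is deliberate: the article describes a malicious extension *version*, so an allowlist that only names publishers would have passed it. Running the audit from endpoint management and alerting on any finding gives a detection signal for the kind of developer-side compromise described above.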
The platform maintains that there is still no evidence of any impact on customer data or external systems, and plans to release a full report once the incident response concludes.
This breach follows a string of recent platform headaches. Just a few weeks ago, a severe remote code execution vulnerability put millions of private repositories at risk. That history makes this latest internal intrusion look pretty bad for a platform that serves as the backbone for global software development.
We’ll be keeping an eye out for further developments and will update this article accordingly.
Update 10:08 am (IST): The article was updated to add GitHub’s follow-up thread on the situation.
The post GitHub confirms malicious VS Code extension exposed internal code repositories appeared first on PiunikaWeb.