
Malicious VS Code Extension Exposes Thousands of Internal GitHub Repositories
A malicious Visual Studio Code extension reportedly allowed attackers to access thousands of internal GitHub repositories, raising new concerns about the security risks linked to developer tools and third-party extensions.
According to a report by Tom’s Hardware, a hacker group claimed it gained access to approximately 3,800 internal GitHub repositories after a GitHub employee installed a compromised Visual Studio Code extension. The group also claimed it had stolen internal source code and sensitive operational data.
GitHub confirmed that it had contained the incident. The company said the affected extensions were removed and critical secrets were rotated as part of its response. GitHub also said there was no current evidence that public repositories or customer repositories were impacted.
The incident highlights a growing security challenge for software companies and development teams. Visual Studio Code extensions are commonly used by developers to improve productivity, add features, support programming languages, and connect with different tools. However, because these extensions may have access to files, terminals, credentials, and development environments, they can become a serious risk if they are malicious or compromised.
The reported attack is part of a wider trend in software supply-chain threats. Instead of attacking a company directly through traditional methods, threat actors increasingly target trusted tools, packages, plugins, and developer ecosystems. If a developer installs a compromised tool, attackers may gain access to sensitive environments without needing to break through external defenses.
In this case, the attackers reportedly attempted to sell the stolen data for at least $50,000 and threatened to release it publicly if no buyer was found. The report said the group behind the incident has previously been linked to attacks targeting other developer platforms and software ecosystems.
Although GitHub said customer repositories were not affected, the incident shows how a single compromised developer tool can create serious internal security exposure. It also shows why organizations need stronger controls around extensions, plugins, open-source packages, and third-party development tools.
For technology companies, the case is a reminder that developer environments are high-value targets. Source code, internal documentation, secrets, build pipelines, and operational systems can all be exposed if developer devices or tools are compromised.
Security teams are increasingly focusing on software supply-chain security because modern applications depend on many external components. These include extensions, libraries, packages, APIs, cloud services, and automation tools. Each component can introduce risk if it is not reviewed, monitored, and controlled.
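One concrete control for the extension risk discussed above is to audit each workstation's installed extensions against an organization allowlist. The following is an added example, not code from the article or from GitHub: it parses the `publisher.name@version` lines that `code --list-extensions --show-versions` prints, and flags any extension that is neither explicitly allowed (optionally pinned to a version) nor published by a trusted publisher. The installed list, extension names and policy below are constructed for illustration.

```python
"""Audit installed VS Code extensions against an allowlist (added example).

Input format assumed: one 'publisher.name@version' line per extension, as
printed by `code --list-extensions --show-versions`. Sample data and policy
are constructed for this example.
"""
from dataclasses import dataclass

# Constructed sample of what the CLI might print on a developer workstation.
# Extension names and versions are made up for the example.
SAMPLE_INSTALLED = """\
ms-python.python@2024.4.1
ms-vscode.cpptools@1.20.0
example-publisher.handy-tool@0.3.2
another-dev.build-helper@2.0.0
"""

# Constructed policy: explicitly allowed extension IDs (None = any version,
# otherwise a pinned version) plus publishers whose catalogue is trusted.
ALLOWED_EXTENSIONS = {
    "ms-python.python": None,        # any version
    "ms-vscode.cpptools": "1.19.9",  # pinned; drift is reported
}
TRUSTED_PUBLISHERS = {"ms-python", "ms-vscode"}


@dataclass(frozen=True)
class Finding:
    extension_id: str
    version: str
    reason: str


def parse_extension_list(text: str) -> list[tuple[str, str]]:
    """Parse 'publisher.name@version' lines into (extension_id, version)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        ext_id, sep, version = line.partition("@")
        if "." not in ext_id:
            raise ValueError(f"malformed extension id: {line!r}")
        entries.append((ext_id, version if sep else ""))
    return entries


def audit(installed: list[tuple[str, str]]) -> list[Finding]:
    """Return one Finding per installed extension the policy does not allow."""
    findings = []
    for ext_id, version in installed:
        publisher = ext_id.split(".", 1)[0]
        if ext_id in ALLOWED_EXTENSIONS:
            pinned = ALLOWED_EXTENSIONS[ext_id]
            if pinned is not None and version != pinned:
                findings.append(Finding(ext_id, version, f"version drift: expected {pinned}"))
            continue
        if publisher in TRUSTED_PUBLISHERS:
            continue
        findings.append(Finding(ext_id, version, "not on allowlist and publisher not trusted"))
    return findings


def audit_text(text: str) -> list[Finding]:
    """Convenience wrapper: parse CLI output text and audit it."""
    return audit(parse_extension_list(text))


if __name__ == "__main__":
    for f in audit_text(SAMPLE_INSTALLED):
        print(f"{f.extension_id}@{f.version}: {f.reason}")
```

In practice the input would come from each workstation (for example, collected by an endpoint agent) rather than the embedded sample, and the findings would feed an inventory or alerting pipeline; the point is that unexpected publishers and version drift on pinned extensions are both visible before a compromised extension has a chance to run.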
The GitHub-related incident also reflects the importance of secret management. When a breach affects development environments, companies often need to rotate credentials, tokens, and keys to reduce the risk of further access. GitHub said it rotated critical secrets as part of its response, which is a common containment step after this type of incident.
The case adds to growing concerns about malicious extensions and software packages being used as entry points into organizations. Developers often install tools quickly to save time or improve workflows, but attackers can exploit this trust by publishing extensions that look useful while hiding malicious behavior.
For now, GitHub says the incident has been contained and that there is no evidence customer repositories were impacted. However, the reported breach is another clear example of how software supply-chain risks are becoming a major cybersecurity issue for modern organizations.
