GitHub has confirmed a cyberattack involving unauthorized access to some of its internal repositories after a threat actor claimed it had stolen and was attempting to sell company data online. In a series of posts shared on X (formerly Twitter), the Microsoft-owned subsidiary said it has “detected and contained a compromise of an employee device involving a poisoned VS Code extension.” Github further said the malicious extension was removed, the affected endpoint was isolated and incident response measures were launched immediately. The platform also stated that its “current assessment is that the activity involved exfiltration of GitHub-internal repositories only,” while saying the attacker’s claims of accessing around 3,800 repositories are “directionally consistent” with the company’s investigation so far.The company said it has already rotated critical secrets and prioritised “highest-impact credentials” to reduce risk. GitHub also said it continues to analyse logs and monitor systems for additional suspicious activity.
Threat actor claims GitHub source code being sold
The incident became public after a threat actor known as TeamPCP allegedly listed GitHub source code and internal organisations for sale on a cybercrime forum. According to a report by The Hacker News, the group claimed to possess data from nearly 4,000 repositories and said the asking price was at least $50,000. Screenshots shared online reportedly showed the attackers saying: “We do not care about extorting GitHub.”“As always, this is not a ransom,” the group said in a post, according to screenshots shared by Dark Web Informer. “We do not care about extorting GitHub, 1 buyer and we shred the data on our end, it looks like our retirement is soon so if no buyer is found, we leak it for free.”The same threat group has also reportedly been linked to recent attacks involving malicious Python packages.
Attack linked to poisoned VS Code extension
GitHub has revealed that the breach was connected to a poisoned Microsoft Visual Studio Code extension installed on an employee device. “We removed the malicious extension version, isolated the endpoint, and began incident response immediately,” the company said.“We continue to analyze logs, validate secret rotation, and monitor for any follow-on activity. We will take additional action as the investigation warrants. We will publish a fuller report once the investigation is complete,” Github said in the post.
