GitHub, the industry-standard platform for hosting and sharing source code, has fallen victim to a targeted cyberattack. The Microsoft-owned service confirmed on Tuesday that its internal repositories were subject to unauthorized access. While the breach is significant, GitHub noted that customer information outside of their own internal environment does not appear to have been exposed.
"Our current assessment is that the activity involved exfiltration of GitHub-internal repositories only," GitHub stated in a recent post on X. The company added that while they are still investigating, the attacker’s claims regarding the theft of approximately 3,800 repositories are "directionally consistent" with their internal findings.
How the GitHub security breach occurred
The investigation reveals that the entry point for the attack was a compromised employee device. Specifically, the breach was facilitated by a poisoned Visual Studio Code extension. By targeting a tool used daily by developers, the attackers were able to bypass traditional defenses and gain a foothold within the company's infrastructure.
While GitHub has not publicly named the specific malicious extension or the identity of the attacker, they have taken immediate steps to mitigate the damage:
- Removed the malicious version of the extension.
- Isolated the affected endpoint to prevent further lateral movement.
- Initiated a comprehensive incident response protocol.
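The first two response steps above (removing a malicious extension version and isolating the endpoint) presuppose that you can tell which extensions, at which versions, are installed on a developer machine. The following script is an added example, not GitHub's code or anything from its incident report: it parses an inventory in the shape that `code --list-extensions --show-versions` prints (one `publisher.name@version` line per extension) and flags anything not on an organisation allowlist, or installed at a version other than the one that was reviewed. The extension identifiers, versions and allowlist are constructed for the example.

```python
"""Audit a developer endpoint's installed VS Code extensions against an
allowlist of reviewed extension versions.

The inventory format mirrors `code --list-extensions --show-versions`,
which prints one `publisher.name@version` line per extension. The sample
inventory and allowlist below are constructed for this example; the
extension names (other than the Python extension id) are hypothetical.
"""
from dataclasses import dataclass

# Constructed inventory, in the shape `code --list-extensions --show-versions` prints.
# The duplicate line stands in for the same extension reported twice (e.g. user
# and workspace scope) so the parser has to de-duplicate.
SAMPLE_INVENTORY = """\
ms-python.python@2024.4.1
example-publisher.linter-helper@1.3.0
unknown-vendor.theme-pack@0.9.9
ms-python.python@2024.4.1
"""

# Constructed allowlist: extension id -> version the organisation has reviewed.
# A newer or older installed version is "drift" and deserves a second look,
# since a poisoned release typically arrives as a new version of a trusted extension.
ALLOWLIST = {
    "ms-python.python": "2024.4.1",
    "example-publisher.linter-helper": "1.2.5",
}


@dataclass(frozen=True)
class Finding:
    extension: str
    version: str
    reason: str  # "not_allowlisted" or "version_drift"


def parse_inventory(text):
    """Parse `publisher.name@version` lines into {extension_id: version}.

    Blank or malformed lines are skipped. Extension ids are case-insensitive
    in VS Code, so they are normalised to lower case.
    """
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "@" not in line:
            continue
        ext_id, _, version = line.rpartition("@")
        if not ext_id or not version:
            continue
        found[ext_id.lower()] = version
    return found


def audit_extensions(inventory, allowlist):
    """Return findings for extensions that are unapproved or at an unreviewed version."""
    findings = []
    for ext_id, version in sorted(inventory.items()):
        expected = allowlist.get(ext_id)
        if expected is None:
            findings.append(Finding(ext_id, version, "not_allowlisted"))
        elif expected != version:
            findings.append(Finding(ext_id, version, "version_drift"))
    return findings


if __name__ == "__main__":
    for f in audit_extensions(parse_inventory(SAMPLE_INVENTORY), ALLOWLIST):
        print(f"{f.reason:16} {f.extension}@{f.version}")
```

On a real endpoint, the inventory text would come from running `code --list-extensions --show-versions` and the findings would be shipped to the fleet's inventory or SIEM; a `version_drift` hit on a widely used extension is the signal that an update should be reviewed before it is trusted, and a `not_allowlisted` hit is the one to triage first on a machine suspected of compromise.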
The rising threat of malicious developer tools
This incident highlights a growing trend in cybercrime where attackers target the software supply chain. Using backdoors within widely used plugins is becoming a preferred method for high-level breaches. Recent examples include:
- A single bad actor compromising 31 WordPress plugins to plant backdoors.
- Security researchers identifying spyware or infostealers in 35 Chrome extensions with over 4 million installs.
- The hijacking of popular IDE extensions to target high-value engineering environments.
To secure the platform, GitHub has already rotated its highest-impact credentials and maintains a constant vigil for further unauthorized access. A full report regarding the security incident is expected to be released in the near future.
TeamPCP claims responsibility for the data theft
According to reports from Bleeping Computer, the hacker group TeamPCP has claimed responsibility for the attack via the Breached cybercrime forum. The group alleges they have gained access not only to GitHub's source code but also to over 4,000 repositories of private code.
Interestingly, TeamPCP claims their motivation is not traditional extortion. Unlike typical ransomware attacks, the group stated they are not seeking a ransom from GitHub itself, but rather intend to sell the stolen data to the highest bidder.
"One buyer and we shred the data on our end," the group wrote in their announcement. "It looks like our retirement is soon, so if no buyer is found we will leak it [for] free." The group has set a minimum asking price of $50,000 for the stolen repositories.