Microsoft’s GitHub confirms cyberattack involving unauthorised access to nearly 3,800 repositories
Microsoft’s GitHub has confirmed a cyberattack involving unauthorised access to some of its internal repositories after a threat actor claimed it had stolen and was attempting to sell company data online.
In a series of posts on Tuesday, GitHub said it had “detected and contained a compromise of an employee device involving a poisoned VS Code extension.”
GitHub said the malicious extension was removed, the affected endpoint isolated, and incident response measures launched immediately after the breach was discovered.
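The compromise described above started with a malicious editor extension on one employee machine. The check a practitioner would want after reading this is an inventory of the extensions actually installed on an endpoint, compared against a list of publishers the organisation has decided to trust. The script below is an added example, not GitHub's or Microsoft's code and not connected to the extension involved in this incident. It assumes the standard on-disk layout VS Code uses, one directory per extension under `~/.vscode/extensions` named `<publisher>.<name>-<version>` and holding a `package.json` with `publisher` and `name` fields. The allowlist and the sample extension tree it builds are constructed for the demonstration.

```python
"""Audit installed VS Code extensions against a publisher allowlist.

Added example, not code from GitHub or Microsoft. Assumes the standard
VS Code layout: ~/.vscode/extensions/<publisher>.<name>-<version>/package.json.
TRUSTED_PUBLISHERS and build_sample_tree() are constructed for the demo.
"""
import json
import tempfile
from pathlib import Path

# Constructed allowlist of publisher IDs an organisation chooses to trust.
TRUSTED_PUBLISHERS = {"ms-python", "ms-vscode", "github"}


def audit_extensions(ext_dir, trusted=TRUSTED_PUBLISHERS):
    """Return (trusted, untrusted, unreadable) lists for an extensions dir.

    An extension is flagged untrusted when its package.json publisher is not
    on the allowlist, or when that publisher does not match the publisher
    encoded in the directory name: a mismatch means the directory was not
    laid down by the normal marketplace install flow under that identity.
    """
    trusted_found, untrusted, unreadable = [], [], []
    for entry in sorted(Path(ext_dir).iterdir()):
        if not entry.is_dir():
            continue
        manifest = entry / "package.json"
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            unreadable.append(entry.name)  # missing or malformed manifest
            continue
        if not isinstance(meta, dict):
            unreadable.append(entry.name)
            continue
        publisher = str(meta.get("publisher", "")).lower()
        dir_publisher = entry.name.split(".", 1)[0].lower()
        ext_id = f"{publisher}.{meta.get('name', '?')}"
        if publisher in trusted and publisher == dir_publisher:
            trusted_found.append(ext_id)
        else:
            untrusted.append(ext_id)
    return trusted_found, untrusted, unreadable


def build_sample_tree(root):
    """Create a constructed extensions directory with benign and suspicious entries."""
    samples = {
        "ms-python.python-2024.4.1": {"publisher": "ms-python", "name": "python"},
        # look-alike publisher ID (digit zero for the letter o)
        "ms-pyth0n.python-2024.4.1": {"publisher": "ms-pyth0n", "name": "python"},
        "github.copilot-1.180.0": {"publisher": "GitHub", "name": "copilot"},
        # directory claims a trusted publisher, manifest says otherwise
        "ms-vscode.helper-0.0.1": {"publisher": "evil-corp", "name": "helper"},
        "broken.ext-0.1": None,  # no package.json at all
    }
    for dirname, meta in samples.items():
        d = Path(root) / dirname
        d.mkdir(parents=True)
        if meta is not None:
            (d / "package.json").write_text(json.dumps(meta), encoding="utf-8")
    return root


def demo():
    """Run the audit over the constructed tree and return its three lists."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return audit_extensions(tmp)


if __name__ == "__main__":
    real_dir = Path.home() / ".vscode" / "extensions"
    ok, bad, unreadable = audit_extensions(real_dir) if real_dir.is_dir() else demo()
    print("trusted:  ", ok)
    print("UNTRUSTED:", bad)
    print("unreadable:", unreadable)
```

Run as-is it audits the current user's real extension directory when one exists and otherwise the constructed sample, where it flags the look-alike publisher, the directory whose manifest disagrees with its name, and the entry with no manifest. `code --list-extensions --show-versions` gives the editor's own view of what is installed and is a useful cross-check. The caveat: an allowlist only catches extensions from unexpected publishers; a malicious update shipped under a trusted publisher ID passes it, so pair this with version pinning or hash checks of the installed extension contents.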
The developer platform said its current assessment is that the activity involved exfiltration of internal repositories, and that the attacker’s claim to have accessed nearly 3,800 repositories is “directionally consistent” with its investigation so far, which GitHub has not yet confirmed as an exact figure.
The incident surfaced publicly after a threat actor identified as TeamPCP allegedly listed GitHub source code and internal organisations for sale on a cybercrime forum, according to a Times of India report. The same threat group has also reportedly been linked to recent attacks involving malicious Python packages.
GitHub said it continues to investigate the breach and monitor its infrastructure for additional suspicious activity.
“We continue to analyse logs, validate secret rotation, and monitor for any follow-on activity. We will take additional action as the investigation warrants,” the company posted on X.
