
GitHub Got Hacked Through a VS Code Extension

May 28, 2026

On May 20, 2026, GitHub confirmed what nobody wants to admit is possible: one of its own employees installed a malicious VS Code extension, and attackers used that single device to walk out with nearly 4,000 of GitHub's internal repositories.

The attacker group is TeamPCP. The price tag on the stolen data: $50,000, listed on a criminal forum.

What Happened, Step by Step

On May 20, 2026, GitHub confirmed a poisoned VS Code extension installed on an employee's device gave an attacker access to roughly 3,800 GitHub-internal repositories.

The threat actor — TeamPCP, also tracked by Google Threat Intelligence as UNC6780 — used that foothold to clone roughly 3,800 of GitHub's internal repositories and has reportedly listed the data for sale on a criminal forum at upwards of $50,000.

GitHub's own statement confirmed the scope: "Our current assessment is that the activity involved exfiltration of GitHub-internal repositories only. The attacker's current claims of ~3,800 repositories are directionally consistent with our investigation so far."

GitHub assesses that customer repositories, enterprise accounts, and user data are not affected. The compromise is, on current evidence, confined to GitHub's own corporate estate.

The Extension That Started It

The specific extension used to breach GitHub was the Nx Console — a widely-used VS Code plugin for Nx monorepo management with 2.2 million installs and a verified publisher badge on the Visual Studio Marketplace.

The trojanized version was live on Visual Studio Marketplace for only 18 minutes — between 12:30 p.m. and 12:48 p.m. UTC on May 18, 2026. But that 18-minute window was enough to distribute a credential stealer capable of harvesting sensitive data from 1Password vaults, Anthropic Claude Code configurations, npm, GitHub, and AWS.

Every user with auto-update on got the malicious version. GitHub's employee was one of them.

The Malware Behind It: Mini Shai-Hulud

TeamPCP deployed Mini Shai-Hulud — their adapted version of a self-replicating worm first documented in 2025, which largely automates supply chain attacks by stealing CI/CD credentials and using them to publish infected versions of further packages.

The malware uses the GitHub Search API as a covert communication channel, polling api.github.com/search/commits every hour for a specific keyword, and employs public GitHub commits to hide commands in plain sight. It extracts commands from commit messages, verifies them using a built-in RSA public key, and downloads and executes attacker-provided Python payloads.

Using GitHub's own infrastructure to communicate. That's the kind of thing that walks straight past most monitoring tools.
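One way to hunt for the hourly polling described above, as an added example that is not part of the original post. It assumes egress proxy or EDR telemetry that records the full request URL; the log format, host names, and query strings are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines: timestamp, source host, method, URL (not real telemetry).
SAMPLE_LOG = """\
2026-05-18T13:00:05Z dev-laptop-17 GET https://api.github.com/search/commits?q=EXAMPLE
2026-05-18T13:07:41Z dev-laptop-03 GET https://api.github.com/search/commits?q=fix+login
2026-05-18T13:09:02Z dev-laptop-03 GET https://api.github.com/search/commits?q=fix+login+bug
2026-05-18T14:00:09Z dev-laptop-17 GET https://api.github.com/search/commits?q=EXAMPLE
2026-05-18T14:00:30Z ci-runner-2 GET https://api.github.com/repos/example-org/example-repo/commits
2026-05-18T15:00:02Z dev-laptop-17 GET https://api.github.com/search/commits?q=EXAMPLE
2026-05-18T15:00:30Z ci-runner-2 GET https://api.github.com/repos/example-org/example-repo/commits
2026-05-18T15:42:10Z dev-laptop-03 GET https://api.github.com/search/commits?q=revert
2026-05-18T16:00:07Z dev-laptop-17 GET https://api.github.com/search/commits?q=EXAMPLE
2026-05-18T16:20:00Z dev-laptop-03 GET https://api.github.com/search/commits?q=revert+cache
2026-05-18T17:00:04Z dev-laptop-17 GET https://api.github.com/search/commits?q=EXAMPLE
"""

# Only the commit-search endpoint named in the post, not other GitHub API paths.
TARGET = re.compile(r"^https://api\.github\.com/search/commits(\?|$)")

def find_hourly_pollers(log_text, period=3600, tolerance=120, min_hits=4):
    """Return {host: hit_count} for hosts whose commit-search requests
    are all spaced about one `period` (seconds) apart."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not TARGET.match(parts[3]):
            continue
        hits[parts[1]].append(datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ"))
    flagged = {}
    for host, times in hits.items():
        times.sort()
        if len(times) < min_hits:
            continue  # too few samples to call it periodic
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Human searches are bursty; a timer-driven poller has near-constant gaps.
        if all(abs(g - period) <= tolerance for g in gaps):
            flagged[host] = len(times)
    return flagged

if __name__ == "__main__":
    print(find_hourly_pollers(SAMPLE_LOG))
```

Scheduled automation can poll the same endpoint legitimately, so a flagged host is a lead to triage by originating process, not a verdict.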

This Is One Attack in a Much Longer Campaign

The GitHub breach didn't happen in isolation. Google Threat Intelligence Group formally tracks TeamPCP as UNC6780 — a financially motivated threat actor specialising in supply chain attacks targeting open-source security utilities and AI middleware. Trend Micro tracked at least seven confirmed waves spanning Trivy, Checkmarx KICS, LiteLLM, elementary-data, Bitwarden CLI, TanStack, and Mistral AI.

In one wave alone, hackers took over a developer account and released over 630 malicious versions across 317 packages in about 20 minutes.

The GitHub breach is the highest-profile hit yet — but it's part of a systematic campaign that's been running all year.

Why Your IDE Is Now a Primary Attack Surface

This is yet another case of developer devices being compromised through tooling developers trust implicitly. Trust, not sophistication, is what makes attacks like this work. These are not sketchy packages from unknown publishers. They are tools developers use without thinking twice, precisely because they have the install count, the verified publisher badge, and the marketplace legitimacy that signal safety. That signal is now the target.

A malicious extension can read sensitive source code files, access local project directories, capture authentication tokens, interact with integrated terminal sessions, extract cloud credentials from AWS, Azure, or GCP, and steal CI/CD secrets and configuration files.

One extension. One device. 3,800 repos.

What to Do Right Now

These are the controls that actually matter:

Audit your installed extensions. Go through every VS Code extension on your machine. Remove anything you don't actively use or can't verify. Uninstalling doesn't undo the damage if you already ran a malicious version, but it stops further exposure.

Disable auto-update on VS Code extensions. VS Code updates extensions silently by default. Go to Settings → Extensions → disable auto-update. Review updates manually before applying.

Rotate your credentials. If you had VS Code open with any developer credentials accessible — GitHub tokens, AWS keys, npm tokens, SSH keys — rotate them now. Don't wait.

Check your CI/CD secrets. If your machine has access to any pipeline secrets, treat them as potentially compromised and rotate them too.

Review extension permissions. Extensions in VS Code run with the same privileges as your user account. There is no sandbox. Treat every extension install like an npm install from an unknown source.
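The audit and auto-update steps above can be scripted. The following is an added example, not code from the original post: it checks the output of `code --list-extensions --show-versions` against a reviewed allowlist and flags the `extensions.autoUpdate` setting. The extension IDs, versions, and allowlist are constructed placeholders.

```python
# Constructed output of `code --list-extensions --show-versions`; IDs are placeholders.
SAMPLE_LIST = """\
examplepub.monorepo-console@18.95.0
examplepub.linter@3.2.1
unknownpub.theme-pack@0.0.4
"""

# Hypothetical team allowlist: extension ID -> version that was actually reviewed.
ALLOWLIST = {
    "examplepub.monorepo-console": "18.94.0",
    "examplepub.linter": "3.2.1",
}

def parse_extensions(list_output):
    """Parse `publisher.name@version` lines into {id: version}."""
    installed = {}
    for line in list_output.splitlines():
        line = line.strip()
        if not line:
            continue
        ext_id, _, version = line.rpartition("@")
        if not ext_id:  # line carried no @version suffix
            ext_id, version = version, ""
        installed[ext_id.lower()] = version
    return installed

def audit(list_output, settings, allowlist):
    """Return (finding, detail) tuples for a parsed settings.json dict
    and the installed-extension listing."""
    findings = []
    # Auto-update stays on unless extensions.autoUpdate is explicitly false.
    if settings.get("extensions.autoUpdate", True) is not False:
        findings.append(("auto-update-enabled", "extensions.autoUpdate"))
    for ext_id, version in sorted(parse_extensions(list_output).items()):
        pinned = allowlist.get(ext_id)
        if pinned is None:
            findings.append(("not-allowlisted", ext_id))
        elif version != pinned:
            # Installed build differs from the one that was reviewed.
            findings.append(("version-drift", f"{ext_id} {pinned}->{version}"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LIST, {}, ALLOWLIST):
        print(*finding)
```

Version drift is the finding that matters for a case like this one: the extension is trusted and allowlisted, but the installed build is not the one anybody reviewed.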

Sources: Help Net Security, VentureBeat, The Hacker News, Aikido, Sophos