Major Security Breach at GitHub via Malicious VS Code Extension Confirmed
Microsoft-owned GitHub confirmed on May 20, 2026, that approximately 3,800 internal repositories were breached after an employee installed a malicious Visual Studio Code extension. The company detected the compromise on May 19 and immediately began containment procedures, removing the poisoned extension from the VS Code Marketplace and isolating the affected device.
The breach was linked to a trojanized version of the Nx Console extension, a popular development tool with over 2.2 million installations. The malicious version remained active for just 18 minutes, but that was enough to harvest GitHub tokens, SSH keys, AWS credentials, and other sensitive developer credentials. The attack was claimed by TeamPCP, a cybercrime group known for sophisticated supply chain attacks, which is demanding at least $50,000 for the stolen data.
“We removed the malicious extension version, isolated the endpoint, and began incident response immediately,” GitHub stated. “Critical secrets were rotated yesterday and overnight with the highest-impact credentials prioritized first.” The incident highlights growing concerns about developer tooling as an attack vector, with security experts warning that IDE extensions can bypass traditional security controls. GitHub has confirmed that no customer data stored outside internal repositories was affected.
Source: BleepingComputer
