HeadlinesBriefing.com

GitHub Confirms 3,800-Repo Breach via Malicious VS Code Extension

Hacker News

GitHub confirmed a breach affecting roughly 3,800 internal repositories after an employee installed a trojanized VS Code extension. The company removed the malicious version from the marketplace, isolated the compromised device, and launched an immediate incident response. Its current assessment indicates only internal repositories were exfiltrated, aligning with attacker claims.

This incident follows TeamPCP's public auction of the stolen data, in which the group demanded at least $50,000. TeamPCP, linked to prior supply chain attacks on developer platforms like PyPI and npm, stated the sale is a one-time transaction. GitHub has not officially attributed the breach but noted the exfiltration claims are directionally consistent with its investigation.

The attack vector—a poisoned extension from the official VS Code Marketplace—highlights a recurring threat. Similar incidents have involved extensions with millions of installs delivering cryptominers or ransomware. This breach underscores the persistent risk of supply chain compromises targeting developer tooling, a critical attack surface for software infrastructure.