GitHub Internal Repositories Compromised via Malicious Visual Studio Code Extension

GitHub Discloses Internal Infrastructure Breach Leading to Exfiltration of Proprietary Source Code and 3800 Repositories via Visual Studio Marketplace Extension

GitHub has officially disclosed a breach of its internal development infrastructure that resulted in the exfiltration of proprietary source code. In an official statement posted on its communication channels, the GitHub security team said that the breach led to the exfiltration of around 3800 internal repositories. The intrusion was traced to the compromise of an employee's workstation, which had been infected by a poisoned third-party extension available in the Visual Studio Code marketplace.

The company said that containment steps were initiated as soon as the malicious activity was identified within its network. The security team isolated the affected user's workstation and withdrew the malicious version of the extension from the public marketplace. Critical infrastructure credentials are currently being rotated by the developers to prevent any further compromise, with high-value access keys prioritized. The company stated clearly that customer data, private repositories and user accounts were untouched, since the attack targeted GitHub's internal corporate infrastructure only.

The engineering team is currently analyzing system logs to validate that the credentials have been successfully rotated and to look for any additional follow-up malicious activity. A full post-incident report is being prepared, and GitHub promises to release it once its internal investigation is complete. The incident comes shortly after another in which a United States Cybersecurity and Infrastructure Security Agency (CISA) contractor publicly revealed their cloud server login details; that exposure was due to poor password hygiene rather than a vulnerability in the GitHub platform itself.

About the author

mgtid
Owner of Technetbook | 10+ Years of Expertise in Technology | Seasoned Writer, Designer, and Programmer | Specialist in In-Depth Tech Reviews and Industry Insights | Passionate about Driving Innovation and Educating the Tech Community Technetbook
