3,800 Repos, One Extension, Zero Excuses

Key quote:

1/ We are sharing additional details regarding our investigation into unauthorized access to GitHub’s internal repositories.

Yesterday we detected and contained a compromise of an employee device involving a poisoned VS Code extension. We removed the malicious extension version, isolated the endpoint, and began incident response immediately.

Why it matters: One developer at GitHub installed a VS Code extension. That single click handed an attacker access to roughly 3,800 internal repositories. TeamPCP’s now shopping the stolen source code around for a $50,000 minimum, and threatening to just give it away for free if nobody bites.

The VS Code extension problem is real and unsolved. Organizations can restrict which extensions developers install, but they can’t control what those extensions do once they’re running. Extensions run with full user privileges: filesystem access, credentials, SSH keys, environment variables. No sandbox. No permission model. That’s a platform gap Microsoft needs to close, and until they do, every VS Code shop carries this risk.

But the extension was the entry point, not the blast radius. The blast radius came from access controls that let one employee’s tokens reach 3,800 repositories. Unless someone at GitHub is legitimately maintaining all 3,800 of those, that’s a failure of least privilege at a company that should know better.

The stakes extend past a source code sale. TeamPCP’s previously announced a partnership with Lapsus$ and the Vect ransomware group, providing initial access while Vect handles encryption and extortion. GitHub’s internal code becoming seed material for a coordinated ransomware operation changes the math considerably.

And it’s probably only a question of when, not if, agentic AI compounds the problem. As coding assistants and autonomous agents get broader repository access for convenience, we’re recreating the same conditions: entities with sweeping permissions nobody will audit until something breaks, which is way too late. The difference, unfortunately, is speed. An AI agent with unscoped access won’t stop at 3,800 repos because it has to click through them. It’ll clone everything it can reach in seconds.

GitHub detected the breach on May 19 and rotated critical credentials overnight, which is evidence of a good incident response process. But good IR doesn’t fix bad access controls. Allowlist your extensions, pin your dependencies, and scope your tokens. The next breach through a VS Code extension isn’t a matter of if. Whether it reaches 3,800 repos or 38 depends on decisions organizations make.