Investigating unauthorized access to GitHub's internal repositories

On Monday May 18, we detected and contained a compromise of an employee device involving a poisoned VS Code extension published by a third party. We removed the malicious extension version, isolated the endpoint, and began incident response immediately.

Our current assessment is that the activity involved exfiltration of GitHub-internal repositories only. The attacker’s current claims of ~3,800 repositories are directionally consistent with our investigation so far.

We have no evidence of impact to customer information stored outside of GitHub’s internal repositories, such as our customer’s own enterprises, organizations, and repositories. Some of GitHub’s internal repositories contain information from customers, for example, excerpts of support interactions. If any impact is discovered, we will notify customers via established incident response and notification channels.

We moved quickly to reduce risk. We rotated critical secrets Monday and into Tuesday with the highest-impact credentials prioritized first.

We continue to analyze logs, validate secret rotation, and monitor our infrastructure for any follow-on activity. We will take additional action as the investigation warrants.

Investigating unauthorized access to GitHub's internal repositories

Other newsrooms on this story

Related reading

GitHub Internal Repositories Breached via VS Code Extension

Other newsrooms on this story

Related reading

GitHub Internal Repositories Breached via VS Code Extension

GitHub says a data breach impacted 3,800 internal repositories.

GitHub says internal repos exfiltrated after poisoned VS Code extension attack

GitHub Got Breached Through a VS Code Extension. MCP Servers Are Next.

GitHub confirms breach of 3,800 repos via malicious VSCode extension

Hacker group hits 3,800 internal GitHub repositories via poisoned developer…