# GitHub's Internal Repositories Compromised Through Malicious VS Code Extension

*Published May 22, 2026*
*Source: [https://thehackernews.com/2026/05/github-internal-repositories-breached.html](https://thehackernews.com/2026/05/github-internal-repositories-breached.html)*

## Executive Summary

GitHub's internal repositories were breached through a compromised employee device using a malicious version of a Visual Studio Code extension. The attack, part of a broader supply chain compromise, underscores the need for enhanced security in developer tools and open-source distribution.

## Article

GitHub has disclosed that a breach of its internal repositories resulted from the compromise of an employee's device via a tainted version of the Nx Console extension for Microsoft Visual Studio Code. This incident is linked to the broader TanStack supply chain attack, which also affected companies like OpenAI and Grafana Labs. The breach allowed a cybercriminal group known as TeamPCP to exfiltrate around 3,800 repositories. GitHub has taken immediate measures to contain the situation and is monitoring for any further activity.

Alexis Wales, GitHub's Chief Information Security Officer, stated that there is no evidence of customer information being impacted outside of GitHub's internal repositories. However, some internal repositories do contain customer information, such as support interaction excerpts. Customers will be notified if any impact is detected.

The breach underscores the vulnerabilities in developer tools and open-source distribution. Jeff Cross from Narwhal Technologies emphasized the need for fundamental changes in securing these tools. The trojanized VS Code extension was briefly available on the Visual Studio Marketplace, but this short period was sufficient for attackers to distribute a credential-stealing program targeting sensitive data from various platforms.

TeamPCP's pattern of exploiting trusted tools to further their attacks highlights the interconnected nature of modern software. The auto-update feature in extension marketplaces, intended for convenience, can inadvertently aid such attacks by allowing compromised publishers to push malicious updates directly to users.
