GitHub breach via infected VS Code extension - access to ~3800 internal repositories

GitHub confirmed the breach: attackers gained access to roughly 3800 internal repositories after an employee installed a malicious VS Code extension on their workstation.

  • Vector: an infected VS Code extension installed on a GitHub employee’s workstation.
  • Scale: around 3800 internal repositories within reach, plus the possibility of pivoting deeper into internal systems.
  • Response: isolation of the compromised machine, rotation of critical API tokens, ongoing monitoring of the infrastructure for further attacker activity.
  • Takeaway for teams: the extension marketplace is a real attack surface - worth enforcing an allowlist of approved tools and treating the IDE as just another production dependency.
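As an added example that is not part of the original note (and not GitHub's or sekurak.pl's code): one way to put the allowlist takeaway into practice is a small audit that parses the output of `code --list-extensions --show-versions` on a workstation and reports every extension that is not on the approved list or is installed at a version other than the reviewed one. The allowlist entries and the sample inventory below are constructed for illustration.

```python
import re
import subprocess

# Approved extensions pinned to the reviewed version. Constructed example
# values; a real allowlist comes from the team's own review of each tool.
ALLOWLIST = {
    "ms-python.python": "2024.22.0",
    "dbaeumer.vscode-eslint": "3.0.10",
}

# One line of `code --list-extensions --show-versions` looks like
# "publisher.name@1.2.3"; the publisher.name pair is the extension ID.
_LINE_RE = re.compile(r"^(?P<id>[\w-]+\.[\w-]+)@(?P<version>[\w.+-]+)$")


def parse_inventory(text: str) -> dict[str, str]:
    """Turn CLI output into {extension_id: version}; IDs are case-insensitive."""
    found: dict[str, str] = {}
    for token in text.split():  # one extension per line, blanks dropped
        m = _LINE_RE.match(token)
        if not m:
            raise ValueError(f"unexpected inventory line: {token!r}")
        found[m.group("id").lower()] = m.group("version")
    return found


def audit(installed: dict[str, str], allowlist: dict[str, str]) -> list[tuple[str, str, str]]:
    """Return (extension_id, installed_version, reason) for each violation."""
    findings = []
    for ext_id, version in sorted(installed.items()):
        approved = allowlist.get(ext_id)
        if approved is None:
            findings.append((ext_id, version, "not on allowlist"))
        elif approved != version:
            findings.append((ext_id, version, f"version differs from approved {approved}"))
    return findings


def audit_local_workstation() -> list[tuple[str, str, str]]:
    """Run the real CLI (needs `code` on PATH) and audit what it reports."""
    proc = subprocess.run(["code", "--list-extensions", "--show-versions"],
                          check=True, capture_output=True, text=True)
    return audit(parse_inventory(proc.stdout), ALLOWLIST)


# Constructed sample inventory standing in for real CLI output.
SAMPLE_INVENTORY = """\
ms-python.python@2024.22.0
dbaeumer.vscode-eslint@3.0.9
example-publisher.handy-helper@0.0.4
"""
```

Running `audit(parse_inventory(SAMPLE_INVENTORY), ALLOWLIST)` flags the ESLint extension for drifting from the pinned version and the unknown extension for not being on the list; `audit_local_workstation()` does the same against the machine it runs on.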

A classic supply-chain move - the attacker doesn't go after production, they go after the developer's laptop. How does your team vet IDE extensions before installation?

Source: sekurak.pl