Malicious VS Code Extension Exfiltrates ~3,800 GitHub Internal Repositories
What Happened — An employee installed a trojanized Visual Studio Code extension from the official marketplace. The malicious extension compromised the workstation, allowing attackers to exfiltrate roughly 3,800 internal GitHub repositories. GitHub detected the breach, removed the extension, isolated the endpoint, and began incident response, but the data had already been stolen.
Why It Matters for TPRM —
- Supply‑chain attacks can bypass traditional perimeter defenses by compromising trusted developer tools.
- Exposure of internal source code may reveal proprietary algorithms, security controls, and third‑party dependencies, increasing downstream risk for customers and partners.
- The incident highlights the need for strict vetting of third‑party extensions and continuous monitoring of employee workstations.
Who Is Affected — Technology SaaS platforms, cloud‑hosted development environments, and any organization that integrates third‑party IDE extensions.
Recommended Actions —
- Review and restrict the use of third‑party VS Code extensions across your development teams.
- Enforce application allow‑listing and endpoint detection & response (EDR) on developer workstations.
- Conduct a code‑base audit to identify any potential exposure of proprietary code or credentials.
Technical Notes — Attack vector: a malicious VS Code extension (trojanized plugin) delivered via the official marketplace. No specific CVE was cited. Exfiltrated data: source code, configuration files, and potentially embedded secrets from ~3,800 internal repositories. Source: Security Affairs