GitHub Breach: Malicious VS Code Extension Used by TeamPCP to Exfiltrate 3,800 Private Repositories
What Happened — A threat actor identified as TeamPCP distributed a malicious Visual Studio Code extension that, when installed, harvested authentication tokens and silently cloned approximately 3,800 private GitHub repositories. The stolen source code was subsequently listed for sale on underground forums for a price of $95,000.
Why It Matters for TPRM
- Source‑code theft can reveal proprietary algorithms, product roadmaps, and embedded credentials, amplifying supply‑chain risk for downstream customers.
- The attack leveraged a trusted development tool, demonstrating how third‑party extensions can bypass traditional perimeter controls.
- Exposure of internal repositories may lead to downstream exploitation of undisclosed vulnerabilities in shipped products.
Who Is Affected — Technology SaaS providers, software development firms, fintech, health‑tech, and any organization that stores private code on GitHub or integrates VS Code into its dev pipeline.
Recommended Actions
- Conduct an immediate inventory of all VS Code extensions in use across your organization; remove any that are not from verified publishers.
- Rotate all GitHub personal access tokens and OAuth credentials that may have been compromised.
- Review GitHub audit logs for anomalous clone activity and enforce least‑privilege token scopes.
- Engage with GitHub’s security team to confirm the scope of the breach and obtain forensic guidance.
Technical Notes — Attack vector: malicious VS Code extension (third‑party dependency). No specific CVE cited. Data types exfiltrated: source code, configuration files, embedded API keys, and potentially proprietary intellectual property. Source: HackRead