HomeIntelligenceBrief
BREACH BRIEF🟠 High Breach

GitHub Internal Repositories Stolen via Poisoned VS Code Extension, Data Put Up for Sale

GitHub confirmed that attackers stole roughly 3,800 internal repositories after a developer installed a poisoned Visual Studio Code extension. The stolen code is now being offered for sale, raising concerns about exposure of proprietary source code and embedded secrets for any organization that relies on GitHub for development.

LiveThreat™ Intelligence · 📅 May 21, 2026· 📰 databreachtoday.com
🟠
Severity
High
BR
Type
Breach
🎯
Confidence
High
🏢
Affected
1 sector(s)
Actions
3 recommended
📰
Source
databreachtoday.com

GitHub Internal Repositories Stolen via Poisoned VS Code Extension, Data Put Up for Sale

What Happened — Hackers exfiltrated roughly 3,800 internal GitHub repositories after a developer installed a malicious Visual Studio Code extension. The stolen code was later listed for sale on BreachForums and the Lapsus$ data‑leak site for $50‑95 k.

Why It Matters for TPRM

  • A supply‑chain compromise of a widely‑used development tool can affect any organization that relies on GitHub for code storage.
  • Exposure of internal repositories may reveal proprietary source code, secrets, and credentials, increasing downstream risk to customers and partners.
  • The incident underscores the need for strict extension vetting and endpoint hardening in developer workstations.

Who Is Affected — Technology SaaS providers, software development teams, and any third‑party that integrates with GitHub’s APIs.

Recommended Actions

  • Review your organization’s use of third‑party VS Code extensions; enforce a whitelist.
  • Rotate any credentials or secrets that may have been stored in the compromised repositories.
  • Verify that your GitHub permissions follow the principle of least privilege and enable MFA for all accounts.

Technical Notes — Attack vector: a poisoned VS Code extension (likely the Nx Console) delivered via the VS Code marketplace, representing a third‑party dependency compromise. No known CVE; data exfiltrated includes source code, configuration files, and potentially embedded secrets. Source: DataBreachToday

📰 Original Source
https://www.databreachtoday.com/github-hacked-internal-repositories-offered-for-sale-a-31739

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · PrivacyOps · CookiePLUS

A privacy incident is a question about your consent record.

CookiePLUS and Verisq AI Trust Operations keep consent, DSAR, and data-handling evidence continuously ready — so a data-exposure event finds you prepared, not scrambling.

See how Verisq AI Trust Operations handles privacy →