GitHub Internal Repositories Stolen via Poisoned VS Code Extension, Data Put Up for Sale
What Happened — Hackers exfiltrated roughly 3,800 internal GitHub repositories after a developer installed a malicious Visual Studio Code extension. The stolen code was later listed for sale on BreachForums and the Lapsus$ data‑leak site for $50‑95 k.
Why It Matters for TPRM —
- A supply‑chain compromise of a widely‑used development tool can affect any organization that relies on GitHub for code storage.
- Exposure of internal repositories may reveal proprietary source code, secrets, and credentials, increasing downstream risk to customers and partners.
- The incident underscores the need for strict extension vetting and endpoint hardening in developer workstations.
Who Is Affected — Technology SaaS providers, software development teams, and any third‑party that integrates with GitHub’s APIs.
Recommended Actions —
- Review your organization’s use of third‑party VS Code extensions; enforce a whitelist.
- Rotate any credentials or secrets that may have been stored in the compromised repositories.
- Verify that your GitHub permissions follow the principle of least privilege and enable MFA for all accounts.
Technical Notes — Attack vector: a poisoned VS Code extension (likely the Nx Console) delivered via the VS Code marketplace, representing a third‑party dependency compromise. No known CVE; data exfiltrated includes source code, configuration files, and potentially embedded secrets. Source: DataBreachToday