A poisoned VS Code extension compromised a GitHub employee's device on May 18, leading to the exfiltration of GitHub-internal repositories. The attacker claims roughly 3,800 repositories were taken, and GitHub's investigation calls that number directionally accurate. Rotation of critical secrets began on Monday, with the highest-impact credentials prioritized first.

No evidence currently links the breach to customer-owned enterprises, organizations, or repositories. The caveat: some internal GitHub repos contain customer data fragments, including excerpts from support interactions. If that assessment changes, GitHub says affected customers will be notified through its standard incident response channels.

The investigation is live. Log analysis, secret rotation validation, and infrastructure monitoring are ongoing. GitHub has promised a full post-mortem when it wraps. The original post is worth reading for the specific advisory reference, GHSA-c9j4-9m59-847w, which details the nx-console extension vector and is the thread to pull if you want to understand the attack surface.
