{"id":9163,"date":"2026-05-20T15:40:40","date_gmt":"2026-05-20T06:40:40","guid":{"rendered":"https:\/\/cyberenso.jp\/?p=9163"},"modified":"2026-06-12T08:41:56","modified_gmt":"2026-06-11T23:41:56","slug":"github-breached-employee-device-hack-led-to-exfiltration-of-3800-internal-repos","status":"publish","type":"post","link":"https:\/\/cyberenso.jp\/en\/github-breached-employee-device-hack-led-to-exfiltration-of-3800-internal-repos\/","title":{"rendered":"GitHub Breached Employee Device Hack Led to Exfiltration of 3,800+ Internal Repos"},"content":{"rendered":"\n<p>GitHub has confirmed a security breach that resulted in unauthorized access to nearly 3,800 internal repositories after a malicious Visual Studio Code extension was installed on an employee&#8217;s device. According to the company&#8217;s investigation, the incident was traced to Nx Console version 18.95.0, a compromised extension that was published to the Visual Studio Code Marketplace on May 18, 2026. The extension contained hidden malicious code that allowed attackers to gain access to GitHub&#8217;s internal environment.<br>The attack has been attributed to TeamPCP, a threat group tracked by Google Threat Intelligence as UNC6780. Shortly after the breach became public, the group claimed responsibility and reportedly attempted to sell the stolen data on a cybercrime forum for at least $50,000.<br>GitHub stated that the compromise was limited to internal repositories and that there is currently no evidence that customer data stored outside its internal systems was affected. However, the company acknowledged that some internal repositories contained limited excerpts of customer support interactions.<br>In response, GitHub immediately began rotating sensitive credentials and security secrets, prioritizing those with the highest potential impact. The company also announced that a detailed incident report will be released once the investigation is complete.<br>Security researchers noted that this incident is part of a broader supply chain campaign carried out by TeamPCP throughout 2026. The group has previously targeted several well-known software projects and organizations, including Trivy, Checkmarx KICS, LiteLLM, Bitwarden CLI, TanStack, OpenAI, and Grafana.<br>The breach serves as another reminder of the growing risks associated with software supply chain attacks, where trusted tools and extensions are compromised to gain access to larger targets. As developers increasingly rely on third-party components, organizations are being urged to strengthen security monitoring, verify software integrity, and carefully review the tools used within their development environments.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>GitHub has confirmed a security breach that resulted in unauthorized access to nearly 3,800 internal repositories after a malicious Visual Studio Code extension was installed on an employee&#8217;s device. According to the company&#8217;s investigation, the incident was traced to Nx Console version 18.95.0, a compromised extension that was published to the Visual Studio Code Marketplace on May 18, 2026. The<span class=\"excerpt-hellip\"> [\u2026]<\/span><\/p>\n","protected":false},"author":1,"featured_media":9164,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[271,226,225,5,221],"tags":[],"class_list":["post-9163","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-data-breach","category-finance-and-legal","category-heavy-industry","category-ce_listen","category-national-infrastructure"],"acf":[],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/cyberenso.jp\/wp-content\/uploads\/2026\/06\/6a0f1175162bd3143f7333f5_GitHub-Data-Breach-1.webp?fit=1774%2C887&ssl=1","_links":{"self":[{"href":"https:\/\/cyberenso.jp\/en\/wp-json\/wp\/v2\/posts\/9163"}],"collection":[{"href":"https:\/\/cyberenso.jp\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cyberenso.jp\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cyberenso.jp\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cyberenso.jp\/en\/wp-json\/wp\/v2\/comments?post=9163"}],"version-history":[{"count":1,"href":"https:\/\/cyberenso.jp\/en\/wp-json\/wp\/v2\/posts\/9163\/revisions"}],"predecessor-version":[{"id":9166,"href":"https:\/\/cyberenso.jp\/en\/wp-json\/wp\/v2\/posts\/9163\/revisions\/9166"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cyberenso.jp\/en\/wp-json\/wp\/v2\/media\/9164"}],"wp:attachment":[{"href":"https:\/\/cyberenso.jp\/en\/wp-json\/wp\/v2\/media?parent=9163"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cyberenso.jp\/en\/wp-json\/wp\/v2\/categories?post=9163"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cyberenso.jp\/en\/wp-json\/wp\/v2\/tags?post=9163"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}