
The Extension Blind Spot: How One VS Code Plugin Gave Attackers GitHub's Source Code

Jacob Krell, May 20, 2026

    GitHub's 3,800 Repositories Stolen Through a Single IDE Extension

    On May 19, 2026, a single VS Code extension on a single employee's device gave attackers access to 3,800 of GitHub's internal repositories. GitHub confirmed the breach the following morning, disclosed that it had rotated critical credentials and cryptographic keys overnight, and identified the financially motivated hacking group TeamPCP as responsible. The stolen source code appeared on cybercrime forums within hours, with TeamPCP demanding between $50,000 and $95,000 depending on the listing.

    This is the platform that hosts the world's software supply chain. The platform that publishes guidance on secure software delivery, maintains the GitHub Actions ecosystem, and stores the source code for millions of organizations. It was compromised through an IDE extension.

    The GitHub breach did not happen in isolation. It is the fifth successful supply chain compromise attributed to TeamPCP (tracked by Google Threat Intelligence as UNC6780) since March 2026. The pattern across all five is consistent. Target developer tooling that handles credentials. Harvest everything reachable. Use those credentials to spread.

    | Target | Date | Vector | Blast Radius |
    |---|---|---|---|
    | Aqua Security Trivy | March 2026 | Compromised GitHub Actions tags (CVE-2026-33634) | 10,000+ CI/CD workflows |
    | Checkmarx KICS | March 2026 | Malicious VS Code plugins on OpenVSX | 36,000+ extension downloads |
    | LiteLLM (PyPI) | March 2026 | Compromised maintainer credentials | 95M monthly downloads, ~500K machines |
    | TanStack + Mistral AI | May 2026 | Legitimate release pipeline abused, valid SLSA provenance | 84+ npm packages |
    | GitHub | May 19, 2026 | Poisoned VS Code extension on employee device | 3,800 internal repositories |

    TeamPCP has also partnered with the Lapsus$ extortion group for monetization, and the collaboration explains the shift from credential harvesting to direct data sales. The convergence between supply chain attackers and high profile extortion groups is creating a compounding effect across the cloud native ecosystem. The campaign is not slowing down. TeamPCP has publicly stated it will continue, claiming upcoming operations aimed at stealing terabytes of trade secrets with its partners.

    The Extension Blind Spot

    The deeper story here is not that GitHub got breached. Breaches happen to the best resourced organizations on the planet. The deeper story is what this breach reveals about the state of supply chain risk in 2026. The attack surface has expanded into layers that most organizations have not yet governed, and threat actors have noticed before defenders have.

    The day before GitHub disclosed its breach, a separate and apparently unrelated incident hit the Nx Console VS Code extension. Nx Console has 2.2 million installations. According to StepSecurity, the compromised version deployed a multi stage credential stealer capable of harvesting tokens from GitHub, npm, AWS, HashiCorp Vault, Kubernetes, and 1Password. It exfiltrated data through three independent channels.

    The malicious version was live for approximately 11 minutes before being pulled. Eleven minutes sounds fast until you consider how many machines auto update extensions in that window.

    Two VS Code extension compromises in two days. One hit 2.2 million potential victims. The other hit GitHub itself. Both exploited the same structural reality. VS Code extensions have full, unrestricted access to everything on the developer's machine.

    This is the extension blind spot. Most organizations today have extensive governance over their production environments. Servers run EDR agents. Cloud workloads operate under IAM policies scoped to least privilege. SaaS applications require SSO and MFA. Even developer laptops have endpoint protection deployed. But the code running inside the IDE sits entirely outside that governance. There is no permission model. No approval workflow. No inventory of installed extensions. No monitoring of what those extensions access.

    The same organization that requires three approvals for a new SaaS subscription allows any developer to install arbitrary code execution environments in their IDE with no oversight whatsoever.

    This started as a gap. The threat landscape moved faster than governance could adapt, and extension security was simply not on the radar. That explanation held in 2024. It does not hold in May 2026. TeamPCP has now compromised five organizations through developer tooling in three months. The Shai Hulud worm family has been tracked since September 2025. The IDEsaster vulnerability class demonstrated in March 2026 that every major AI IDE was vulnerable to extension layer exploitation. The evidence is overwhelming and public. At this point, the absence of extension governance is a choice.

    The extension blind spot is a symptom of a broader condition. Supply chain risk has expanded into the developer tooling layer, the build pipeline, the package registry, and the IDE itself. Organizations that have not extended their supply chain risk management programs to cover these surfaces are exposed in ways that traditional vendor risk assessments will never catch.

    Why This Keeps Working

    The Marketplace Nobody Governs

    The VS Code marketplace hosts approximately 60,000 extensions from around 45,000 different publishers. According to research from Koi Security, only 1,800 of those extensions are verified. The marketplace has accumulated 3.3 billion combined installs. The average developer has approximately 40 extensions installed in their IDE.

    The scale matters because it defines the attack surface. An attacker who compromises a single popular extension can reach millions of developers in a single move. The verification rate (roughly 3% of all extensions) means 97% of what developers install has no formal vetting beyond the marketplace's automated checks.

    Academic Research Confirms the Structural Weakness

    Peer reviewed research has consistently documented the problem. A 2024 study published at NDSS analyzed 25,402 VS Code extensions and discovered 21 extensions with verified code injection exploits impacting over 6 million installations. A separate analysis of 52,880 extensions found 5.6% exhibited suspicious behavior. A third study examining 27,261 extensions found 8.5% (2,325 extensions) exposed to credential related data leakage through commands, user input, and configurations.

    The contrast with browser extensions makes this gap concrete. When you install a Chrome extension, you see a permission prompt. "This extension can read and change all your data on all websites." Chrome uses a declarative permission system where extensions must declare what they need upfront, and users explicitly grant access. Manifest V3 further restricted extensions from executing remote code entirely.

    VS Code has none of this. No permission prompt. No declarative capability system. No restriction on remote code execution. An extension claiming to format JSON has identical technical capabilities to one managing cloud infrastructure. The workspace trust model is binary, and most developers grant full trust to avoid disruption.

    The browser industry solved this problem a decade ago. The IDE industry has not even started.

    VS Code extensions run in a dedicated Node.js Extension Host process with unrestricted access to the file system and the network, and they can spawn child processes with the same privileges as the VS Code application itself. In practical terms, installing a VS Code extension is equivalent to running an arbitrary Node.js application with the developer's full user permissions.

    This extends beyond VS Code. Cursor, Windsurf, Kiro, and other AI powered IDEs are built on the same VS Code foundation. They inherit the same extension trust model. The AI development boom has multiplied the number of developer tools with this exact vulnerability class. According to Lyrie Research, 73 sleeper malicious extensions have already been deployed across Open VSX, and two unpatched Cursor sandbox escapes enable code execution from extensions in 2026.

    The Supply Chain Attack Trend Is Accelerating

    The broader industry data supports what TeamPCP's campaign makes viscerally obvious. Third party involvement in breaches has gone from 9% in 2022 to 48% in 2025 according to Verizon's DBIR series. That is a fivefold increase in three years. Vulnerability exploitation has followed the same trajectory, rising from 5% of breaches in 2022 to 34% in 2025, overtaking credential theft as the leading breach vector. The median time for full patching increased to 43 days.

    Developer tooling attacks are the natural evolution of this trend. SolarWinds (2020) compromised a build pipeline to distribute backdoored updates to 18,000 organizations. Codecov (2021) modified a bash uploader script to exfiltrate credentials for two months undetected, affecting GoDaddy, IBM, HPE, and Atlassian. Supply chain attacks jumped over 300% in 2021 alone according to Sonatype's State of the Software Supply Chain report.

    The difference in 2026 is that the attack surface has shifted further upstream. The targets are no longer just build systems and package registries. They are the developer's IDE itself, the tool used to write the code before it ever reaches a pipeline. TeamPCP understood this before the industry did.

    EDR Cannot See It

    EDR tools operate at the process and file system level. They detect known malware signatures, suspicious process trees, and anomalous network behavior. But a VS Code extension making authenticated API calls to GitHub using the developer's own credentials looks identical to normal IDE behavior. The malicious activity is indistinguishable from legitimate operation because it is using the same interfaces, the same credentials, and the same access patterns as a legitimate extension.

    Most security teams still have zero visibility into what extensions are installed on their developers' machines. That is the blind spot these attacks keep walking through.

    What Defenders Should Do

    The organizations that will avoid becoming the next entry on TeamPCP's list are the ones that extend their existing security governance to cover the developer tooling layer. The gap exists because this layer grew outside traditional security boundaries. Closing it requires deliberate action.

    Implement extension allow listing. VS Code's `AllowedExtensions` policy (available since v1.96) lets organizations control exactly which extensions can install. Deploy it via Microsoft Intune, Active Directory Group Policy, or any MDM solution. The configuration is granular: allow by publisher (`"microsoft": true`), by specific extension (`"esbenp.prettier-vscode": true`), or pin to specific versions (`"dbaeumer.vscode-eslint": ["3.0.0"]`). When enforced, unapproved extensions cannot install and become disabled if already present. This is the single highest impact control available today.

    Build an extension inventory. Security teams cannot govern what they cannot see. Organizations need visibility into what extensions are installed across their developer fleet, when they were last updated, and who published them. Treat this inventory with the same rigor applied to software asset management for production systems.
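
The two controls above can be checked together. The following Python script is an added example, not code from the original article or from VS Code: it inventories an extensions directory and reports what an allow list in the three forms quoted above would block. It assumes each extension folder holds a `package.json` with `publisher`, `name` and `version`, that an extension-specific rule overrides a publisher rule, and that anything unlisted is denied; the function names and the sample profile are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

# Allow list in the three forms the article quotes: whole publisher,
# single extension, and version pin. Anything unmatched is denied.
POLICY = {
    "microsoft": True,
    "esbenp.prettier-vscode": True,
    "dbaeumer.vscode-eslint": ["3.0.0"],
}


def inventory(ext_dir):
    """List installed extensions from each <ext_dir>/<folder>/package.json."""
    records = []
    for manifest in sorted(Path(ext_dir).glob("*/package.json")):
        record = {"folder": manifest.parent.name, "id": None,
                  "version": None, "modified": None}
        try:
            record["modified"] = int(manifest.stat().st_mtime)
            meta = json.loads(manifest.read_text(encoding="utf-8"))
            # Extension ids are compared case-insensitively, so normalise.
            record["id"] = f"{meta['publisher']}.{meta['name']}".lower()
            record["version"] = str(meta["version"])
        except (OSError, ValueError, KeyError, TypeError):
            # Keep the folder in the inventory even if its manifest is
            # unreadable; an unparseable extension is itself a finding.
            record["id"] = None
        records.append(record)
    return records


def decide(record, policy):
    """Return (allowed, reason) for one inventory record."""
    if record["id"] is None:
        return False, "unreadable manifest"
    rules = {key.lower(): value for key, value in policy.items()}
    publisher = record["id"].split(".", 1)[0]
    # Assumption of this example: the extension-id rule is consulted
    # before the publisher rule, so the more specific entry wins.
    for key in (record["id"], publisher):
        if key not in rules:
            continue
        rule = rules[key]
        if isinstance(rule, list):
            if record["version"] in rule:
                return True, f"{key} at pinned version"
            return False, f"version {record['version']} not in pin list {rule}"
        if rule is True:
            return True, f"allowed by {key}"
        # False, or any value this example does not model, is a deny.
        return False, f"denied by {key}"
    return False, "not on allow list"


def audit(ext_dir, policy=POLICY):
    """Return the inventory records the policy would block, with reasons."""
    findings = []
    for record in inventory(ext_dir):
        allowed, reason = decide(record, policy)
        if not allowed:
            findings.append({**record, "reason": reason})
    return findings


def build_sample_profile(root):
    """Write a constructed extensions directory for the demo (not real data)."""
    samples = [
        ("microsoft", "sample-tool", "1.0.0"),             # publisher rule
        ("esbenp", "prettier-vscode", "11.0.0"),           # extension rule
        ("dbaeumer", "vscode-eslint", "3.0.10"),           # drifted past pin
        ("example-publisher", "json-formatter", "0.0.1"),  # never approved
    ]
    for publisher, name, version in samples:
        folder = Path(root) / f"{publisher}.{name}-{version}"
        folder.mkdir(parents=True)
        (folder / "package.json").write_text(json.dumps(
            {"publisher": publisher, "name": name, "version": version}))
    broken = Path(root) / "unknown.blob-0.0.0"
    broken.mkdir()
    (broken / "package.json").write_text("{not json")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in audit(build_sample_profile(tmp)):
            print(finding["folder"], "->", finding["reason"])
```

On a real workstation, point `audit()` at the user's extensions directory (by default `~/.vscode/extensions`) and ship the full `inventory()` output, not just the findings, to wherever asset data is kept.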

    Isolate credentials from the developer desktop. The fundamental problem is that developer workstations hold persistent credentials to sensitive systems. Short lived credentials, hardware bound tokens, and just in time access models reduce the blast radius when a workstation is compromised. A stolen OAuth token that expires in fifteen minutes is worth significantly less than a long lived personal access token with repository admin scope.

    Segment developer access by project scope. A developer working on a frontend feature should not have credentials to infrastructure repositories loaded in the same IDE session. Scoped access models limit what any single compromised extension can reach.

    Treat developer workstations as part of the attack surface. The same assume breach posture organizations apply to servers and cloud workloads needs to extend to developer machines. Monitor for anomalous extension behavior. Alert on unusual outbound connections from IDE processes. Include developer workstations in threat hunting hypotheses.

    Apply zero trust to the tooling layer. We have written previously that zero trust should extend to the dependency graph. The same principle applies to the IDE itself. Every extension, every plugin, every integration running inside a developer's IDE is executing with implicit trust that is rarely evaluated. That trust should be earned, monitored, and revocable.

    Supply Chain Risk Is No Longer Optional to Manage

    The GitHub breach is a data point on a trend line that has gone from 9% third party involvement in breaches in 2022 to 48% in 2025. TeamPCP alone has hit five organizations in three months. The question for security leaders is no longer whether supply chain risk is material. It is whether their organization has done anything structured to measure and manage it.

    Most organizations run vendor risk assessments for their SaaS providers and cloud vendors. Far fewer extend that same rigor to the software supply chain, the development tooling, or the extensions running on every developer workstation. The governance gap is not theoretical anymore. It is the active attack surface that the most effective threat actors of 2026 exploit repeatedly and successfully.

    The extension blind spot is the most visible symptom. The underlying condition is supply chain risk that has outgrown the governance structures most organizations built to manage it.

    At a Glance

    What happened. On May 19, 2026, TeamPCP compromised a GitHub employee's device through a poisoned VS Code extension and exfiltrated 3,800 internal repositories. This is their fifth successful supply chain attack in three months.

    Why it matters. VS Code extensions have full, unrestricted access to everything on a developer's machine. No sandbox, no permission model, no approval workflow. 97% of the 60,000 extensions in the marketplace are unverified. The browser industry solved this a decade ago. The IDE industry has not started.

    The trend. Third party involvement in breaches went from 9% to 48% in three years according to Verizon's DBIR series. Supply chain attacks are shifting upstream from build systems and package registries into the IDE itself, the tool used to write code before it ever reaches a pipeline.

    What to do. Deploy VS Code's `AllowedExtensions` policy via Intune or GPO. Build an extension inventory. Isolate credentials with short lived tokens. Include developer workstations in threat hunting. Extend third party risk assessments to cover developer tooling and open source dependencies.

    Who is affected. Any organization using VS Code, Cursor, Windsurf, or other VS Code based IDEs. The extension trust model is inherited across all of them.

     

    Sources:

     

    - SecurityWeek, "GitHub Confirms Hack Impacting 3,800 Internal Repositories," May 20, 2026

    - HackRead, "GitHub Breach: TeamPCP Steals 3,800 Repositories via VS Code Extension," May 20, 2026

    - SecurityWeek, "From Trivy to Broad OSS Compromise: TeamPCP Hits Docker Hub, VS Code, PyPI," May 2026

    - StepSecurity, "Nx Console VS Code Extension Compromised," May 2026

    - The Record, "GitHub confirms being hacked by TeamPCP, says customer data unaffected," May 20, 2026

    - Aikido Security, research on VS Code extension attack surface, May 2026

    - Verizon, "Data Breach Investigations Report," 2023, 2024, 2025, 2026 editions

    - Koi Security, "Exposing Malicious Extensions: Shocking Statistics from the VS Code Marketplace," 2026

    - NDSS 2024, "Developers Are Victims Too: A Comprehensive Analysis of The VS Code Extension Ecosystem"

    - Lyrie Research, "The Compromised Workbench: Definitive 2026 Defensive Playbook Against IDE Extension Supply Chain Attacks," 2026

    - Sonatype, "State of the Software Supply Chain Report," 2021

     

    Jacob Krell
    Jacob Krell builds systems that are hard to break and breaks systems that appear resilient. He is an offensive security leader specializing in advanced penetration testing and red teaming across cloud, web, mobile, Active Directory, and AI-enabled environments, helping organizations expose real-world risk and validate their defenses against modern adversaries. In parallel, he is a full-stack software engineer who develops custom cybersecurity tooling, intelligent automation platforms, and production-grade applications that embed security directly into the technology lifecycle. Ranked 25th globally on Hack The Box with more than 1,000 flags captured and holding many elite certifications, including OSCE3, CISSP, OSCP, CCNP Security, and CSIE, Jacob combines hands-on technical depth with the ability to translate complex cyber risk into clear business strategy.
