GitHub confirms ~3,800 internal repositories were breached after one of its employees installed a malicious VS Code extension; TeamPCP claims responsibility

GitHub has confirmed that roughly 3,800 internal repositories were breached after one of its employees installed a malicious VS Code extension.

BleepingComputer Sergiu Gatlan

Discussion

  • @github @github on x
    1/ We are sharing additional details regarding our investigation into unauthorized access to GitHub's internal repositories. Yesterday we detected and contained a compromise of an employee device involving a poisoned VS Code extension. We removed the malicious extension version,
  • @github @github on x
    2/ Our current assessment is that the activity involved exfiltration of GitHub-internal repositories only. The attacker's current claims of ~3,800 repositories are directionally consistent with our investigation so far.
  • @marclou Marc Lou on x
    > open X > your codebase has leaked > your NPM packages are fucked > your framework has security issues [image]
  • @vxdb @vxdb on x
    > be GitHub Employee > browse VS Code Extensions > installs fancy new extension > fancy new extension is actually malware > GitHub gets breached
  • @fortysevenfx François Best on x
    This is bad. Those repos likely contain the GitHub infrastructure: the next supply chain attack could be more hidden than cache poisoning if attackers find a vuln on GitHub itself. This is very, very bad.
  • @tdinh_me Tony Dinh on x
    3800 internal repos leaked 😳
  • @chribjel Christoffer Bjelke on x
    We need minimum release age for vs code extensions as well [image]
  • @github @github on x
    3/ We moved quickly to reduce risk. Critical secrets were rotated yesterday and overnight with the highest-impact credentials prioritized first.
  • @dyn___ Aaron Grattafiori on x
    VS code/Cursor extensions are a supply chain attack waiting to happen, and have many times... They all contain a crazy amount of node/JS junk, they're often owned by randos, they silently update, nobody looks at them and the security model is shit. Use restricted marketplaces.
  • @github @github on x
    4/ We continue to analyze logs, validate secret rotation, and monitor for any follow-on activity. We will take additional action as the investigation warrants.
  • @grahamhelton3 Graham Helton on x
    Ignore the ambulance chasers on this one, this could happen to any company very quickly. Interesting to think about a compromised endpoint leading to the exfil of 3.8k repos. I wonder what defenses would have stopped this, if they even exist.
  • @nickadobos Nick Dobos on x
    “Directionally consistent” what a line. Poison vscode extension on employee laptop leaked GitHub's codebase. Damn. I was expecting some sort of crazy mythos hack but nope just someone downloading the wrong thing GitHub is not having a good time between getting hammered with
  • @nathanmcnulty Nathan McNulty on x
    😭 VS Code extensions are no different than browser extensions - high risk that you should be controlling with an allowlist Yes, review and approval processes suck, but IR sucks even more https://code.visualstudio.com/ ... [image]
  • @var_epsilon @var_epsilon on x
    3800 repos 😭😭
  • @vxunderground @vxunderground on x
    GitHub, a company owned by Microsoft, was compromised. A GitHub employee browsing the VS Code marketplace, an asset owned and operated by Microsoft, inadvertently donated a malicious VS Code extension, which Microsoft offers guidance and best practices on to avoid [image]
  • @oysta.au Christopher Owen on bluesky
    It's time to insource everything lest some goober in a company you have no oversight over does stupid shit like this [embedded post]
  • @simoneb Simone on bluesky
    Can't talk, removing all the silly vscode extensions I have installed (sorry rainbow text and cute pets, I don't wanna be on the news) [embedded post]
  • @ddsd.dolsen.net David Olsen on bluesky
    Big oof. [embedded post]
  • @cz_binance @cz_binance on x
    If you have API keys in your code, even private repos, now is the time to double check and change them...
  • @evisdrenova Evis Drenova on x
    3800 repos exfiltrated is crazy
  • @uwukko @uwukko on x
    they're helping github open source itself
  • @quinnypig Corey Quinn on x
    GitHub would have been breached a month ago but their site wouldn't stay up long enough to get popped.
  • @baldurbjarnason.com Baldur Bjarnason on bluesky
    People have been warning for years that many of the software development tools everybody is told to use were fundamentally insecure—in this case MS's VS Code—and now that long-ignored vulnerability has exposed another standard tool, GitHub  —  https://x.com/github/status/ 2056949…
  • @dinodaizovi Dino A. Dai Zovi on x
    There are a lot of interesting things for defenders to study and learn from in this full end-to-end attack path. My guess: compromised developer poisons NPM module, which gets used by a VS Code extension, poisoning it. GitHub developer installs VS Code extension, runs
  • @richardartoul Richard Artoul on x
    gotta respect GitHub for getting ahead of any potential competitors by going fully open source
  • @h4x0r_dz @h4x0r_dz on x
    It is interesting that the GitHub team didn't share the name of the malicious VS Code Extensions why ???????????????????????
  • @rekdt @rekdt on x
    Damn, how could it be possible GitHub got popped with a malicious VS Code extension when Mythos already solved Cybersecurity??
  • @forgebitz Klaas on x
    software engineering in 2026: - your package manager is compromised - your cloud provider blocks your account - github itself is hacked software is solved
  • @zachtratar Zach Tratar on x
    It's important for all software companies to be extremely defensive and safe right now. Assume most packages will get pwned. Reduce platform risk. Reduce code storage, deployment surface area. With today's GitHub announcement, even the big players are at risk. Breathtaking.
  • r/webdev on reddit
    GitHub confirms breach of 3,800 repos via malicious VSCode extension
  • @jeffwsurf Jeff Wang on x
    Pretty soon on-premise deployments are going to be cool again