May 23, 2026

GitHub Hacked via Poisoned VS Code Extension, 3,800 Repos Stolen

GitHub confirmed hackers stole 3,800 internal repositories after an employee installed a compromised Nx Console extension on May 18, 2026.

Insta's take

"The trust model for developer tools is broken. One poisoned VS Code extension at GitHub compromised 3,800 repos—if it can happen there, your developers are sitting ducks."

GitHub disclosed on May 20, 2026 that approximately 3,800 internal repositories were stolen after an employee installed a poisoned version of the Nx Console VS Code extension (version 18.95.0). The TeamPCP hacking group, tracked by Google as UNC6780, claims responsibility and is demanding at least $50,000 for the stolen data.

The malicious extension was published on May 18 and ran credential-stealing code against any developer who opened a workspace between 12:36 and 12:47 UTC. GitHub responded by removing the extension, isolating the affected device, and rotating critical secrets overnight. TeamPCP has conducted at least seven confirmed supply chain attacks targeting developer tools, including Trivy, Checkmarx KICS, LiteLLM, Bitwarden CLI, TanStack, and Mistral AI, and previously breached the European Commission through similar methods.

This incident highlights the vulnerability of development environments where VS Code extensions run with full editor privileges. Internal repositories contain infrastructure configurations, deployment scripts, and API schemas—making this an infrastructure intelligence leak beyond a simple data breach. GitHub has not confirmed customer data exposure, but the attack demonstrates how a single compromised developer tool can expose critical systems at major software companies.

Why Insta thinks this matters

Developer tools have become the primary attack vector for supply chain breaches, with extensions and plugins often running with unrestricted system access. Organizations must treat developer environment security as critical infrastructure, implementing stricter controls around tool installation and credential management. For regulated industries, source code breaches trigger compliance obligations and audit consequences beyond traditional data breach protocols.
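One concrete control for tool installation is an inventory check. The Python script below is an added example, not code from the article's sources, GitHub, or Nx: it scans a VS Code extensions directory for the extension name and version named above. It assumes the extension's package.json manifest uses the displayName "Nx Console"; the publisher "examplepub" and version 18.94.0 in the sample data are constructed.

```python
import json
import tempfile
from pathlib import Path

# Name and version come from the article. Matching on displayName is an
# assumption about how the extension labels itself in package.json.
FLAGGED = {"nx console": {"18.95.0"}}

def scan_extensions(ext_dir):
    """Return (findings, unreadable) for one VS Code extensions directory."""
    findings, unreadable = [], []
    for manifest in sorted(Path(ext_dir).glob("*/package.json")):
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
            if not isinstance(meta, dict):
                raise ValueError("manifest is not a JSON object")
        except (OSError, ValueError):
            # A manifest that cannot be parsed is reported, not skipped silently.
            unreadable.append(manifest.parent.name)
            continue
        name = str(meta.get("displayName", "")).strip().lower()
        version = str(meta.get("version", "")).strip()
        if version in FLAGGED.get(name, ()):
            findings.append({
                "folder": manifest.parent.name,
                "id": f"{meta.get('publisher', '?')}.{meta.get('name', '?')}",
                "version": version,
            })
    return findings, unreadable

def demo():
    """Constructed tree: one flagged install, one other version, one corrupt manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        for version in ("18.95.0", "18.94.0"):
            folder = Path(tmp) / f"examplepub.nx-console-{version}"
            folder.mkdir()
            (folder / "package.json").write_text(json.dumps({
                "publisher": "examplepub", "name": "nx-console",
                "displayName": "Nx Console", "version": version}))
        bad = Path(tmp) / "examplepub.broken-1.0.0"
        bad.mkdir()
        (bad / "package.json").write_text("{not json")
        return scan_extensions(tmp)

if __name__ == "__main__":
    # Default per-user locations for desktop VS Code and VS Code Server.
    for root in (Path.home() / ".vscode/extensions", Path.home() / ".vscode-server/extensions"):
        if root.is_dir():
            print(root, *scan_extensions(root))
```

A hit means the flagged version is still on disk; an empty result does not show the version was never installed, since extensions auto-update and old folders are removed.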

Sources
TechCrunch, VentureBeat
