A poisoned VS Code extension breached GitHub’s internal repositories. Around 3,800 repos may be exposed as GitHub rotates secrets and investigates the attack.

GitHub Got Hit Through a Poisoned VS Code Extension Nobody Saw Coming

2026/05/21 00:00

A single employee’s device. That was the way in. GitHub confirmed it detected and contained a compromise involving a poisoned VS Code extension installed on an internal device. The malicious extension version has since been removed. The endpoint was isolated. Incident response started immediately after detection, the company said.

The platform first flagged unusual activity in a post on X, saying it was investigating unauthorized access to its internal repositories. No evidence of impact to customer data held outside those internal systems had been found at that point.

What Got Taken and How Deep It Goes

The attacker later claimed access to approximately 3,800 repositories. GitHub, on X, said that figure was “directionally consistent” with what the investigation has uncovered so far.

The breach traces back to a supply chain attack on developer tooling. Not a direct system penetration. Someone poisoned an extension developers trust daily, waited, and collected what came through.
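As an added illustration (not from GitHub or the original article), here is one way a defender could inventory the VS Code extensions installed on a device and flag any that are not on a pinned allowlist, or whose installed version differs from the approved one. The allowlist and the `examplecorp` / `unknownpub` extensions are constructed sample data; the script assumes the desktop layout in which each folder under `~/.vscode/extensions` holds a `package.json` with `publisher`, `name` and `version`.

```python
import json
import tempfile
from pathlib import Path

# Default user-level extensions directory for desktop VS Code (assumed install layout).
DEFAULT_EXT_DIR = Path.home() / ".vscode" / "extensions"

def installed_extensions(ext_dir):
    """Yield (extension id, version) read from each extension's package.json."""
    for manifest in sorted(Path(ext_dir).glob("*/package.json")):
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
            yield f"{meta['publisher']}.{meta['name']}".lower(), str(meta["version"])
        except (OSError, ValueError, KeyError, TypeError):
            # A manifest that cannot be parsed is itself worth a look: report it.
            yield manifest.parent.name.lower(), "unreadable"

def audit(ext_dir, approved):
    """Return (id, version, reason) for every extension outside the allowlist.

    approved maps "publisher.name" -> set of approved version strings.
    """
    findings = []
    for ext_id, version in installed_extensions(ext_dir):
        if ext_id not in approved:
            findings.append((ext_id, version, "not on allowlist"))
        elif version not in approved[ext_id]:
            findings.append((ext_id, version, "unapproved version"))
    return findings

def demo():
    """Run the audit against a constructed extensions directory."""
    approved = {"examplecorp.linter": {"1.4.2"}, "examplecorp.theme": {"2.0.0"}}
    sample = [("examplecorp", "linter", "1.4.3"),   # version drift from the pin
              ("examplecorp", "theme", "2.0.0"),    # approved
              ("unknownpub", "helper", "0.0.1")]    # never approved
    with tempfile.TemporaryDirectory() as tmp:
        for pub, name, ver in sample:
            folder = Path(tmp) / f"{pub}.{name}-{ver}"
            folder.mkdir()
            (folder / "package.json").write_text(
                json.dumps({"publisher": pub, "name": name, "version": ver}))
        return audit(tmp, approved)

if __name__ == "__main__":
    for finding in demo():
        print(*finding, sep="\t")
```

Pointing `audit()` at `DEFAULT_EXT_DIR` with an organization's own allowlist turns the demo into a check against a real endpoint.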

GitHub noted in a follow-up post that critical secrets were rotated the same day the breach was detected and throughout that night. Highest-impact credentials moved first. The company continued validating those rotations and monitoring for follow-on activity.

Binance Founder Weighs In

Changpeng Zhao, known on X as @cz_binance, quoted GitHub’s initial incident disclosure. His message was blunt: anyone with API keys stored in code, even in private repositories, should double-check and rotate them now.

Private repos aren’t a safe place for secrets. That was the point. Per @github on X, only GitHub-internal repositories appear to have been touched. Enterprises, organizations, and customer-owned repositories on the platform fall outside the scope of what was accessed, based on current findings.

That could change. GitHub was clear that the investigation remains open and that further action would follow if warranted.

GitHub’s Timeline Since Detection

The response moved fast, at least on the secrets side. Critical credentials were prioritized within hours. Logs are still being analyzed. GitHub said on X it plans to publish a fuller report once the investigation wraps up.

No timeline was given for when that report lands.

The broader pattern here isn’t entirely new. Developer tools have become a recurring entry point for attackers who prefer patience over brute force. A trusted extension, installed on a legitimate device, inside a major infrastructure company. The math is straightforward if you’re willing to wait.

GitHub reiterated in its X thread that customers would be notified through established incident response channels if any impact to their data is discovered.

The investigation is ongoing.

The post GitHub Got Hit Through a Poisoned VS Code Extension Nobody Saw Coming appeared first on Live Bitcoin News.