GitHub investigates attack via malicious VS Code extension

GitHub says that attackers gained access to the platform’s internal repositories via a malicious extension for Visual Studio Code. According to the company, there are currently no indications that customer data or private repositories have been compromised, but the scale of the incident is causing concern among developers.

GitHub reported on X: “We are investigating unauthorized access to GitHub’s internal repositories. At this time, we have no indication that customer information outside of those internal repositories—such as enterprise environments, organizations, or customer repositories—has been compromised. However, we are closely monitoring our infrastructure for any potential follow-up activity.”

Later, the platform announced that a poisoned VS Code extension was likely the entry point for the attack. GitHub says it is currently analyzing log files, replacing access credentials, and conducting additional monitoring to detect follow-up activities by attackers. This is reported by DevClass.

Claims of thousands of repositories

According to GitHub, the attackers’ claims regarding approximately 3,800 compromised repositories align with the initial investigation findings. This may involve the same group linked to the Shai-Hulud malware campaign. That malware has been circulating within the npm ecosystem for some time and is associated with multiple attacks on development environments.

Reports have appeared online in which the attackers claim to be offering internal GitHub source code for sale. They mention approximately 4,000 repositories. The group reportedly stated that they would make the code public if no buyer is found. Such statements have not yet been independently confirmed.

Among developers, the main question is whether the attack is limited to internal GitHub systems or if customer environments are also at risk. If attackers have gained long-term access via stolen credentials, this could eventually have consequences for commercial code, secrets, and other sensitive data.

Security specialists have long pointed out that developers sometimes still store passwords, API keys, or tokens in repositories. This also happens in private repositories, despite the risk that such data could still be leaked later.
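The check that addresses this is a secret scan run before a commit lands, or in CI over the whole tree. The following is an added example (not GitHub's tooling or anything from the article): a small scanner that applies two documented token formats (GitHub classic PATs begin with `ghp_`, AWS access key IDs with `AKIA`) plus an entropy-gated generic rule for `key=value` lines, and reports findings in redacted form. The sample file contents are constructed; `AKIAIOSFODNN7EXAMPLE` is AWS's own documentation example key, the other values are made up.

```python
"""Constructed example: a small secret scanner for repository text.

Added illustration, not GitHub's or any vendor's tool. It applies a few
well-known token patterns plus an entropy-gated generic rule to text, the
check a pre-commit hook or CI job would run so credentials never land in a
repository (private ones included).
"""
import math
import re
from dataclasses import dataclass

# Specific, low-false-positive patterns. The prefixes are documented formats
# (GitHub classic PATs start with ghp_, AWS access key IDs with AKIA).
SPECIFIC_RULES = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

# Generic rule: a credential-looking key followed by a long value. On its own it
# is noisy, so matches are only reported when the value has high entropy.
GENERIC_RULE = re.compile(
    r"(?i)(api[_-]?key|secret|token|password)\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+=]{16,})"
)
ENTROPY_THRESHOLD = 4.0  # bits per character; random tokens sit well above this


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    preview: str  # redacted: never log the full secret


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character of the string."""
    if not value:
        return 0.0
    counts = {ch: value.count(ch) for ch in set(value)}
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(secret: str) -> str:
    """Keep only a short prefix and the length so a report is safe to store."""
    return f"{secret[:4]}...({len(secret)} chars)"


def scan_text(path: str, text: str) -> list[Finding]:
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        hit = False
        for name, rx in SPECIFIC_RULES.items():
            for m in rx.finditer(line):
                findings.append(Finding(path, lineno, name, redact(m.group(0))))
                hit = True
        if hit:
            continue  # a specific rule already explains this line
        m = GENERIC_RULE.search(line)
        if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
            findings.append(Finding(path, lineno, "high_entropy_value", redact(m.group(2))))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample repository contents (AKIAIOSFODNN7EXAMPLE is AWS's
# published documentation example key; the other values are made up).
SAMPLE_FILES = {
    "config.py": 'API_KEY = "AKIAIOSFODNN7EXAMPLE"\nDEBUG = True\n',
    ".env": "GITHUB_TOKEN=ghp_1234567890abcdefghijklmnopqrstuvwxyz\n",
    "settings.yaml": (
        'password: "changeme_placeholder"\n'  # low entropy: not reported
        'db_token: "x9Qm2ZpL4vT8wR1sK6nB3yH0jF5cD7eG"\n'
    ),
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: {f.rule}: {f.preview}")
```

Two design points matter in practice. The specific rules run first and suppress the generic rule on the same line, so a known token format is reported once under its own name; and the generic rule is gated on entropy so that placeholders like `changeme_placeholder` do not page anyone, while a random 32-character value does. The report carries only a prefix and length, so the scan output itself never becomes a second copy of the secret.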

The attack also follows a series of previous security issues involving GitHub and the broader software ecosystem. Last month, Wiz Research reported a vulnerability allowing remote code execution in GitHub.com and GitHub Enterprise Server. Researchers noted at the time that the vulnerability was easy to exploit.

Criticism of GitHub is growing

The incident also fuels broader criticism of GitHub. In recent months, the platform has already faced attacks via npm packages linked to Shai-Hulud-related code. Critics argue that GitHub has not taken sufficient action, despite earlier warnings about abuse.

In addition, developers are complaining about stability issues and the impact of AI scrapers that crawl public repositories at scale to train AI models. Partly because of this, HashiCorp founder Mitchell Hashimoto recently stated that, in his opinion, GitHub is “no longer suitable for serious development work.”

At the same time, interest is growing in alternatives that offer more control over code storage and infrastructure. Among others, Forgejo and the Codeberg platform based on it are being mentioned.

GitHub has announced that it will release a more comprehensive investigation report once its internal investigation is complete.