GitHub hit by network compromise
Incident
Summary
Hide ▲
Show ▼
GitHub is investigating unauthorized access to its internal repositories after a third party allegedly offered stolen material for sale on a cybercrime forum. The intrusion was linked to a poisoned VS Code extension on an employee device and appears to have exposed internal source code and development data. GitHub said it removed the malicious extension, isolated the endpoint, and began incident response to contain the exposure. Later reporting said the access covered thousands of internal repositories and that critical secrets were rotated; no evidence of customer data outside the internal repositories has been identified so far.
Related Happenings
Codfish/semantic-release-action hit by network compromise
Incident
H score21
First: 26.06.2026 14:05
Last: 26.06.2026 14:05
Sources 1
About this happening:
The **codfish/semantic-release-action** GitHub Action was hit by a **malicious commit force-push** and **tag redirection** that caused trusted workflows to run attacker code. The...
Codfish/semantic-release-action hit by network compromise
IncidentAbout this happening: The **codfish/semantic-release-action** GitHub Action was hit by a **malicious commit force-push** and **tag redirection** that caused trusted workflows to run attacker code. The...
Claude Code GitHub Action bot trigger bypass security flaw
Vulnerability
H score31
First: 04.06.2026 18:15
Last: 04.06.2026 18:15
Sources 1
About this happening:
**Anthropic's Claude Code GitHub Action** had a **trigger-check bypass** that let a malicious **GitHub issue** escalate into **repository takeover** for vulnerable public reposito...
Claude Code GitHub Action bot trigger bypass security flaw
VulnerabilityAbout this happening: **Anthropic's Claude Code GitHub Action** had a **trigger-check bypass** that let a malicious **GitHub issue** escalate into **repository takeover** for vulnerable public reposito...
Laravel Lang organization hit by network compromise
Incident
H score14
First: 23.05.2026 23:48
Last: 23.05.2026 23:48
Sources 1
About this happening:
The **Laravel Lang organization** suffered a **repository compromise** that let attackers rewrite **GitHub tags** and ship malicious code through **Composer** installs. The affect...
Laravel Lang organization hit by network compromise
IncidentAbout this happening: The **Laravel Lang organization** suffered a **repository compromise** that let attackers rewrite **GitHub tags** and ship malicious code through **Composer** installs. The affect...
Megalodon GitHub CI/CD supply-chain campaign
Campaign
H score50
First: 22.05.2026 14:55
Last: 22.05.2026 14:55
Sources 1
About this happening:
The **Megalodon** campaign pushed **5,718 malicious commits** into **5,561 GitHub repositories** in about **six hours**, creating a broad **CI/CD secret-theft** risk across develo...
Megalodon GitHub CI/CD supply-chain campaign
CampaignAbout this happening: The **Megalodon** campaign pushed **5,718 malicious commits** into **5,561 GitHub repositories** in about **six hours**, creating a broad **CI/CD secret-theft** risk across develo...
GitHub data exposed after GitHub breach
Data Leak
H score35
First: 20.05.2026 11:14
Last: 20.05.2026 11:14
Sources 1
How related:
Our current assessment is that the activity involved exfiltration of GitHub-internal repositories only. The attacker's current claims of ~3,800 repositories are directionally consistent with our investigation so far.
About this happening:
GitHub confirmed **exfiltration** of **internal repositories**, making private code and related content potentially available to outsiders. Attackers on the **Breached cybercrime...
GitHub data exposed after GitHub breach
Data LeakHow related: Our current assessment is that the activity involved exfiltration of GitHub-internal repositories only. The attacker's current claims of ~3,800 repositories are directionally consistent with our investigation so far.
About this happening: GitHub confirmed **exfiltration** of **internal repositories**, making private code and related content potentially available to outsiders. Attackers on the **Breached cybercrime...
Timeline
-
20.05.2026 13:45 1 articles · 1mo ago
GitHub removes malicious VS Code extension and isolates endpoint
Mitigation Patch UpdateGitHub detected unauthorized access tied to a poisoned Visual Studio Code (VS Code) extension on an employee device, removed the malicious extension version, isolated the endpoint, and began incident response to contain exposure across internal repositories.
Show sources
- GitHub Confirms Breach of Internal Repositories Via Malicious VS Code Extension — www.infosecurity-magazine.com — 20.05.2026 13:45
-
20.05.2026 13:45 2 articles · 1mo ago
GitHub confirms unauthorized access to 3,800 internal repositories
Initial DisclosureGitHub confirmed that a third party gained unauthorized access to 3,800 internal repositories; the intrusion was linked to a poisoned VS Code extension, and TeamPCP claimed the breach on Breached while demanding at least $50,000 for the stolen data and warning that it could be leaked for free if no buyer emerged.
Show sources
- GitHub Confirms Breach of Internal Repositories Via Malicious VS Code Extension — www.infosecurity-magazine.com — 20.05.2026 13:45
- GitHub Breach Traced to Malicious 'Nx Console' VS Code Extension — www.infosecurity-magazine.com — 21.05.2026 17:45
-
20.05.2026 11:14 2 articles · 1mo ago
GitHub detects employee-device compromise via poisoned VS Code extension
Exploitation ObservedGitHub detected a compromise of an employee device involving a poisoned VS Code extension, removed the malicious extension version from the VS Code marketplace, isolated the endpoint, and began incident response.
Show sources
- GitHub confirms breach of 3,800 repos via malicious VSCode extension — www.bleepingcomputer.com — 20.05.2026 11:14
- GitHub confirms breach of 3,800 repos via malicious VSCode extension — www.bleepingcomputer.com — 20.05.2026 11:14
-
20.05.2026 07:01 3 articles · 1mo ago
GitHub investigates unauthorized access to internal repositories
Initial DisclosureGitHub said it is investigating unauthorized access to its internal repositories after TeamPCP listed GitHub source code and internal organizations for sale on a cybercrime forum, with the alleged dump said to include about 4,000 repositories. GitHub said it currently has no evidence of impact to customer information stored outside its internal repositories and is closely monitoring its infrastructure for follow-on activity, with customer notification to follow through established incident response and notification channels if any impact is discovered.
Show sources
- GitHub Investigating TeamPCP Claimed Breach of ~4,000 Internal Repositories — thehackernews.com — 20.05.2026 07:01
- GitHub investigates internal repositories breach claimed by TeamPCP — www.bleepingcomputer.com — 20.05.2026 08:08
- GitHub confirms breach of 3,800 repos via malicious VSCode extension — www.bleepingcomputer.com — 20.05.2026 11:14
-
20.05.2026 07:01 3 articles · 1mo ago
GitHub investigates unauthorized access to internal repositories
Initial DisclosureGitHub said it is investigating unauthorized access to its internal repositories after TeamPCP listed GitHub source code and internal organizations for sale on a cybercrime forum, with the alleged dump said to include about 4,000 repositories. GitHub said it currently has no evidence of impact to customer information stored outside its internal repositories and is closely monitoring its infrastructure for follow-on activity, with customer notification to follow through established incident response and notification channels if any impact is discovered.
Show sources
- GitHub Investigating TeamPCP Claimed Breach of ~4,000 Internal Repositories — thehackernews.com — 20.05.2026 07:01
- GitHub investigates internal repositories breach claimed by TeamPCP — www.bleepingcomputer.com — 20.05.2026 08:08
- GitHub confirms breach of 3,800 repos via malicious VSCode extension — www.bleepingcomputer.com — 20.05.2026 11:14
-
20.05.2026 07:01 3 articles · 1mo ago
GitHub investigates unauthorized access to internal repositories
Initial DisclosureGitHub said it is investigating unauthorized access to its internal repositories after TeamPCP listed GitHub source code and internal organizations for sale on a cybercrime forum, with the alleged dump said to include about 4,000 repositories. GitHub said it currently has no evidence of impact to customer information stored outside its internal repositories and is closely monitoring its infrastructure for follow-on activity, with customer notification to follow through established incident response and notification channels if any impact is discovered.
Show sources
- GitHub Investigating TeamPCP Claimed Breach of ~4,000 Internal Repositories — thehackernews.com — 20.05.2026 07:01
- GitHub investigates internal repositories breach claimed by TeamPCP — www.bleepingcomputer.com — 20.05.2026 08:08
- GitHub confirms breach of 3,800 repos via malicious VSCode extension — www.bleepingcomputer.com — 20.05.2026 11:14