Pakistan Digital Post


GitHub Confirms Major Security Breach After Malware-Infected VS Code Extension Attack

GitHub has confirmed a significant security breach that exposed nearly 3,800 internal repositories after a developer’s device was compromised through a malicious Visual Studio Code extension in a suspected supply chain cyberattack.

The platform said unauthorized actors gained access to GitHub’s internal infrastructure after malware infected an employee endpoint via a poisoned VS Code extension, allowing attackers to exfiltrate sensitive internal repositories.

According to GitHub, the breach was limited to internal company repositories containing infrastructure configurations, deployment scripts and internal development tools. The company stressed that there is currently no evidence suggesting customer data or external corporate repositories were affected.

The cybercrime group known as TeamPCP has reportedly claimed responsibility for the attack and allegedly placed the stolen data for sale on a major hacking forum, raising fresh concerns about software supply chain security risks.

Security analysts say the incident highlights the growing threat posed by compromised developer tools and malicious editor extensions, which are increasingly used to infiltrate major technology companies.

GitHub stated that it immediately isolated the compromised device, removed the malicious extension and rotated critical security credentials overnight in an effort to contain the breach and prevent further unauthorized access.

Cybersecurity experts warn that attacks targeting software development environments can have far-reaching consequences because compromised internal systems may expose sensitive infrastructure and development pipelines.

The incident also underscores rising concerns surrounding third-party software dependencies and extension ecosystems widely used by developers worldwide.

Technology observers say supply chain attacks have become one of the most dangerous forms of cyber intrusion as hackers increasingly target trusted development tools and platforms rather than directly attacking corporate networks.

The breach comes amid growing global alarm over escalating cyber threats targeting technology companies, cloud infrastructure providers and software development ecosystems.

Analysts believe the incident could further intensify calls for stricter verification and security screening mechanisms for third-party extensions and developer tools used across enterprise environments.
