GitHub confirmed that roughly 3,800 of its internal repositories were accessed after an employee installed a malicious Visual Studio Code extension [1].
The incident highlights a critical vulnerability in the software supply chain, demonstrating how a single compromised developer tool can expose thousands of private assets.
The breach was detected on May 19, 2026 [2]. According to company reports, the unauthorized access occurred after a GitHub employee installed a poisoned third-party extension for VS Code, a popular code editor [1], [3]. This extension served as the entry point for attackers to reach the platform's internal code repositories [1], [5].
Security researchers said the attack targeted the developer's environment to bypass standard security perimeters. Once the extension was active on the employee's device, it provided the necessary access to penetrate the internal systems where the repositories are stored [1], [4].
GitHub reported the breach on May 20, 2026 [3]. The company said the impact was limited to internal repositories, which contain the proprietary code used to build and maintain the platform [1], [4].
While the company has not disclosed the specific nature of the code stolen, the volume of affected repositories—approximately 3,800 [1]—suggests a significant exposure of internal intellectual property. The event underscores the risks associated with third-party plugins in integrated development environments (IDEs), which often possess high-level permissions to interact with a developer's file system and network [5].
GitHub is currently investigating the full extent of the data accessed through the malicious extension. The company said it has not yet identified the actors responsible for the poisoned extension [1], [3].
This breach illustrates the growing threat of 'poisoned' developer tools, where attackers target the software used to write code rather than the code itself. By compromising a VS Code extension, attackers bypassed traditional perimeter defenses by operating from within a trusted employee's authenticated session. This emphasizes a shift toward supply-chain attacks targeting the internal developer experience (DevEx) to gain deep access to proprietary corporate intellectual property.





