PC Gamer
Jess Kinghorn

Devs, be careful what you plug in: GitHub security breach was apparently facilitated by a 'poisoned Visual Studio Code extension'

The Github Logo on a phone in front of the words "Let's build from here".

GitHub, arguably the place for developers to store and share code, has been the target of a cyberattack. The Microsoft-owned platform reported on Tuesday that its internal repositories experienced unauthorised access, although it does not appear to have exposed customer information outside of that.

"Our current assessment is that the activity involved exfiltration of GitHub-internal repositories only," GitHub shared most recently on X. "The attacker’s current claims of ~3,800 repositories are directionally consistent with our investigation so far."

The attack reportedly took place via a compromised employee device "involving a poisoned [Visual Studio] Code extension." GitHub did not name the specific developer extension that was leveraged in the breach, nor the attacker. GitHub continues, "We removed the malicious extension version, isolated the endpoint, and began incident response immediately."

Backdoors placed in useful extensions are not a novel route of attack. For example, one bad actor snaffled up 31 WordPress plugins and placed a backdoor in all of them. For another, security researchers claimed last year that 35 Chrome extensions with over 4,000,000 installs 'include some kind of spyware or infostealer'.

GitHub's highest-impact credentials have now been rotated, and the platform says it is continuing to keep an eye out for any further unauthorised access. The platform will share a full report on the security incident in the near future.

(Image credit: EDUARD MUZHEVSKYI / SCIENCE PHOTO LIBRARY, Github)

According to Bleeping Computer, hacker group TeamPCP have since claimed responsibility for the GitHub attack via the Breached cybercrime forum. The group says it's gained access to GitHub source code as well as over "4,000 repos of private code." However, the cybercriminals' motivations are not so clear cut; the alleged attackers write, "As always this is not a ransom; we do not care about extorting Github."

"One buyer and we shred the data on our end," the group continues. "It looks like our retirement is soon, so if no buyer is found we will leak it [for] free. If you are interested, send your offers to the communications below. We are not interested in under 50k—the best offer will get it."
