Blog Security
SecurityCoding

GitHub got hacked. Not because of a zero-day. Because of trust.

· David Krcek · 9 min read
GitHub got hacked. Not because of a zero-day. Because of trust.

The cybersecurity industry loves its narratives. When things go wrong, please let it be a spectacular zero-day, a highly sophisticated nation-state operation, a previously unknown flaw in some exotic protocol. Reality is usually much more mundane.

In May 2026, GitHub lost access to roughly 3,800 internal repositories because a developer installed a tampered VS Code extension. No kernel exploit. No hypervisor breakout. No mysterious NSA magic. A plugin. A piece of software that did exactly what developers do thousands of times every day: install, update, trust.

That is why I find this incident interesting. Not because GitHub got hacked, but because GitHub got hacked the same way hundreds of other companies have been hacked recently. The so-called TeamPCP incident marks another turning point in the evolution of modern supply-chain attacks. At its center sat no classic vulnerability, but a compromise of the developer supply chain itself: extensions, tokens, local credentials, build processes, developer workstations. The significance extends far beyond GitHub. Practically every company with modern development processes uses comparable tools, identical trust models, and similar CI/CD architectures.

The attack on GitHub

According to current findings, a GitHub employee installed a tampered version of a VS Code extension. Several reports later named “Nx Console” as the extension involved. The manipulated build was only available in the marketplace for a few minutes, but it was installed and executed nonetheless.

That was enough.

VS Code extensions do not run in an isolated sandbox. They have access to files, processes, terminals, environment variables, and frequently to every developer credential stored locally. That is exactly where TeamPCP went to work. After installation, credentials, tokens, and other developer artifacts were harvested. With that information the attackers gained access to GitHub-internal systems and began cloning and exfiltrating internal repositories. GitHub later confirmed that the roughly 3,800 repositories named by the attackers were “directionally consistent” with the company’s own investigation.

The stolen data was subsequently offered for sale in cybercrime forums. Asking price: USD 50,000.

Timeline

Early May 2026. First indicators of tampered VS Code extensions surface in security forums and incident-response communities.

Mid-May 2026. Several developers report suspicious activity around VS Code extensions and unusual access to GitHub repositories.

May 18-20, 2026. The TeamPCP group publishes claims about successful access to internal GitHub repositories.

Shortly after. The stolen data is offered for sale in underground forums. Security researchers begin analyzing the attack chain.

Days later. Further campaigns using similar mechanisms appear. Security firms warn of copycat attacks on developer environments.

GitHub was not the target

Anyone treating this as an isolated GitHub mishap has missed the larger picture. GitHub was merely the next domino.

TeamPCP has been running large-scale supply-chain attacks for months. Targets included npm packages, PyPI repositories, GitHub Actions, Docker images, VS Code extensions, and CI/CD environments. Security researchers now speak of one of the most aggressive software-supply-chain campaigns in recent years.

The group follows a remarkably simple playbook:

  1. Compromise developers.
  2. Steal credentials.
  3. Tamper with trusted software.
  4. Infect new victims.
  5. Repeat.

What makes this notable is not the technical sophistication, but the scale.

Technical analysis

The attack followed a textbook modern supply-chain pattern.

Supply-chain attack path: VS Code Marketplace → developer workstation → GitHub/CI/CD → downstream supply chain

The decisive weakness sat not inside GitHub, but in the high level of trust granted to developer workstations. Once a compromised plugin runs locally, it often has access to:

  • GitHub personal access tokens
  • SSH keys
  • cloud credentials
  • CI/CD secrets
  • local build artifacts
  • browser sessions
  • terminal history
  • Kubernetes configurations
  • Docker credentials

The developer environment itself becomes the primary target.

The death of the trust model

The software industry rests on an unspoken contract. If something sits in the official marketplace, it must be safe. If a publisher is verified, it must be trustworthy. If a package has millions of downloads, somebody must have checked it.

2026 has been demolishing these assumptions almost weekly.

The compromised extension reportedly carried a legitimate publisher context. Other TeamPCP campaigns compromised existing maintainer accounts, official build pipelines, and established open-source projects. In some cases even Microsoft-adjacent packages were laced with malicious code.

The implication: the attacker no longer needs to bypass security controls. They simply take over the systems those controls already trust.

Structural causes

The root cause does not reduce to a single bad decision. The attack became possible through a combination of structural problems:

  • over-privileged developer workstations
  • long-lived tokens and credentials
  • missing isolation for VS Code extensions
  • blind trust in marketplace content
  • absence of control over external dependencies
  • excessive rights inside CI/CD systems
  • local storage of sensitive secrets
  • missing hardware binding for critical credentials

The real vulnerability was not the tampered extension. The real vulnerability was the security model.

Classic security misses this entirely

Many companies invest millions in endpoint security, SIEM systems, and vulnerability scanners. TeamPCP barely cares. Most of these tools look for known weaknesses.

This attack had no relevant CVE. No known vulnerability. No exploit. The malware arrived as a regular update through an official channel.

That is exactly why the current wave of supply-chain attacks is so dangerous for many companies. You cannot patch what was never vulnerable. You cannot detect a signature when the software ships with legitimate certificates. And you cannot close a CVE when the actual problem is human trust.

Risk analysis

The impact of these attacks is substantial. Affected parties are not just individual developers or companies, but potentially entire software supply chains.

A compromised developer account can grant access to:

  • proprietary source code
  • customer data
  • signing infrastructure
  • cloud environments
  • production systems
  • build servers
  • container registries
  • internal security tooling

Particularly critical is the ability to propagate compromised artifacts through regular CI/CD processes. This creates cascading effects that reach far beyond the original victim.

Detection guidance

Companies should actively hunt for these indicators right now:

  • unusual VS Code extension installations
  • unexpected token usage
  • new or unknown GitHub personal access tokens
  • suspicious repository clones
  • anomalous access to CI/CD secrets
  • changes to build pipelines
  • unknown processes inside VS Code
  • suspicious network connections from developer devices
  • changes to GitHub Actions
  • new SSH keys or OAuth authorizations

Systems with access to production clouds or central build infrastructure deserve particular attention.

Incident-response checklist

In case of a suspected compromise, the following measures should be taken at minimum:

  1. rotate all developer tokens immediately
  2. revoke GitHub PATs
  3. renew CI/CD secrets
  4. review OAuth authorizations
  5. inventory VS Code extensions
  6. inspect build systems for tampering
  7. replace SSH keys
  8. preserve audit logs
  9. perform forensic analysis on developer devices
  10. verify repository integrity
  11. rotate cloud credentials
  12. analyze network telemetry

Speed is decisive here. Supply-chain attacks frequently escalate within hours.

The uncomfortable inventory questions

Every company with developer workstations should be asking itself some uncomfortable questions right now.

Which VS Code extensions were installed in the past few weeks? Which extensions were updated automatically? Which GitHub tokens still exist? Which personal access tokens carry unnecessary permissions? Which CI/CD secrets have ever been used on developer devices? Which cloud credentials live locally on laptops? Which SSH keys are older than twelve months? Which build systems blindly trust external dependencies?

These questions matter far more than the question of whether you were directly hit by TeamPCP. The same attack technique is already being adopted by copycats.

The new reality for developers

For a long time the developer environment was considered a trusted zone. That was a mistake.

Developers today have access to cloud infrastructure, production systems, Kubernetes clusters, CI/CD pipelines, source-code repositories, signing keys, and secrets of every kind. For attackers, a developer device is often more valuable than a domain controller. That is exactly why modern attacks keep shifting in this direction.

The browser is being replaced by the IDE. The Office attachment is being replaced by the VS Code extension. The macro trojan is being replaced by the npm package.

The technique changes. The underlying principle does not.

The trust model has to die

The uncomfortable truth: this industry will not fix the problem with “more awareness.”

Developers have known for years that supply-chain attacks exist — just as end users have known for two decades that phishing exists. These attacks still work, because modern development environments are structurally built on blind trust.

That model needs to change.

Developer workstations can no longer be treated as fully trusted systems. Whoever has access to production clouds, CI/CD systems, signing keys, and internal repositories effectively operates a privileged administration system. Yet the same devices also run Slack, browser plugins, AI tools, VS Code extensions, and uncontrolled npm dependencies. From a security perspective that is madness.

Companies will have to accept that developer environments need much tighter controls going forward. Not out of distrust toward developers, but because developers have become one of the most valuable targets in the entire enterprise.

That means:

  • no local admin rights without technical necessity
  • no persistent cloud credentials on endpoints
  • no uncontrolled VS Code extensions from public marketplaces
  • no long-lived GitHub tokens
  • no build pipelines that blindly execute arbitrary external dependencies
  • no implicit chains of trust

Every extension, every package, every GitHub Action, every build artifact must be treated as potentially compromised. That does not mean open source is the problem. The problem is the naive automation of trust.

The industry has gotten used to running foreign code daily, directly inside privileged development environments — often entirely unreviewed. That culture is now collecting the bill.

The consequence will be uncomfortable: more isolation, more sandboxing, more signed artifacts, more reproducible builds, more short-lived credentials, more hardware-bound authentication, more zero-trust principles inside the developer environment itself.

Many developers will perceive this as constraint. The alternative is playing out in public right now. If a single tampered plugin is enough to grant access to thousands of internal repositories of one of the largest software companies in the world, the plugin is not the actual problem. The entire security model is broken.

Prevention strategies

Companies should treat modern developer environments like highly critical production systems. That means:

  • hardening developer workstations
  • device-binding credentials
  • mandatory hardware authentication
  • isolated build environments
  • reproducible builds
  • least privilege for CI/CD systems
  • full dependency transparency
  • centrally managed extension repositories
  • mandatory code-signing processes
  • aggressive secret rotation
  • continuous monitoring of developer environments

Reducing implicit trust will be especially important. Zero trust cannot stop at the developer environment.

Closing

The GitHub incident is not a story about GitHub. It is a story about trust. About an ecosystem that has gotten used to installing millions of lines of foreign code automatically. About developers installing extensions the way people once installed browser plugins. About companies confusing signatures and publisher badges with security.

TeamPCP did not discover a new vulnerability. They simply demonstrated how fragile the modern software supply chain has become. That is what makes this incident more dangerous than many classic vulnerabilities.

A zero-day can be patched. A broken trust model cannot.

David Krcek
David Krcek
AI, Apple Silicon, coding experiments, SwiftUI, and attitude.
Read more