GitHub confirmed that roughly 3,800 internal repositories were compromised after one of its employees installed a malicious VS Code extension.
The company has since removed the unnamed Trojanized extension from the VS Code marketplace to protect compromised devices.
“Yesterday, we detected and contained a compromise of an employee’s device that contained a malicious VS Code extension. We removed the malicious extension version, isolated the endpoint, and immediately initiated incident response,” the company said.
“Our current assessment is that this activity involved the exfiltration of only internal GitHub repositories. The attackers’ current claims of roughly 3,800 repositories are directionally consistent with our investigation so far.”
This comes after GitHub told BleepingComputer on Tuesday night that it was investigating allegations of unauthorized access to internal repositories, adding that there was no evidence that customer data stored outside of the affected repositories was affected.
GitHub has not yet disclosed the source of the breach, but the TeamPCP hacker group on Tuesday claimed access to GitHub’s source code and “roughly 4,000 private code repositories” on a cybercrime forum and demanded at least $50,000 for the stolen data.
“As always, this is not a ransom. We, Github, are not interested in extorting a single buyer. The data will be shredded on our end. It looks like our retirement is near, so if we can’t find a buyer, we will leak it for free,” the cybercriminals said. “If you are , please send your offer to the contact details below. We’re not interested in less than 50,000. We will get you the best offer.”
TeamPCP has previously been associated with large-scale supply chain attacks targeting developer code platforms such as GitHub, PyPI, NPM, Docker, and more recently with the “Mini Shai-Hulud” supply chain campaign (which also affected two OpenAI employees).
VS Code extensions are plugins that you can install from the VS Code Marketplace, the official store for add-ons for Microsoft’s code editor, to add functionality or integrate tools into your editor.
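Because an extension runs with the same privileges as the developer who installed it, one practical control is an inventory check: compare what is installed on each endpoint against a list of vetted extensions and versions. The script below is an added example (not code from the article, GitHub or BleepingComputer). It assumes VS Code's `extensions.json` inventory under `~/.vscode/extensions` and a hypothetical organisational allowlist; the inventory it audits by default is a constructed sample embedded inline, so it runs offline.

```python
"""Audit installed VS Code extensions against an allowlist.

Added example (not from the article or from GitHub). The inventory path
below is an assumption for Linux/macOS installs; ALLOWLIST and the sample
inventory are constructed for illustration.
"""
import json
from pathlib import Path

# Assumed location of the inventory VS Code keeps for installed extensions.
EXTENSIONS_JSON = Path.home() / ".vscode" / "extensions" / "extensions.json"

# Hypothetical allowlist: "publisher.name" identifiers the organisation has
# reviewed, mapped to the version that was reviewed.
ALLOWLIST = {
    "ms-python.python": "2024.2.1",
    "redhat.java": "1.28.0",
}

# Constructed sample in the shape VS Code uses: one object per extension with
# an identifier block and a version string.
SAMPLE_INVENTORY = json.dumps([
    {"identifier": {"id": "ms-python.python"}, "version": "2024.2.1"},
    {"identifier": {"id": "redhat.java"}, "version": "1.29.0"},
    {"identifier": {"id": "acme-tools.cloud-helper"}, "version": "0.0.3"},
])


def audit(inventory_text: str, allowlist: dict) -> list:
    """Return findings for extensions not on the allowlist or at an unreviewed version."""
    findings = []
    for entry in json.loads(inventory_text):
        ext_id = entry["identifier"]["id"].lower()  # extension ids are case-insensitive
        version = entry.get("version", "unknown")
        if ext_id not in allowlist:
            findings.append({"id": ext_id, "version": version,
                             "reason": "not on allowlist"})
        elif allowlist[ext_id] != version:
            findings.append({"id": ext_id, "version": version,
                             "reason": f"version differs from reviewed {allowlist[ext_id]}"})
    return findings


def audit_host(path: Path = EXTENSIONS_JSON) -> list:
    """Audit this machine's real inventory; empty list if the file is absent."""
    if not path.is_file():
        return []
    return audit(path.read_text(encoding="utf-8"), ALLOWLIST)


if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY, ALLOWLIST):
        print(f"[sample] {f['id']} {f['version']}: {f['reason']}")
    for f in audit_host():
        print(f"[this host] {f['id']} {f['version']}: {f['reason']}")
```

Run centrally (for example from an endpoint management agent) the findings give a per-host list of unreviewed or drifted extensions; pinning versions matters because a compromised publisher account can push a malicious update to an extension that was clean when it was vetted.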
This isn’t the first time that a Trojanized VS Code extension has been found on the marketplace, as several other malicious extensions that have been installed millions of times over the past few years have been used to steal developer credentials and other sensitive data.
For example, last year, a VSCode extension that was installed 9 million times was removed due to security risks, and another 10 masqueraded as legitimate development tools to infect users with the XMRig cryptominer.
Later this year, a malicious extension with basic ransomware functionality crept into the VS Code marketplace after a threat actor named WhiteCobra flooded the site with an extension that stole 24 cryptocurrencies.
Most recently, in January, two malicious extensions advertising AI-based coding assistants had 1.5 million installs, exfiltrating data from compromised developer systems to servers in China.
GitHub’s cloud-based platform is currently used by more than 4 million organizations (including 90% of the Fortune 100) and more than 180 million developers contributing to more than 420 million code repositories.
