1/ We are sharing additional details regarding our investigation into unauthorized access to GitHub's internal repositories. Yesterday we detected and contained a compromise of an employee device involving a poisoned VS Code extension. We removed the malicious extension version, isolated the endpoint, and began incident response immediately.

2/ Our current assessment is that the activity involved exfiltration of GitHub-internal repositories only. The attacker’s current claims of ~3,800 repositories are directionally consistent with our investigation so far.

3/ We moved quickly to reduce risk. Critical secrets were rotated yesterday and overnight with the highest-impact credentials prioritized first.

Chat with the most truthful AI on Earth. Try Grok free today.

@github I'm a bit uncertain which repos are included in "Github-internal repositories". Does this refer to Github's own private/internal repos or also customer private repos?

@github this means private repos in the github organization? no customer private repos? github has 3800 internal repos?!

Why did the employee have access to ~3,800 repositories in the first place, instead of only the ones required for their actual work? This level of broad internal access appears to be a significant contributor to the breach. Least-privilege access control should have prevented this scale of exfiltration.

@github Hopefully @github notifies the affected users. 🤔

@github They exfiltrated 3800 internal repos.... So virtually every single repo that you guys have got breached..? It actually sounds like a worst case scenario for the long term security of GitHub. What an absolute disaster.

@github trillion dollar company btw. you have all the excuses in the world when you little app has this problem

@github @Grok Can you send the notification to those repo owners that were directly affected?

@github they told on themselves confirming the count. damage control dressed up as transparency.

Can your AI infrastructure run itself? SuperCloud Software Suite within Data Center Building Block Solutions unifies infrastructure control, automates deployment pipelines, empowers self-service AI tools, and supports GPU cloud operations.

@github internal repos only still wild

@github having the internal repos means an attacker knows where github's trust assumptions live and can now find the one assumption that isn't actually verified

@github @theo you gotta see this

@github "Our current assessment is that the activity involved exfiltration of GitHub-internal repositories only" WHAT??? 🤦🏻

@github Consistent or inconsistent