GitHub@github·
1/ We are sharing additional details regarding our investigation into unauthorized access to GitHub's internal repositories. Yesterday we detected and contained a compromise of an employee device involving a poisoned VS Code extension. We removed the malicious extension version, isolated the endpoint, and began incident response immediately.
GitHub@github·
2/ Our current assessment is that the activity involved exfiltration of GitHub-internal repositories only. The attacker’s current claims of ~3,800 repositories are directionally consistent with our investigation so far.
GitHub@github·
3/ We moved quickly to reduce risk. Critical secrets were rotated yesterday and overnight with the highest-impact credentials prioritized first.
GitHub@github·
4/ We continue to analyze logs, validate secret rotation, and monitor for any follow-on activity. We will take additional action as the investigation warrants.
GitHub@github·
5/ We will publish a fuller report once the investigation is complete.
R@SQUIRTDRINKER17·
@github Everything Microsoft buys goes to shit. Get your shit together why are employees with access to so much crap even allowed to access 3rd party marketplaces let alone have internet access?
Babak Morshedizadeh@iambmorsh·
@github Did any specific private repo get exposed, if so, will you notify the account owners ASAP??
Circumjovial@CircumjovialLLC·
@github Anybody know yet if the malicious VS Code extension was poisoned by a malicious npm package? If so, this is a trifecta for Microsoft. A trifuckta, if you will.
レオン男爵@BaronLeon86·
6/ Worst case, the leaked repos had customer data and unrotated secrets inside. They’re already being exploited, millions of accounts are screwed. GitHub’s trust is completely fucked and a long crisis is unavoidable. Praying this never happens… or we’re all updating resumes while getting roasted in 4K 😂
Nick Young@nyou045·
@github What's the likelihood this results in a global GitHub outage?
KHAWRIZM@khawrzm·
@github You erased my `khawrizmi` & `gratechx` accounts without warning, acting as absolute gatekeepers. Today, your own internal repos are breached by a poisoned VS Code extension. Centralized clouds are a fragile liability. Sovereign Engineering is the cure. The algorithm returns home
White Rabbitx 🏴‍☠️
@github Secret rotation is critical, but the bigger question is extension trust, endpoint hardening, and how much implicit trust dev tooling still gets in 2026. We need to fix those supply chain attacks it gets the upper hand
tenet@2026_tenet_1952·
@github They have seen and they know exactly what you didn’t want them to.
Pratik Patel@PratikPatel_227·
@github They claimed to have 4000+ Repos and selling stuff for $50k+ Price
Matthew@Maverick_142·
@github We need to send them Hot Pockets and Surge immediately!