**How GitHub Confirmed a Breach of 3,800 Repositories**
GitHub confirmed that approximately **3,800 internal repositories** were breached after an employee installed a **malicious VS Code extension**. The company detected and contained the compromise, removed the malicious extension from the VS Code marketplace, isolated the affected device, and initiated incident response.
**Key Details:**
- **Attack Vector:** A poisoned VS Code extension installed by an employee.
- **Impact:** Exfiltration of GitHub-internal repositories only; no evidence of customer data or external repositories being affected.
- **Attribution:** The breach is linked to the **TeamPCP** hacker group, which claimed access to ~4,000 private repositories and offered them for sale on a cybercrime forum for at least $50,000.
- **Broader Context:** TeamPCP is also responsible for the **"Mini Shai-Hulud" supply-chain campaign**, which compromised hundreds of npm and PyPI packages, affecting companies such as Mistral AI, OpenAI, and TanStack.
**Additional Findings:**
- **Mistral AI** confirmed a breach of nearly 450 repositories (5 GB of internal code) via the same supply-chain attack, with hackers demanding $25,000.
- **OpenAI** reported that two employees' devices were breached in the TanStack supply-chain attack, leading to credential theft and rotation of code-signing certificates.
- **Grafana** also suffered a breach via a stolen GitHub token, with the CoinbaseCartel extortion gang claiming responsibility.
**Conclusion:** The GitHub breach highlights the growing threat of malicious VS Code extensions and supply-chain attacks targeting developer ecosystems. While GitHub reports no evidence that customer data was affected, the incident underscores the need for heightened security measures in software development environments.
**Sources:**
- https://www.bleepingcomputer.com/news/security/github-confirms-breach-of-3-800-repos-via-malicious-vscode-extension/
- https://www.bleepingcomputer.com/news/security/teampcp-hackers-advertise-mistral-ai-code-repos-for-sale/