GitHub investigates unauthorized access to internal repositories

GitHub disclosed that it detected and contained a compromise of an employee device on Monday, May 18, involving a poisoned VS Code extension published by a third party.

The company says it removed the malicious extension version, isolated the affected endpoint, and began incident response immediately. GitHub’s current assessment is that the activity involved exfiltration of GitHub-internal repositories only. The company said the attacker’s claim of roughly 3,800 repositories is directionally consistent with its investigation so far.

GitHub says it has no evidence that customer information stored outside GitHub’s internal repositories was affected. That includes customers’ own enterprises, organizations, and repositories. Some internal repositories may contain customer-related information, including excerpts of support interactions, and GitHub said it will notify customers through established incident response channels if any customer impact is found.

The company rotated critical secrets beginning Monday and continuing into Tuesday, prioritizing the highest-impact credentials first. GitHub says it is continuing to analyze logs, validate secret rotation, and monitor infrastructure for follow-on activity.

GitHub said it will publish a fuller report after the investigation is complete. The disclosure was written by GitHub Chief Information Security Officer Alexis Wales.

Source: https://github.blog/security/investigating-unauthorized-access-to-githubs-internal-repositories/