GitHub’s internal repositories have been invaded

GitHub has launched an investigation following the discovery of unauthorized access to its internal code repositories. The platform announced the security incident late Tuesday via its official X account, stating that incident response teams are closely monitoring the infrastructure for any subsequent malicious activity.

No Evidence of Customer Impact, Yet

According to GitHub’s statement, the breach currently appears confined to the company’s own internal systems. The company emphasized that user data and customer-owned repositories remain unaffected at this time.

“We are investigating unauthorized access to GitHub’s internal repositories. While we currently have no evidence of impact to customer information stored outside of GitHub’s internal repositories (such as our customers’ enterprises, organizations, and repositories), we are closely monitoring our infrastructure for follow-on activity.”

GitHub has assured the developer community that if the ongoing investigation uncovers any compromise of user data or service disruptions, customers will be notified directly through existing incident response channels.

Update:

“We are sharing additional details regarding our investigation into unauthorized access to GitHub’s internal repositories.

Yesterday we detected and contained a compromise of an employee device involving a poisoned VS Code extension. We removed the malicious extension version, isolated the endpoint, and began incident response immediately.

Our current assessment is that the activity involved exfiltration of GitHub-internal repositories only. The attacker’s current claims of ~3,800 repositories are directionally consistent with our investigation so far.

We moved quickly to reduce risk. Critical secrets were rotated yesterday and overnight with the highest-impact credentials prioritized first.

We continue to analyze logs, validate secret rotation, and monitor for any follow-on activity. We will take additional action as the investigation warrants.

We will publish a fuller report once the investigation is complete.”

A Broader Trend of Source Code Targeting

The news of GitHub’s internal breach comes during a tense week for code repository security. Just days prior, on May 17, open-source observability platform Grafana Labs disclosed a separate incident where an unauthorized party gained access to its GitHub environment, stealing its codebase in an extortion attempt claimed by a threat group known as CoinbaseCartel.

While the GitHub internal repository breach and the Grafana incident have not been linked, they highlight an escalating trend of threat actors probing central DevOps infrastructure and source code management platforms for vulnerabilities.
