GitHub Hack Alert: What You Need to Do With Your API Keys and Credentials Today

GitHub confirmed on Tuesday that attackers gained unauthorized access to its internal repositories after compromising an employee device through a poisoned Visual Studio Code extension. The Microsoft-owned platform detected and contained the compromise, removed the malicious extension, isolated the affected endpoint, and began incident response immediately.

The company said its current assessment is that the breach involved exfiltration of GitHub-internal repositories only. Customer repositories, enterprise organisations, and user data stored outside GitHub’s internal systems are not believed to have been affected.

The Scale of the Breach

GitHub confirmed that the attacker’s claims of approximately 3,800 internal repositories are directionally consistent with its own investigation. Threat group TeamPCP has claimed responsibility for the breach and is reportedly attempting to sell the stolen dataset on underground cybercrime forums for more than $50,000. The group alleges the data includes proprietary platform source code and internal organisation files from roughly 4,000 private repositories.

GitHub said it moved quickly to rotate critical credentials after detecting the breach, prioritising the highest-impact secrets first. The company is continuing to analyse logs, validate secret rotation, and monitor for follow-on activity.

Why Internal Repository Access Is Serious

The company said it has no evidence of impact to customer information stored outside internal repositories. Security researchers noted that the specific phrasing matters. No evidence of impact is not a confirmation that customer data is safe. It means the investigation is ongoing and the full blast radius has not yet been determined.

Internal repositories typically contain infrastructure configurations, deployment scripts, internal API documentation, staging credentials, feature flags, monitoring hooks, and undocumented services. Access to internal source code effectively provides a blueprint of an entire system’s architecture, even without direct access to customer data.

Security professionals also flagged GitHub’s explicit mention of monitoring for follow-on activity as significant. Modern attacks rarely stop at initial access. The standard progression moves from initial foothold through reconnaissance, privilege escalation, persistence, and then a second wave of targeted activity after defenders believe the threat has been contained.

What GitHub Is Doing

GitHub said critical secrets were rotated the same day the breach was detected with the most sensitive credentials addressed first. The company is continuing to monitor infrastructure for any secondary activity and will publish a fuller incident report once the investigation is complete. Customers will be notified through established incident response channels if any impact to their data is discovered.

Developers using GitHub have been advised to review and rotate any API keys stored in repositories as a precaution, even where customer repositories are not believed to have been directly affected.