
GitHub
Microsoft-owned software development hosting platform and the world's largest code repository, used by over 100 million developers globally.
Last refreshed: 29 May 2026 · Appears in 1 active topic
How did a fake VS Code extension give attackers access to 3,800 GitHub repos?
Timeline for GitHub
GitHub's own code cloned via add-on
Cybersecurity: Threats and Defences
- Was GitHub hacked in 2026?
- In May 2026, an attacker trojanised a VS Code extension and used it to clone roughly 3,800 of GitHub's internal private repositories. GitHub said customer repositories and user data were not affected. Source: GitHub statement, May 2026
- How did UNC6780 get into GitHub?
- UNC6780 published a malicious version of the Nx Console VS Code extension. A GitHub employee installed it, and on startup it cloned internal repositories to an attacker-controlled server. Source: cyber-threats-and-defences Update 416
- Did the GitHub 2026 breach affect customer code?
- GitHub stated that customer repositories, enterprise accounts, and end-user data were not accessed. Only GitHub's own internal private repositories were compromised. Source: GitHub statement, May 2026
- Why are VS Code extensions a security risk?
- Extensions run with full user privileges inside the IDE and can execute arbitrary code, access the filesystem, and make network requests. A trojanised extension installed by a privileged developer can exfiltrate credentials or clone private repositories silently. Source: event
Background
GitHub suffered a significant internal security breach on 18 May 2026 when a GitHub employee installed a trojanised build of the Nx Console VS Code extension (v18.95.0). The malicious code, attributed to the threat group UNC6780, executed on startup and cloned approximately 3,800 of GitHub's internal private repositories within the brief window the extension was live. GitHub confirmed that customer repositories, enterprise accounts, and user data were not accessed.
Founded in 2008 and acquired by Microsoft for $7.5 billion in 2018, GitHub is the world's largest code-hosting platform, serving over 100 million developers and hosting more than 420 million repositories. It is the primary distribution channel for open-source software and the backbone of most commercial software supply chains. Its Visual Studio Marketplace hosts tens of thousands of developer extensions, making it a high-value vector for supply-chain attacks.
The May 2026 incident illustrates that supply-chain threats extend to the development platforms themselves, not only to the software they host. A single malicious extension targeting a privileged insider can yield access equivalent to a direct network compromise. The episode adds to a broader pattern in which developer tooling — package registries, IDE extensions, build systems — is weaponised to reach organisations that maintain otherwise strong perimeter defences.
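Because an extension runs with the developer's full privileges and can execute at startup, one practical control is to audit installed extension manifests on each workstation. The following is an added example, not code from GitHub or from the original page: it reads each extension's `package.json`, reports any extension that matches a flagged build or is missing from an allowlist, and records whether it activates at startup. The `example-pub` publisher, the sample manifests, and matching on `displayName` are assumptions made for illustration.

```python
import json
import tempfile
from pathlib import Path

STARTUP_EVENTS = {"*", "onStartupFinished"}  # activate as soon as VS Code starts
# Flagged (displayName, version) pairs; matching on displayName is an assumption.
FLAGGED = {("Nx Console", "18.95.0")}  # the build named on this page


def audit_extensions(ext_root, allowlist=frozenset(), flagged=FLAGGED):
    """Return findings for extensions that are flagged or not on the allowlist."""
    findings = []
    for manifest in sorted(Path(ext_root).glob("*/package.json")):
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
            events = set(meta.get("activationEvents") or [])
        except (OSError, ValueError, AttributeError, TypeError):
            findings.append({"id": manifest.parent.name, "reasons": ["unreadable manifest"]})
            continue
        ext_id = f"{meta.get('publisher', '?')}.{meta.get('name', '?')}".lower()
        version = str(meta.get("version", "?"))
        reasons = []
        if (str(meta.get("displayName")), version) in flagged:
            reasons.append("flagged build")
        if ext_id not in allowlist:
            reasons.append("not on allowlist")
        if reasons:
            findings.append({"id": f"{ext_id}@{version}", "reasons": reasons,
                             "runs_at_startup": bool(STARTUP_EVENTS & events)})
    return findings


def build_sample(root):
    """Write constructed manifests (hypothetical publisher and names) for a demo."""
    samples = [("linter", "1.2.0", "Example Linter", ["onLanguage:python"]),
               ("console", "18.95.0", "Nx Console", ["onStartupFinished"]),
               ("theme", "0.3.1", "Example Theme", ["*"])]
    for name, version, display, events in samples:
        ext_dir = Path(root) / f"example-pub.{name}-{version}"
        ext_dir.mkdir(parents=True)
        (ext_dir / "package.json").write_text(json.dumps({
            "publisher": "example-pub", "name": name, "version": version,
            "displayName": display, "activationEvents": events}), encoding="utf-8")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for finding in audit_extensions(tmp, allowlist={"example-pub.linter"}):
            print(finding)
```

On a real workstation, point `audit_extensions` at the VS Code extensions directory (by default `~/.vscode/extensions`) and pass your organisation's approved extension IDs as the allowlist.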