This incident highlights the supply chain risks associated with developer tools like IDE extensions. It demonstrates the importance of rapid incident response, secret rotation, and endpoint isolation in mitigating the impact of a compromised internal environment.
On Monday May 18, we detected and contained a compromise of an employee device involving a poisoned VS Code extension published by a third party. We removed the malicious extension version, isolated the endpoint, and began incident response immediately.
Our current assessment is that the activity involved exfiltration of GitHub-internal repositories only. The attacker’s current claims of ~3,800 repositories are directionally consistent with our investigation so far.
We have no evidence of impact to customer information stored outside of GitHub’s internal repositories, such as our customer’s own enterprises, organizations, and repositories. Some of GitHub’s internal repositories contain information from customers, for example, excerpts of support interactions. If any impact is discovered, we will notify customers via established incident response and notification channels.
We moved quickly to reduce risk. We rotated critical secrets Monday and into Tuesday with the highest-impact credentials prioritized first.
We continue to analyze logs, validate secret rotation, and monitor our infrastructure for any follow-on activity. We will take additional action as the investigation warrants.
We will publish a fuller report once the investigation is complete.
The post Investigating unauthorized access to GitHub-owned repositories appeared first on The GitHub Blog.
Continue reading on the original blog to support the author
Read full articleFalse positives in security tools cause alert fatigue and erode developer trust. By using LLMs to understand code context, GitHub reduces noise by over 75%, ensuring engineers spend time fixing real vulnerabilities rather than triaging non-sensitive strings.
GitHub is rotating its GHES signing key following a cyber-attack to ensure the integrity of future updates. Engineers managing GHES instances must rotate GPG keys immediately to avoid update failures and maintain a secure, verified supply chain for their enterprise infrastructure.
This incident highlights how minor sanitization failures in internal protocols can lead to critical RCE. It underscores the importance of defense-in-depth, showing how removing unused code paths and robust telemetry can mitigate risks and verify the absence of exploitation.
Circular dependencies can paralyze recovery during outages. By using eBPF and cGroups, engineers can enforce network isolation for deployment scripts without impacting production traffic, ensuring that critical infrastructure remains deployable even when primary services are offline.
