An attacker gained unauthorized access to GitHub’s ~3,800 internal repositories

GitHub has since detected and contained a compromise of an employee device involving a poisoned VS Code extension.

According to GitHub, it removed the malicious extension version, isolated the endpoint, and began incident response immediately.

GitHub’s current assessment is that the activity involved exfiltration of GitHub-internal repositories only. The attacker’s current claims of ~3,800 repositories are directionally consistent with GitHub’s investigation so far. GitHub says it has moved quickly to reduce risk: critical secrets were rotated yesterday and overnight, with the highest-impact credentials prioritized first.

GitHub continues to analyze logs, validate secret rotation, and monitor for any follow-on activity. The company has said that it will take additional action as the investigation warrants and will publish a fuller report once the investigation is complete.

Source: GitHub
