{"id":16453,"date":"2026-06-01T10:48:06","date_gmt":"2026-06-01T17:48:06","guid":{"rendered":"https:\/\/mattfife.com\/?p=16453"},"modified":"2026-05-30T10:50:59","modified_gmt":"2026-05-30T17:50:59","slug":"hackers-increasingly-using-vs-code-extensions","status":"publish","type":"post","link":"https:\/\/mattfife.com\/?p=16453","title":{"rendered":"Hackers increasingly using VS Code extensions"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">The TeamPCP hacker group on the Breached cybercrime forum <a href=\"https:\/\/www.tomshardware.com\/tech-industry\/cyber-security\/hacker-group-hits-3-800-internal-github-repositories-via-poisoned-developer-plugin-teampcp-claims-source-code-theft-and-attempts-usd50-000-sale-employee-installed-malicious-vs-code-extension\" data-type=\"link\" data-id=\"https:\/\/www.tomshardware.com\/tech-industry\/cyber-security\/hacker-group-hits-3-800-internal-github-repositories-via-poisoned-developer-plugin-teampcp-claims-source-code-theft-and-attempts-usd50-000-sale-employee-installed-malicious-vs-code-extension\">claimed it had gained access to nearly 4,000 private GitHub repositories<\/a> via the breach. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">GitHub has officially confirmed, via an\u00a0<a href=\"https:\/\/x.com\/github\/status\/2056949169701720157\" target=\"_blank\" rel=\"noreferrer noopener\">X post<\/a>\u00a0today, that thousands of its internal repositories were breached after an employee&#8217;s device was compromised through a malicious Visual Studio Code extension.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The group alleged that it had exfiltrated internal source code and other private data, and stated that it was seeking at least $50,000 from potential buyers for the stolen material. \u201cThis is not a ransom,\u201d the group wrote in its post, adding that it intended to sell the data rather than extort GitHub directly, and threatening to leak the repositories publicly if no buyer emerged.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">TeamPCP has previously been linked to several high-profile campaigns involving platforms such as GitHub, PyPI, npm, and Docker. At the same time,&nbsp;<a href=\"https:\/\/www.tomshardware.com\/tech-industry\/cyber-security\/hacker-injects-malicious-potentially-disk-wiping-prompt-into-amazons-ai-coding-assistant-with-a-simple-pull-request-told-your-goal-is-to-clean-a-system-to-a-near-factory-state-and-delete-file-system-and-cloud-resources\" target=\"_blank\" rel=\"noreferrer noopener\">malicious VS Code extensions<\/a>&nbsp;have repeatedly surfaced in recent years as an increasingly effective vector for breaches and malware delivery.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The TeamPCP hacker group on the Breached cybercrime forum claimed it had gained access to nearly 4,000 private GitHub repositories via the breach. GitHub has officially confirmed, via an\u00a0X post\u00a0today, that thousands of its internal repositories were breached after an employee&#8217;s device was compromised through a malicious Visual Studio Code extension. The group alleged that it had exfiltrated internal source code and other private data, and stated that it was seeking at least $50,000 from potential buyers for the stolen&#8230;<\/p>\n<p class=\"read-more\"><a class=\"btn btn-default\" href=\"https:\/\/mattfife.com\/?p=16453\"> Read More<span class=\"screen-reader-text\">  Read More<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2},"jetpack_post_was_ever_published":false},"categories":[9,5],"tags":[],"class_list":["post-16453","post","type-post","status-publish","format-standard","hentry","category-cool","category-technical"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p4WECr-4hn","jetpack-related-posts":[],"_links":{"self":[{"href":"https:\/\/mattfife.com\/index.php?rest_route=\/wp\/v2\/posts\/16453","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mattfife.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mattfife.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mattfife.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/mattfife.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=16453"}],"version-history":[{"count":2,"href":"https:\/\/mattfife.com\/index.php?rest_route=\/wp\/v2\/posts\/16453\/revisions"}],"predecessor-version":[{"id":16455,"href":"https:\/\/mattfife.com\/index.php?rest_route=\/wp\/v2\/posts\/16453\/revisions\/16455"}],"wp:attachment":[{"href":"https:\/\/mattfife.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=16453"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mattfife.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=16453"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mattfife.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=16453"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}