GitHub Internal Repositories Breached via Poisoned VS Code Extension — How to Identify & Stay Safe
INDIA — By BharatSecure Threat Intelligence Team
Severity: CRITICAL
Beware in 2026: GitHub Internal Repositories Breached via Poisoned VS Code Extension — A Critical Phishing Scam in India
A new, high-risk scam targets Indian tech professionals by compromising GitHub’s internal repositories through a malicious Visual Studio Code extension, putting corporate and personal data at severe risk.
What Is the GitHub Internal Repositories Breached via Poisoned VS Code Extension?
This scam involves attackers breaching GitHub’s internal code repositories by poisoning a popular software development tool: a Visual Studio Code (VS Code) extension. The malicious extension, disguised as the legitimate Nx Console extension, is crafted to infiltrate trusted development environments. A criminal group calling itself 'TeamPCP' remotely convinced employees at organizations that use GitHub and VS Code to install this infected extension.
India's thriving IT sector, with its large pool of software developers working for multinational and domestic firms, is particularly vulnerable to such attacks. With many engineers dependent on VS Code for daily programming tasks, this scam exploits the trust placed in official development tools. Although the scam is still emerging in India, CERT-In (Indian Computer Emergency Response Team) has flagged such supply chain attacks as a rising threat in its alerts over the past years.
The Reserve Bank of India (RBI) and the Indian government’s Integrated Cybercrime Coordination Centre (I4C) have recognized that software supply chain compromises could lead to downstream financial frauds and data leaks, especially if corporate secrets and user credentials are stolen.
How This Scam Works — Step by Step
1. Target Identification: The attackers first research employees at tech companies in India through LinkedIn or other professional networks. They carefully impersonate colleagues or HR recruiters so that their approach seems credible.
2. Social Engineering Contact: The victim receives a message or email offering a new role, project involvement, or collaboration request, all designed to pique interest and lower suspicion. This may come via WhatsApp or professional email.
3. Malicious Extension Offer: The attacker suggests the victim install or update the Nx Console VS Code extension, claiming it is essential for the new task or project.
4. Installation of Poisoned Extension: Believing the request is genuine, the victim downloads and installs the compromised extension. The extension contains hidden code that silently exfiltrates GitHub credentials, API keys, or sensitive code snippets from the victim’s device.
5. Repository Breach: Using the stolen credentials, the attackers gain access to GitHub internal repositories and extract valuable corporate information, proprietary code, or security tokens.
6. Further Exploitation: Criminals could sell the stolen code, use it for ransomware attacks or identity theft, or use it to infiltrate banking apps built on the compromised software lifecycle.
Real Warning Signs to Watch For
- Unexpected messages from supposed colleagues or recruiters over LinkedIn, WhatsApp, or email with urgent project requests.
- Requests to install or update unusual software extensions, especially from unverified sources.
- Communication that urges secrecy or asks not to consult other team members.
- Lack of official company email domains in the sender’s address.
- Grammar or spelling mistakes in professional messages.
- Sudden changes in tone or manner from known contacts.
- Links or download prompts that do not lead to official app marketplaces or repositories.
What Happens to Victims
Victims face not only the loss of sensitive corporate data but also indirect financial losses if their credentials are used to compromise banking or payment platforms like UPI. For example, attackers could use stolen credentials to access confidential projects tied to fintech startups or banks, leading to fraud or blackmail.
Moreover, the emotional toll is heavy — victims suffer trust issues, job insecurity, and possible reputational damage if their accounts are linked to the breach. Aadhaar information stored in developer accounts could also be misused for identity theft, SIM swap fraud, or unauthorized financial transactions.
Reversing such damage is often complex since UPI or bank transactions made through compromised systems may not be eligible for RBI’s reimbursement in certain contexts.
What RBI and CERT-In Say
While there is no specific RBI advisory on this exact scam, the RBI has frequently warned about cybersecurity threats affecting the financial ecosystem and stresses due diligence when installing software linked to banking or UPI systems. CERT-In’s guidelines explicitly advise vigilance over supply chain attacks and recommend using only verified software extensions.
The Indian government’s 1930 cybercrime helpline is available for assistance, alongside reporting cyber incidents at cybercrime.gov.in. The Integrated Cybercrime Coordination Centre (I4C) monitors such evolving threats and collaborates with industry to reduce risks.
How to Protect Yourself
- Verify Every Request: Confirm any message requesting software installation or access with official company channels, ideally in person or via company email.
- Use Official Extension Stores: Download VS Code extensions only from the official Visual Studio Marketplace.
- Enable Multi-Factor Authentication (MFA): Use MFA for all GitHub and corporate accounts.
- Regularly Update Software: Keep operating systems, IDEs, and tools updated to patch vulnerabilities.
- Monitor Account Activity: Regularly check GitHub access logs and payment accounts for suspicious activity.
- Educate Yourself and Teams: Stay informed on social engineering tactics and share advisories within your organization.
- Avoid Clicking Unknown Links: Be wary of unsolicited links, even if sent by known contacts.
What to Do If You’ve Been Targeted
- Immediately uninstall any suspicious VS Code extensions.
- Report the incident to your company’s IT or security team.
- Change all affected passwords and enable MFA.
- Contact your bank or UPI provider to flag suspicious transactions.
- File a complaint on cybercrime.gov.in and call the 1930 cybercrime helpline.
- Inform CERT-In about the breach and provide as much detail as possible for tracking.
- Freeze your Aadhaar-linked SIM if you suspect identity theft or SIM swap fraud.
Frequently Asked Questions
Q: Can this scam lead to direct financial loss in my bank account?
Yes, if attackers steal credentials linked to banking applications or UPI services, they can initiate fraudulent transactions which may result in direct monetary loss.
Q: How can I check if my VS Code extensions are safe?
Only install extensions from the official Visual Studio Marketplace, verify developer credentials, and check user reviews. If unsure, consult your company’s IT security.
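One way to act on this answer is to audit what is actually installed rather than what the Marketplace page shows. The script below is an added example, not code from BharatSecure or the VS Code project; it assumes the layout of ~/.vscode/extensions/extensions.json (an identifier.id per entry and a metadata.source of "gallery" for Marketplace installs) and an assumed publisher ID of nrwl for Nx Console, and flags sideloaded extensions and look-alike names published under a different publisher.

```python
import json
from pathlib import Path

# Constructed allow-list: lower-cased display name -> Marketplace publisher ID.
# The Nx Console entry is an assumption; verify it against the Marketplace
# listing before relying on it.
TRUSTED_PUBLISHERS = {"nx console": "nrwl"}


def audit_extensions(entries):
    """Return (extension_id, reason) findings for suspicious extensions.json entries."""
    findings = []
    for entry in entries:
        ext_id = entry["identifier"]["id"]
        publisher = ext_id.partition(".")[0].lower()
        meta = entry.get("metadata", {})
        # Assumption: Marketplace installs carry metadata.source == "gallery".
        # A missing or different value means a sideloaded VSIX or unknown origin.
        if meta.get("source") != "gallery":
            findings.append((ext_id, "not installed from the Marketplace"))
        expected = TRUSTED_PUBLISHERS.get(entry.get("displayName", "").strip().lower())
        if expected and publisher != expected:
            findings.append((ext_id, f"look-alike name, publisher '{publisher}' != '{expected}'"))
    return findings


def load_entries(extensions_dir):
    """Parse ~/.vscode/extensions/extensions.json and attach each package.json displayName."""
    extensions_dir = Path(extensions_dir)
    entries = json.loads((extensions_dir / "extensions.json").read_text())
    for entry in entries:
        pkg = extensions_dir / entry.get("relativeLocation", "") / "package.json"
        if pkg.is_file():
            entry["displayName"] = json.loads(pkg.read_text()).get("displayName", "")
    return entries


# Constructed sample: one genuine Marketplace install and one sideloaded
# look-alike under a made-up publisher ID.
SAMPLE = [
    {"identifier": {"id": "nrwl.angular-console"}, "version": "18.0.0",
     "metadata": {"source": "gallery"}, "displayName": "Nx Console"},
    {"identifier": {"id": "devtools-hub.nx-console"}, "version": "18.0.1",
     "metadata": {"source": "vsix"}, "displayName": "Nx Console"},
]

if __name__ == "__main__":
    for ext_id, reason in audit_extensions(SAMPLE):
        print(f"[WARN] {ext_id}: {reason}")
```

On a real machine, replace SAMPLE with load_entries(Path.home() / ".vscode" / "extensions") and treat any finding as a prompt to confirm the extension's origin with your security team before continuing to use it.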
Q: What should I do if I receive a suspicious job or project offer message?
Do not respond or click any links. Confirm the legitimacy through official company channels and report the message to your HR or security team immediately.
If you receive any suspicious messages or have doubts about the authenticity of requests related to software or credentials, always verify first at BharatSecure.app — your trusted partner in fighting digital fraud. Stay safe, stay informed!