GitHub Internal Repositories Breached via Poisoned VS Code Extension

INDIA — By BharatSecure Threat Intelligence Team

Verdict: Suspicious | Risk Score: 9/10 | Severity: critical

Category: phishing

How GitHub Internal Repositories Breached via Poisoned VS Code Extension Works

GitHub's internal repositories were compromised when an employee installed a malicious Nx Console VS Code extension. This poisoned extension deployed a credential stealer, allowing the 'TeamPCP' group to exfiltrate approximately 3,800 repositories in a short timeframe.

How This Scam Works — Detailed Explanation

The recent breach of GitHub's internal repositories via a poisoned VS Code extension is a stark reminder of the evolving tactics used by attackers. In this incident, the attackers, known as 'TeamPCP', targeted an unsuspecting employee using social engineering techniques to convince them to install the malicious Nx Console extension. This specific attack path highlights the vulnerabilities in software supply chains, where trusted platforms and applications can be exploited. Attackers often scout for employees in tech companies through platforms like LinkedIn, sometimes impersonating colleagues or offering roles that seem credible but ultimately lead to the installation of harmful software.

To lure victims, attackers typically employ psychological tricks that play on trust and urgency. They might present the malicious extension as a 'must-have' tool that boosts productivity or offers functionality developers cannot do without. The lure is strengthened by the use of authentic branding, which makes the malicious extension appear legitimate and safe. In India, where developers widely use VS Code and GitHub, such lures often arrive amid the pressures of remote work, leaving employees more susceptible to quick installations that bypass standard security checks. As urgency builds, the employee fails to verify the extension's source, which leads to a cascading failure in security practices.

Once the malicious extension is installed, the credential stealer goes to work. This stealer captures sensitive data, including login credentials for GitHub and potentially other linked services. For victims in India, the consequences could parallel real-world cases where bank credentials are stolen through similar phishing attempts. For instance, hackers may later execute unauthorized transactions via UPI using the stolen credentials, as in other reported scams where individuals have lost substantial amounts—several lakhs or even crores—to identity theft or unauthorized fraud. Imagine receiving a message from your bank, seemingly legitimate, only to realize hours later that a significant sum has been drained from your account. The ease with which stolen credentials can be used to transfer money via platforms like UPI exacerbates the impact of such breaches.

The fallout from this breach reverberates through the Indian tech community, reinforcing fears about privacy and security when using integrated development environments and version control systems. According to the Cyber Crime Coordination Centre under the Ministry of Home Affairs, India reported losses amounting to ₹2,000 crore in the last fiscal year due to cyber frauds—including scams initiated through phishing and compromised accounts. As costs rise, businesses are urged to enhance their cybersecurity measures, often at the expense of the innovation that drives them.

Telling this scam apart from legitimate communications requires vigilance. Any request to install software, and any link sent via email or messaging platforms like WhatsApp, should be carefully scrutinized. Genuine communications from GitHub or other legitimate service providers will typically contain guidance on safety measures or involve multiple verification layers that encourage due diligence. Always compare the URL of a download link with the official homepage and ensure you’re on a secure HTTPS connection. Such awareness is crucial, particularly in an age where scammers continually refine their tactics to appear indistinguishable from trusted sources.

Visual Intelligence:

BharatSecure's AI has identified this as a used in scams targeting Indian users.

Who Does GitHub Internal Repositories Breached via Poisoned VS Code Extension Target?

General public across India

Red Flags — How to Identify GitHub Internal Repositories Breached via Poisoned VS Code Extension

  • GitHub
  • VS Code extension
  • supply chain attack
  • credential stealer
  • repository breach
  • TeamPCP

What To Do If You Encounter GitHub Internal Repositories Breached via Poisoned VS Code Extension

  1. Report any suspicious activity or signs of phishing to the cybercrime helpline at 1930 or visit cybercrime.gov.in.
  2. Immediately change your passwords for GitHub and any other accounts potentially linked with your GitHub credentials.
  3. Enable two-factor authentication on your GitHub and other critical accounts to add an extra layer of security.
  4. Run antivirus and anti-malware software to ensure your system is free from any compromised files or extensions.
  5. Notify your team or organization’s IT department about the potential breach for immediate response and mitigation.
  6. Regularly monitor your account transactions and notify your bank if you notice any unauthorized activities.
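The following is an added example, not code from BharatSecure, GitHub or the Nx project, showing one way an IT team could act on step 4 above: audit the extensions installed in a developer's VS Code against an approved list, and flag any extension whose name matches an approved one but whose publisher differs, which is how a poisoned copy of a known extension such as Nx Console would typically present. The allowlist entries, the publisher ids and the sample manifests are constructed placeholders; the real Nx Console publisher id is not taken from this page.

```python
"""Audit installed VS Code extensions against an organisation's approved list.

Added example, not code from BharatSecure, GitHub or the Nx project.
VS Code keeps each installed extension in its own folder under
~/.vscode/extensions, each with a package.json manifest carrying
"publisher", "name" and "version". This script classifies every manifest as:
  OK          publisher.name is on the allowlist
  LOOKALIKE   the name matches an approved extension but the publisher differs
  UNAPPROVED  anything else
  NO_MANIFEST the folder has no readable package.json
All publisher ids, extension names and sample manifests are constructed placeholders.
"""
import json
import sys
import tempfile
from pathlib import Path
from typing import Dict, Optional, Tuple

# Constructed allowlist in the marketplace's "publisher.name" form (lower-case).
# "trusted-publisher" is a placeholder, not the real Nx Console publisher id.
APPROVED = {
    "trusted-publisher.nx-console",
    "trusted-publisher.eslint",
}


def read_manifest(ext_dir: Path) -> Optional[dict]:
    """Return the parsed package.json for one extension folder, or None."""
    manifest = ext_dir / "package.json"
    if not manifest.is_file():
        return None
    try:
        data = json.loads(manifest.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return None
    return data if isinstance(data, dict) else None


def classify(manifest: dict, approved=APPROVED) -> str:
    """Compare a manifest's publisher.name with the allowlist."""
    publisher = str(manifest.get("publisher", "")).lower()
    name = str(manifest.get("name", "")).lower()
    if f"{publisher}.{name}" in approved:
        return "OK"
    # Same extension name under a different publisher is the lookalike case.
    approved_names = {entry.split(".", 1)[1] for entry in approved}
    if name in approved_names:
        return "LOOKALIKE"
    return "UNAPPROVED"


def audit_extensions(root: Path, approved=APPROVED) -> Dict[str, Tuple[str, str]]:
    """Map each extension folder name to (publisher.name, verdict)."""
    results: Dict[str, Tuple[str, str]] = {}
    for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        manifest = read_manifest(ext_dir)
        if manifest is None:
            results[ext_dir.name] = ("?", "NO_MANIFEST")
            continue
        ext_id = f"{manifest.get('publisher', '?')}.{manifest.get('name', '?')}".lower()
        results[ext_dir.name] = (ext_id, classify(manifest, approved))
    return results


def build_sample_tree() -> Path:
    """Construct a throwaway extensions folder with three fake manifests."""
    root = Path(tempfile.mkdtemp(prefix="vscode-ext-audit-"))
    samples = {
        "trusted-publisher.nx-console-1.0.0":
            {"publisher": "trusted-publisher", "name": "nx-console", "version": "1.0.0"},
        # Same name as the approved extension, but a different publisher.
        "some-other-account.nx-console-1.0.1":
            {"publisher": "some-other-account", "name": "nx-console", "version": "1.0.1"},
        "random-dev.helper-tool-0.1.0":
            {"publisher": "random-dev", "name": "helper-tool", "version": "0.1.0"},
    }
    for folder, manifest in samples.items():
        (root / folder).mkdir()
        (root / folder / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


if __name__ == "__main__":
    # Pass a real extensions directory as argv[1]; otherwise audit the constructed sample.
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else build_sample_tree()
    for folder, (ext_id, verdict) in audit_extensions(target).items():
        print(f"{verdict:<11} {ext_id:<35} ({folder})")
```

Run it with `~/.vscode/extensions` (or the equivalent directory on Windows) as the argument to audit a real install; a LOOKALIKE or UNAPPROVED verdict is what you would hand to the IT department under step 5. The script only inspects manifests and never executes extension code, so it is safe to run on a machine already suspected of compromise.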

How to Report GitHub Internal Repositories Breached via Poisoned VS Code Extension in India

  • Call 1930 — National Cyber Crime Helpline (24x7)
  • File a complaint at cybercrime.gov.in
  • Contact your bank immediately if money was lost
  • Call RBI helpline: 14440 for banking fraud

Frequently Asked Questions

What should I do if I've installed a malicious extension?
Immediately uninstall the extension and change all relevant passwords. Report to 1930 for further assistance.
How can I recognize if I’ve fallen victim to a scam like this?
Watch for unusual login alerts or unauthorized access on your online accounts, especially sensitive ones.
Where can I report this type of cybercrime in India?
You can report at the cybercrime helpline 1930 or file a report at cybercrime.gov.in.
Is it possible to recover lost money after such a breach?
Contact your bank immediately to report unauthorized transactions and follow their fraud reporting guidelines for recovery options.

Verify Any Suspicious Message

Check any suspicious message, link, or call for free at bharatsecure.app. BharatSecure uses AI to detect scams in real-time and protect Indian users.