[Heads Up] GitHub Breach Shows Developer Tools Are Social Engineering Targets
ID: 7aed5d81-d05c-5942-a293-48f7d44fe2a6
STIX ID: report--7aed5d81-d05c-5942-a293-48f7d44fe2a6
Feed Name: KnowBe4 Blog
GitHub disclosed that attackers used a malicious Visual Studio Code extension to compromise an employee device and access GitHub-owned internal repositories (roughly 3,800 by the attacker’s claim). GitHub says customer repositories were not impacted, but the incident highlights a high-risk supply-chain and developer-workflow social engineering problem: developer endpoints can expose source code, secrets, CI/CD and deployment details. The report recommends tighter governance of IDE extensions, inventorying and permissions review, rapid secret rotation, and developer training.
