The Extension Blind Spot: How One VS Code Plugin Gave Attackers GitHub’s Source Code
ID: 4b00e68a-d902-5ca3-9444-267c4a982abe
STIX ID: report--4b00e68a-d902-5ca3-9444-267c4a982abe
Feed Name: Security Boulevard
On May 19, 2026, TeamPCP compromised a GitHub employee via a malicious VS Code extension, exfiltrating 3,800 internal repositories. The report frames this as one event in a rapid campaign targeting developer tooling and IDE extensions, documents prior related compromises, and recommends controls such as allowed-extension policies, extension inventories, credential isolation, and developer workstation monitoring.
