@github A malicious VS Code extension compromised a GitHub employee device.
These extensions run with full access, they can read cloned internal repos and quietly exfiltrate code.
Tip: before installing, verify publisher, read recent reviews, and review permissions.
@github Malicious VS Code extension compromised a GitHub employee device.
These extensions run with full access, they can read cloned internal repos and quietly exfiltrate code.
Tip: before installing, verify publisher, read recent reviews, and review permissions.
@grafana Not a GitHub bug.
They used a risky pull_request_target workflow that ran with high privileges. A malicious PR exploited it to steal a token and download private code (classic "Pwn Request").
Fix: Avoid unsafe pull_request_target, never run untrusted code, Audit your CI/CD!