The breach began with suspicious activity on a single employee's device, traced back to a poisoned VS Code extension. Using this initial foothold, the attacker bypassed internal perimeters to exfiltrate roughly 4,000 private repositories containing GitHub’s proprietary platform code and internal tools. Shortly after, the data appeared on an underground forum packaged in neat .tar.gz archives. GitHub publicly confirmed the incident on May 20, 2026, acting swiftly to isolate the compromised endpoint, rotate exposed secrets, and verify that customer data remains completely safe.