GitHub’s Wildest Hack Yet

The PrimeTime | 00:10:43 | May 22, 2026
The host outlines the unfolding incident, noting unauthorized access to GitHub internal repositories and the uncertainty of the impact on customers.

A wild, unscripted breakdown of GitHub’s 2026 breach, the poisoned VS Code extension that sparked it, and the messy consequences for developers’ trust.

Summary

The PrimeTime’s host lays out a chaotic timeline of GitHub’s internal-security scare, highlighting how quickly things escalated from an unauthorized access claim to a full-blown supply-chain nightmare. He zeroes in on the poisoned VS Code extension attack, specifically NX Console, which allegedly allowed access to internal repositories. Through a mix of commentary and reactions, he riffs on the state of GitHub’s uptime, the drama around the PCP leak post, and the broader implications of auto-updating npm packages inside editors like VS Code. He interjects personal opinions about editor wars, Neovim vs. VS Code, and the fragility of npm ecosystems, all while stressing practical caution: consider disabling auto-updates and scrutinizing popular extensions. The video also features a humorous aside about the inevitability of Vim in a world of supply-chain attacks, ending with the host playfully pre-empting a future “predictable” punchline about editors. Overall, it’s a brisk, opinionated recap that blends incident breakdown with personal tech humor.

Key Takeaways

  • Auto-update-enabled VS Code extensions can propagate supply-chain compromises quickly, as shown by the GitHub breach tied to NX Console.
  • The attacker claimed to have access to thousands of private repositories, underscoring the potential surface area when internal code is exposed.
  • GitHub publicly traced the incident to a poisoned extension on the VS Code ecosystem, illustrating how development tools can become attack vectors.
  • Discussions around uptime and reliability for GitHub during and after the incident reflect ongoing user frustration with platform stability.
  • Developers should reassess credential handling and secret storage when using version-controlled repos, given the risk of exfiltration from compromised environments.
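
An added example (not from the video or from GitHub's statements) that checks a VS Code user settings file for the auto-update behaviour described in the takeaways above. The sample settings text is constructed; `extensions.autoUpdate` and `extensions.autoCheckUpdates` are VS Code setting names, and the helper function names are hypothetical.

```python
import json
import re

# Constructed sample of a VS Code user settings.json. VS Code reads this file
# as JSONC (comments, trailing commas), which plain json.loads() rejects.
SAMPLE_SETTINGS = """
{
  // the proxy URL below contains a double slash inside a string literal
  "http.proxy": "http://proxy.example:8080",
  "extensions.autoCheckUpdates": true, /* left at its default */
}
"""

_STRING = r'"(?:\\.|[^"\\])*"'

def _drop(pattern, text):
    # Delete matches of `pattern`, copying string literals through untouched.
    return re.sub(_STRING + "|" + pattern,
                  lambda m: m.group(0) if m.group(0)[0] == '"' else "",
                  text, flags=re.S)

def load_jsonc(text):
    text = _drop(r"//[^\n]*|/\*.*?\*/", text)   # line and block comments
    text = _drop(r",(?=\s*[}\]])", text)        # trailing commas
    return json.loads(text)

# Settings that control extension updates, with the value VS Code applies
# when the key is absent (both default to on).
UPDATE_KEYS = {"extensions.autoUpdate": True, "extensions.autoCheckUpdates": True}

def audit_auto_update(settings):
    """Return (key, effective_value, explicit) for each update setting not set to false."""
    findings = []
    for key, default in UPDATE_KEYS.items():
        value = settings.get(key, default)
        if value is not False:
            findings.append((key, value, key in settings))
    return findings

if __name__ == "__main__":
    for key, value, explicit in audit_auto_update(load_jsonc(SAMPLE_SETTINGS)):
        origin = "set explicitly" if explicit else "default, key absent"
        print(f"{key} = {value!r} ({origin})")
```

A missing key is reported as a finding because the default applies, which is the case the video warns about. With both settings off, extension updates become a deliberate step, so security fixes need a scheduled manual review to still land.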

Who Is This For?

Developers and DevOps teams who rely on GitHub and VS Code, security practitioners evaluating supply-chain risks, and anyone interested in how editor ecosystems can become attack surfaces.

Notable Quotes

"Hello again, breached. Hope everyone is doing well. We are here today to advertise GitHub source code and internal orgs for sale."
The attacker’s message illustrates the scale of the breach and the chilling confidence in exposing private code.
"This is cinema. Absolute cinema."
The host emphasizes how unbelievable the incident feels, setting the tone for the video’s energized narration.
"Auto updating is how you get owned."
A pointed critique of VS Code extensions and the broader risk of automatic updates in software supply chains.
"We removed the malicious extension and version."
Reference to the immediate incident response step that isolates the compromised endpoint.
"The real answer here should have used Vim."
The host leans into editor-war humor while making a practical point about risk in modern IDEs.

Questions This Video Answers

  • How did GitHub's 2026 breach occur through a poisoned VS Code extension?
  • What is NX Console and why did it become a supply-chain attack vector?
  • What are best practices to protect internal repos after a GitHub incident?
  • Can auto-updating VS Code extensions lead to security breaches, and how can I mitigate it?
  • What steps should developers take to secure secrets when using GitHub for private repos?

Tags: GitHub breach 2026, Poisoned VS Code extension, NX Console supply-chain attack, VS Code auto-update security, Internal repository exfiltration, Editor ecosystem vulnerabilities, npm security risks, Software supply chain security

Full Transcript
People, GitHub has been hacked and you will never believe how they WERE HACKED. OH. [laughter] OH MY GOSH. ALSO, I CAN'T believe that the hackers were able to, you know, hack GitHub. I can't believe GitHub was up long enough for them to even be able to accomplish that. Like that's kind of crazy. All right, everybody. This is just a developing situation, so this video will have some level of incomplete information, but nonetheless this hack is nuts. What's going on is actually nuts. I did I don't think I've ever laughed so hard in my entire lifetime than actually going through this thing. So, we're going to walk through We're going to walk through the timeline. We're going to learn all the details and what actually caused the hack. And trust me, it is cinema. Absolute cinema. But of course, before we begin the bag. Here at Terminal, we love PlanetScale. We've been using PlanetScale since day one of terminal.shop and had an amazing experience. So, if you want a database you don't have to worry about, choose PlanetScale. Now, back to the video. Okay, so let's go over the timeline, what has happened, and what led to this disaster and really what is the disaster. So, first off, this tweet was sent on May 19th, 2026. We are investigating unauthorized access to GitHub's internal repositories. While we currently have no evidence of impact to customer information stored outside of GitHub's internal repositories, such as our customers' enterprise organization or repositories, we are closely monitoring our infrastructure for follow-up activity. So, this tweet was sent out. Obviously, nobody has any idea what the actual impact is. They're saying, "Hey, we've been hacked, but don't worry, you haven't been hacked." Honestly, feels pretty unbelievable. Personally, I'm going to be going through and probably rolling a lot of my credentials because Shai Hulud has been getting everybody, but this is not Shai Hulud.
Then, about 24 hours later, not even, we see this beautiful little post right here from Team PCP. Please, PCP, please don't Please don't hack me. I'm just Please, I'm not worth it. Just trust me. So, PCP writes the following: "Hello again, breached. Hope everyone is doing well. We are" By the way, crazy way to start off a message. Just like, "Hey, everybody. How are you guys doing? You know, honestly, weather can you complain about today? No, you can't." "Also, hacked the universe. Exciting, no?" Just so good. All right. "We are here today to advertise GitHub source code and internal orgs for sale." Like, they're out there selling this stuff. "No lowball offers will be accepted. Everything for the main platform is there, and I am very happy to send samples to interested buyers to verify the absolute authenticity. There's around 4,000 repos of private code here." Then, gives out some sort of list of repos. "Please, read these carefully to understand what the breach entails. As always, this is not a ransom. We do not care about extorting GitHub. One buyer, and we shred the data on our end. It looks like our retirement is soon, so if no buyer is found, we will leak it for free." So, this is the not ransom letter. They're just out there like, "Hey, sell it. Someone buy it if you want to be the ones that own GitHub's internal code so you can do whatever hacking you want to do, or we'll just release it for everybody to look at." Which, by the way, this would be extremely damaging. It's one thing to attempt to hack a server, you have to kind of discover and go through things. Being able to have the complete source code obviously opens up the entire ecosystem to significantly more surface area for attacking. Quite the adventure that could be going on for GitHub here in the coming days, coming months. GitHub has been just absolutely struggling on all fronts. It is crazy to watch this company in real time. 
Like, we can all sit down and agree that for the last, like, 8 months, no one's been happy about GitHub. Their uptime is absolutely [clears throat] abysmal. I know this status bar is technically incorrect because it takes every form of downtime as actual downtime, but if you do put them all together, it is currently at 86.68%, which again, that doesn't mean you're experiencing that, but that is just nuts. 81 incidences in 90 days. I mean, it's a just a daily diary at this point. Okay, but then 2019 later on, they come out and they give all the details. 6.8 million views. That is just those are crazy numbers. One, we are sharing additional details regarding our investigation into unauthorized access to GitHub's internal repository. Yesterday, we detected and contained a compromise of an employee device involving a poisoned VS Code extension. That's cinema. Oh my goodness, I can't even believe this. By the way, in this day and age, I am shook. I am shook. I cannot even remotely fathom the case why anybody would use VS Code at this point. I know that's crazy coming from me. Obviously, A, I you can see right here. I'm kind of a Neovim boy. Okay, like a little bit of try code come from me. But nonetheless, this whole idea of using VS Code just feels crazy, and there's several reasons for this. One of the most insane parts of VS Code is that you get all these extensions. All these extensions use NPM. They all bundle all these things together. NPM has been a non-stop continuous vector for like the last year of just breach after breach. You installing NPM just greatly increases your chances of getting owned. You running anything from NPM greatly increases the chances of you getting owned. And so, you have an editor. Now, here's the the craziest part about VS Code. When you use VS Code, you open up every project that effectively contains a dot env file either for your company or for you personally. 
So, not only are you opening up exactly where all the sensitive information is, you are actually updating and running potentially insecure code continuously on those projects. And the things that make it even more wild is VS Code a lot of a lot of these large projects, a lot of these large extensions, they all come with auto updating. Auto updating is how you get owned. Like that is precisely the big problem right now is people keep auto updating npm and just just getting owned immediately. Like this has happened repetitively over and over again. Hundreds if not thousands of packages and you have a thing on your computer in which is just automating that whole process. VS Code, it's not like extensions are somehow Microsoft endorsed pieces of code. Anybody can make an extension. It's a marketplace. You don't even have any way to audit what's actually happening in that marketplace without actually going to where it is and reviewing the code yourself. And then even worse, the release doesn't have to match what's in the code base. I know it's not 2023 anymore. Editor wars don't exist anymore, okay? So, I'm kind of like Brothers, this is like my civil war. I'm reliving it, okay? I miss the days of arguing over editors and languages instead of today where we're always arguing over models. Like that's like 90% of developer discourse is like, "Actually, this agent harnesses the best. My shaman is the actually the best way to do that. I have the secret most secret unknown way to use agents and what I do is the most magical and I can sell you a course." Whereas back in my day, we used to argue By the way, back in my day was just 2 years ago. We used to just argue about languages and editors. And if you didn't use Neovim, you're a chump. Like, "Oh man, those are good days. I miss them." And so, this is me reliving it right now. Oh, oh I I believe I get to do this just just one more time. This is my last time, okay? This is my swan song. This is my last one. I love it.
We removed the malicious extension and version. By the way, version, notice version. That means again, this was a supply chain attack. Isolated the endpoint and began the incident response immediately. Our current assessment is that the activity involved exfiltration of GitHub's internal repositories only. The attacker's current claims of 3,800 repositories are directionally consistent with our investigation so far. Meaning, this is likely legitimate. What you're seeing here, this could actually just be happening right now. They're just They literally stole it. They might make some extra money, but they're just in it for the love of the game at this point. They're just going to release it for free. Completely incredible behavior. Now, this is kind of like my own personal take here. Uh if all the internal stuff is is actually taken, I would be uh personally, I am more wary than ever using GitHub as a means to store anything private cuz I'm not going to lie to you. I have a couple private repositories that contain some environment secrets to make it easy to share. I also store I've used GitHub secrets. Like, I don't know if GitHub secrets can also be compromised. Like, I have no idea. This whole thing really makes me lose a lot of confidence in GitHub. Like, I was already not very happy just to begin with, but this whole my goodness. I am not stoked, shall we say? So, now let's actually get to what caused the hack itself, the poisoned VS Code extension. Savant chat, you're a hero in my book. Poisoned VS Code extension is a polite way of saying a senior dev installed a random syntax highlighter with 14 downloads because it looked aesthetic. To be fair, it actually wasn't a random syntax highlighter or rainbow squirlies or some sort of nine cat agent waiting till it's finished meowing experience. No, no, no, no, no, no, no. It actually was this right here. NX Console. Uh turns out supply chain attack. This happened about 3 days ago.
There's an article right now going over saying, "Yes, due to auto update on by default, VS Code, all the VS Code flavors, they're all susceptible to this problem and this is what actually had GitHub," and including the CEO of NX DevTools right here, saying, "Hey, guess what? Yep, this did happen. This was us. We got supply chain attacked and this led to GitHub effectively being had." So, obviously a couple big takeaways. Number one, again, I would worry, you know, I would be I would find a way to turn off auto auto updates. I would be a bit more wary of the extensions you use. So, what's the big takeaway? Well, I mean, it's pretty obvious what the big takeaway is. It's you should have used Come on. AM I THAT PREDICTABLE? THIS WAS SAID OH MY GOSH, THIS WAS SAID BEFORE I'M EVEN recording this. This person already knew. Tego, you already knew I was going to say this. The real answer here should have used Vim. Okay, hey, the real ones. It does It does actually hurt a little bit to be this predictable. Like I can't I just cannot believe I am that predictable that someone could see around corners and send off a tweet and it's like word for word what I said. The name is the Primagen.
