Github’s Wildest Hack Yet
People, GitHub has been hacked and you will never believe how they were hacked. Oh.

>> [laughter]

>> Oh my gosh. Also, I can't believe that the hackers were able to, you know, hack GitHub. I can't believe GitHub was up long enough for them to even be able to accomplish that. Like, that's kind of crazy. All right, everybody. This is just a developing situation, so this video will have some level of incomplete information, but nonetheless this hack is nuts. What's going on is actually nuts. I did... I don't think I've ever laughed so hard in my entire lifetime than actually going through this thing. So, we're going to walk through... We're going to walk through the timeline. We're going to learn all the details and what actually caused the hack. And trust me, it is cinema. Absolute cinema. But of course, before we begin, the bag. Here at Terminal, we love PlanetScale. We've been using PlanetScale since day one of terminal.shop and had an amazing experience. So, if you want a database you don't have to worry about, choose PlanetScale. Now, back to the video.

Okay, so let's go over the timeline, what has happened, and what led to this disaster, and really what is the disaster. So, first off, this tweet was sent on May 19th, 2026: "We are investigating unauthorized access to GitHub's internal repositories. While we currently have no evidence of impact to customer information stored outside of GitHub's internal repositories, such as our customers' enterprise organization or repositories, we are closely monitoring our infrastructure for follow-up activity." So, this tweet was sent out. Obviously, nobody has any idea what the actual impact is. They're saying, "Hey, we've been hacked, but don't worry, you haven't been hacked." Honestly, feels pretty unbelievable. Personally, I'm going to be going through and probably rolling a lot of my credentials because Shai Hulud has been getting everybody, but this is not Shai Hulud.

Then, about 24 hours later, not even, we see this beautiful little post right here from Team PCP. Please, PCP, please don't... Please don't hack me. I'm just... Please, I'm not worth it. Just trust me. So, PCP writes the following: "Hello again, breached. Hope everyone is doing well. We are..." By the way, crazy way to start off a message. Just like, "Hey, everybody. How are you guys doing? You know, honestly, weather, can you complain about today? No, you can't. Also, hacked the universe. Exciting, no?" Just so good. All right. "We are here today to advertise GitHub source code and internal orgs for sale." Like, they're out there selling this stuff. "No lowball offers will be accepted. Everything for the main platform is there, and I am very happy to send samples to interested buyers to verify the absolute authenticity. There's around 4,000 repos of private code here." Then, gives out some sort of list of repos. "Please, read these carefully to understand what the breach entails. As always, this is not a ransom. We do not care about extorting GitHub. One buyer, and we shred the data on our end. It looks like our retirement is soon, so if no buyer is found, we will leak it for free." So, this is the not-ransom letter. They're just out there like, "Hey, sell it. Someone buy it if you want to be the ones that own GitHub's internal code so you can do whatever hacking you want to do, or we'll just release it for everybody to look at."

Which, by the way, this would be extremely damaging. It's one thing to attempt to hack a server; you have to kind of discover and go through things. Being able to have the complete source code obviously opens up the entire ecosystem to significantly more surface area for attacking. Quite the adventure that could be going on for GitHub here in the coming days, coming months. GitHub has been just absolutely struggling on all fronts. It is crazy to watch this company in real time. Like, we can all sit down and agree that for the last, like, 8 months, no one's been happy about GitHub. Their uptime is absolutely [clears throat] abysmal. I know this status bar is technically incorrect because it takes every form of downtime as actual downtime, but if you do put them all together, it is currently at 86.68%, which again, that doesn't mean you're experiencing that, but that is just nuts. 81 incidences in 90 days. I mean, it's just a daily diary at this point.

Okay, but then 2019 later on, they come out and they give all the details. 6.8 million views. That is just... those are crazy numbers. One: "We are sharing additional details regarding our investigation into unauthorized access to GitHub's internal repository. Yesterday, we detected and contained a compromise of an employee device involving a poisoned VS Code extension." That's cinema. Oh my goodness, I can't even believe this. By the way, in this day and age, I am shook. I am shook. I cannot even remotely fathom the case why anybody would use VS Code at this point. I know that's crazy coming from me. Obviously, A, I... you can see right here. I'm kind of a Neovim boy. Okay, like a little bit of try code come from me. But nonetheless, this whole idea of using VS Code just feels crazy, and there's several reasons for this. One of the most insane parts of VS Code is that you get all these extensions. All these extensions use NPM. They all bundle all these things together. NPM has been a non-stop continuous vector for like the last year of just breach after breach. You installing NPM just greatly increases your chances of getting owned. You running anything from NPM greatly increases the chances of you getting owned. And so, you have an editor. Now, here's the craziest part about VS Code. When you use VS Code,

>> [laughter]

>> you open up every project that effectively contains a dot env file either for your company or for you personally. So, not only are you opening up exactly where all the sensitive information is, you are actually updating and running potentially insecure code continuously on those projects. And the thing that makes it even more wild is VS Code... a lot of these large projects, a lot of these large extensions, they all come with auto-updating. Auto-updating is how you get owned. Like, that is precisely the big problem right now: people keep auto-updating npm and just getting owned immediately. Like, this has happened repetitively over and over again. Hundreds if not thousands of packages, and you have a thing on your computer which is just automating that whole process. VS Code, it's not like extensions are somehow Microsoft-endorsed pieces of code. Anybody can make an extension. It's a marketplace. You don't even have any way to audit what's actually happening in that marketplace without actually going to where it is and reviewing the code yourself. And then even worse, the release doesn't have to match what's in the code base.

I know it's not 2023 anymore. Editor wars don't exist anymore, okay? So, I'm kind of like... Brothers, this is like my civil war. I'm reliving it, okay? I miss the days of arguing over editors and languages instead of today where we're always arguing over models. Like, that's like 90% of developer discourse is like, "Actually, this agent harness is the best. My shaman is actually the best way to do that. I have the secret, most secret, unknown way to use agents, and what I do is the most magical, and I can sell you a course." Whereas back in my day, we used to argue... By the way, back in my day was just 2 years ago. We used to just argue about languages and editors. And if you didn't use Neovim, you're a chump. Like, "Oh man, those are good days. I miss them." And so, this is me reliving it right now. Oh, oh, I... I believe I get to do this just one more time. This is my last time, okay? This is my swan song. This is my last one. I love it.

"We removed the malicious extension and version." By the way, version, notice "version." That means, again, this was a supply chain attack. "Isolated the endpoint and began the incident response immediately. Our current assessment is that the activity involved exfiltration of GitHub's internal repositories only. The attacker's current claims of 3,800 repositories are directionally consistent with our investigation so far." Meaning, this is likely legitimate. What you're seeing here, this could actually just be happening right now. They're just... They literally stole it. They might make some extra money, but they're just in it for the love of the game at this point. They're just going to release it for free. Completely incredible behavior.

Now, this is kind of like my own personal take here. Uh, if all the internal stuff is actually taken, I would be, uh... personally, I am more wary than ever using GitHub as a means to store anything private, cuz I'm not going to lie to you. I have a couple private repositories that contain some environment secrets to make it easy to share. I also store... I've used GitHub secrets. Like, I don't know if GitHub secrets can also be compromised. Like, I have no idea. This whole thing really makes me lose a lot of confidence in GitHub. Like, I was already not very happy just to begin with, but this whole... my goodness. I am not stoked, shall we say?

So, now let's actually get to what caused the hack itself, the poisoned VS Code extension. Savant chat, you're a hero in my book: "Poisoned VS Code extension is a polite way of saying a senior dev installed a random syntax highlighter with 14 downloads because it looked aesthetic." To be fair, it actually wasn't a random syntax highlighter or rainbow squirlies or some sort of Nyan Cat agent-waiting-till-it's-finished-meowing experience. No, no, no, no, no, no, no. It actually was this right here: Nx Console. Uh, turns out supply chain attack. This happened about 3 days ago. There's an article right now going over saying, "Yes, due to auto-update on by default, VS Code, all the VS Code flavors, they're all susceptible to this problem," and this is what actually had GitHub, and including the CEO of NX DevTools right here, saying, "Hey, guess what? Yep, this did happen. This was us. We got supply chain attacked and this led to GitHub effectively being had."

So, obviously a couple big takeaways. Number one, again, I would worry, you know, I would be... I would find a way to turn off auto-updates. I would be a bit more wary of the extensions you use. So, what's the big takeaway? Well, I mean, it's pretty obvious what the big takeaway is. It's you should have used... Come on. Am I that predictable? This was said... oh my gosh, this was said before I'm even recording this. This person already knew. Tego, you already knew I was going to say this. The real answer here: should have used Vim. Okay, hey, the real ones. It does... It does actually hurt a little bit to be this predictable. Like, I can't... I just cannot believe I am that predictable that someone could see around corners and send off a tweet and it's like word for word what I said. The name is the Primeagen.
The video discusses a significant security breach at GitHub, where internal repositories were compromised through a supply chain attack involving a poisoned VS Code extension. The presenter details the timeline of the event, starting with GitHub's initial disclosure and the subsequent offer of the stolen data for sale by the attackers. The breach is attributed to a compromised VS Code extension, highlighting the inherent risks of auto-updating extensions and third-party code in developer environments. The presenter strongly criticizes the security posture of VS Code and uses the incident to advocate for using alternatives like Neovim.