GitHub’s Internal Repositories Compromised Through Malicious VS Code Extension
GitHub has confirmed a significant security breach involving its internal repositories, traced back to a compromised employee device infected via a malicious version of the Nx Console extension for Visual Studio Code (VS Code). This incident is part of a broader supply chain attack orchestrated by the cybercriminal group known as TeamPCP, which has also targeted organizations like OpenAI, Mistral AI, and Grafana Labs.
Details of the Breach
The breach was identified when GitHub detected unauthorized access to its internal repositories. Investigations revealed that the source of the intrusion was a poisoned version of the Nx Console extension, specifically the ‘nrwl.angular-console’ package. This extension was compromised after one of its developers’ systems was infiltrated, following the recent TanStack supply chain attack.
Alexis Wales, GitHub’s Chief Information Security Officer, stated, “We have no evidence of impact to customer information stored outside of GitHub’s internal repositories, such as our customer’s own enterprises, organizations, and repositories.” However, she acknowledged that some internal repositories contain customer information, such as excerpts from support interactions. GitHub has committed to notifying affected customers through established incident response and notification channels if any impact is discovered.
Extent of the Attack
The attack enabled TeamPCP to exfiltrate approximately 3,800 repositories. In response, GitHub has taken measures to contain the incident, including rotating critical secrets and enhancing monitoring to detect any follow-on activity.
Jeff Cross, co-founder of Narwhal Technologies, the company behind nx.dev, emphasized the need for fundamental changes in securing developer tools and open-source distribution. He stated, “This incident highlights that there need to be deeper, more fundamental changes to how we and other maintainers need to think about securing developer tooling and open source distribution.”
The Malicious Extension’s Mechanism
The trojanized version of the VS Code extension was available on the Visual Studio Marketplace for a brief period of eighteen minutes on May 18, 2026. Despite this short window, the attackers managed to distribute a credential stealer capable of harvesting sensitive data from various sources, including 1Password vaults, Anthropic Claude Code configurations, npm, GitHub, and Amazon Web Services (AWS).
OX Security researcher Nir Zadok explained that the extension appeared and functioned like the legitimate Nx Console but executed a hidden shell command upon startup. This command downloaded and executed a concealed package from a planted commit on the official nrwl/nx GitHub repository, disguised as a routine MCP setup task to avoid suspicion.
Broader Implications and Related Incidents
This incident underscores the vulnerabilities inherent in the modern software supply chain. TeamPCP has been actively exploiting these vulnerabilities by targeting widely used open-source projects and developer tools. Their strategy involves compromising one trusted tool, stealing credentials from developer systems that install it, and using those credentials to infiltrate subsequent tools.
In a related event, Grafana Labs reported a breach originating from the TanStack npm supply chain attack, which also affected OpenAI and Mistral AI. The attackers gained access to Grafana’s GitHub repositories, including both public and private source code, as well as internal operational information. Grafana has since taken steps to rotate automation tokens, implement enhanced monitoring, and audit all commits for signs of malicious activity.
Furthermore, OpenAI disclosed that two of its employee devices were impacted by the TanStack supply chain attack. While no user data, production systems, or intellectual property were compromised, the incident highlights the pervasive nature of these attacks and the importance of robust security measures.
Recommendations for Developers and Organizations
In light of these incidents, developers and organizations are advised to exercise caution when installing and updating extensions and packages. Security researcher Raphael Silva noted that many extension marketplaces enable auto-update by default, which, while convenient, can be exploited by attackers to push malicious updates directly to users. He emphasized the need for review gates or waiting periods between when an update is published and when installed clients pull it in.
To mitigate risks, it’s recommended to:
– Review and Audit Extensions: Regularly inspect and verify the integrity of extensions and packages before installation.
– Disable Auto-Updates: Consider disabling automatic updates for extensions and manually reviewing updates before applying them.
– Implement Monitoring: Establish monitoring mechanisms to detect unauthorized access or unusual activity within repositories and development environments.
– Rotate Credentials: Regularly rotate access tokens, credentials, and secrets to minimize the impact of potential compromises.
By adopting these practices, developers and organizations can enhance their security posture and reduce the risk of falling victim to supply chain attacks.
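The sketch below shows one way to turn the audit, auto-update and waiting-period recommendations into a repeatable check. It is an added example, not code from GitHub, Nx or the researchers quoted. It assumes a locally maintained pin list, a publish-time inventory and a seven-day window, all hypothetical, and relies on VS Code's `extensions.autoUpdate` setting and its `<publisher>.<name>-<version>` extension folder naming.

```python
import re
from datetime import datetime, timedelta, timezone

# Folders under ~/.vscode/extensions are named "<publisher>.<name>-<version>[-<platform>]".
DIR_RE = re.compile(r"^(?P<id>[^.]+\.[\w-]+?)-(?P<ver>\d+\.\d+\.\d+)(?:-(?P<platform>.+))?$")

def parse_extension_dir(dirname):
    """Return (extension_id, version), or None if the name does not fit the pattern."""
    m = DIR_RE.match(dirname)
    return (m["id"].lower(), m["ver"]) if m else None

def auto_update_findings(settings):
    """Flag a parsed settings dict that lets extensions update without review."""
    # Policy choice: a missing key is treated as enabled, so it must be set to false.
    if settings.get("extensions.autoUpdate", True) is not False:
        return ["extensions.autoUpdate is not set to false"]
    return []

def audit(dir_names, approved, published_at, now, min_age=timedelta(days=7)):
    """Compare installed folders with the pin list and the publish-age gate."""
    findings = []
    for name in dir_names:
        parsed = parse_extension_dir(name)
        if parsed is None:
            findings.append((name, "unrecognised folder name"))
            continue
        ext_id, version = parsed
        if approved.get(ext_id) != version:
            findings.append((name, "version is not on the approved pin list"))
        released = published_at.get(parsed)
        if released is None or now - released < min_age:
            findings.append((name, "publish time unknown or inside waiting period"))
    return findings

# Constructed sample data: versions, times and the pin list are invented for illustration.
NOW = datetime(2026, 5, 18, 13, 0, tzinfo=timezone.utc)
INSTALLED = ["nrwl.angular-console-1.2.3", "ms-python.python-2024.2.1-linux-x64"]
APPROVED = {"nrwl.angular-console": "1.2.2", "ms-python.python": "2024.2.1"}
PUBLISHED = {
    ("nrwl.angular-console", "1.2.3"): NOW - timedelta(minutes=18),
    ("ms-python.python", "2024.2.1"): NOW - timedelta(days=30),
}

if __name__ == "__main__":
    for finding in auto_update_findings({"extensions.autoUpdate": True}):
        print("settings:", finding)
    for name, reason in audit(INSTALLED, APPROVED, PUBLISHED, NOW):
        print(f"{name}: {reason}")
```

In the constructed data, the release that is eighteen minutes old fails both the pin check and the waiting-period check, while the thirty-day-old pinned release passes.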