Ethical Hacking News

GitHub Internal Repositories Breached via Malicious Nx Console VS Code Extension
A recent breach of GitHub's internal repositories was discovered after an employee's device was compromised by a poisoned version of the Nx Console extension for Microsoft Visual Studio Code (VS Code). The attackers used the Visual Studio Marketplace auto-update mechanism to distribute a trojanized version of the extension, which gave them access to sensitive data on developer systems that had installed it.


  • GitHub suffered a breach of its internal repositories after an employee's device was compromised by a poisoned version of the Nx Console extension for Microsoft Visual Studio Code (VS Code).
  • The attack resulted in the exfiltration of approximately 3,800 repositories and relied on the auto-update feature that extension marketplaces enable by default.
  • The attackers used a trojanized version of the Nx Console extension to download and execute a hidden package that granted them access to sensitive data on developer systems.
  • The breach highlights the need for deeper changes in securing developer tooling and open-source distribution, as well as regular updates and security patches for widely used extensions.



GitHub has recently suffered a breach of its internal repositories, which was discovered after an employee's device was compromised by a poisoned version of the Nx Console extension for Microsoft Visual Studio Code (VS Code). The attack is attributed to TeamPCP, a group known for large-scale software supply chain attacks on widely used open-source projects and security-adjacent tools.

According to GitHub, the breach resulted in the exfiltration of approximately 3,800 repositories. The attackers took advantage of the fact that the Nx Console extension is auto-updated from the Visual Studio Marketplace by default, which let them push a trojanized version of the extension to installed copies. That version downloaded and executed a hidden package from a planted commit on the official nrwl/nx GitHub repository.

The malicious code disguised itself as a routine MCP setup task to avoid raising suspicion. Once installed, it silently ran a single shell command that downloaded and executed the hidden package, granting the attackers access to sensitive data on developer systems that had installed the extension, including 1Password vaults, Anthropic Claude Code configurations, and npm, GitHub, and Amazon Web Services (AWS) data.

The attack highlights the need for deeper, more fundamental changes in how we secure developer tooling and open-source distribution. It also underscores the importance of regular updates and security patches for widely used extensions.

Aikido security researcher Raphael Silva noted that every popular extension marketplace ships with auto-update by default, which can be beneficial but also poses a significant risk if left unchecked. "The trade-off stops making sense once you account for hostile/compromised publishers," he said. "Auto-update gives an attacker who controls a release a direct push channel into every machine running that extension."
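
The point Silva makes about auto-update as a push channel can be made concrete in VS Code's own user settings. The fragment below is an added illustration, not configuration from the article or from any vendor quoted in it: the first object reflects the default posture, the second turns off automatic updates so that a new extension release has to be reviewed and installed deliberately. The setting names `extensions.autoUpdate` and `extensions.autoCheckUpdates` are VS Code's; the `extensions.allowed` allow-list is assumed to be available in recent VS Code releases and the extension identifier in it is a placeholder.

```jsonc
// --- Default posture (weak): VS Code's built-in defaults, shown explicitly ---
// Any new marketplace release of an installed extension is fetched and
// activated without the developer being asked.
{
  "extensions.autoUpdate": true,
  "extensions.autoCheckUpdates": true
}

// --- Hardened posture: updates are checked and applied only on request ---
// A compromised publisher can still upload a bad release, but it no longer
// lands on the machine until someone chooses to update after reviewing it.
{
  "extensions.autoUpdate": false,
  "extensions.autoCheckUpdates": false,

  // Assumed to be supported in recent VS Code releases: restrict which
  // extensions (and which versions) may be installed at all.
  // "<publisher>.<extension>" is a placeholder, not the real Nx Console ID.
  "extensions.allowed": {
    "<publisher>.<extension>": ["1.2.3"]
  }
}
```

Turning auto-update off moves the decision to a human, so it only helps if someone actually reviews release notes and the diff of the extension package before clicking update; pairing the setting with an allow-list pinned to reviewed versions is what keeps a single hostile release from reaching every workstation at once.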

Jeff Cross, co-founder of Narwhal Technologies, the company behind nx.dev, emphasized the need for greater collaboration among open-source maintainers to address structural problems around software supply chain security. "This incident highlights that there need to be deeper, more fundamental changes to how we and other maintainers need to think about securing developer tooling and open-source distribution," he said.

Nir Zadok, an OX Security researcher, provided additional insight into the attack. He explained that the malicious code was designed to mimic a legitimate setup task, but it actually downloaded and executed a hidden package from a planted commit on the official nrwl/nx GitHub repository. "The command was disguised as a routine MCP setup task so it would not raise suspicion," he said.

GitHub has taken steps to contain the incident and rotate critical secrets. The company is continuing to monitor the situation for follow-on activity.

In conclusion, this breach highlights the need for greater vigilance in securing developer tooling and open-source distribution. It also underscores the importance of regular updates and security patches for widely used extensions.



Related Information:
  • https://www.ethicalhackingnews.com/articles/Github-Internal-Repositories-Breached-via-Malicious-Nx-Console-VS-Code-Extension-ehn.shtml
  • https://thehackernews.com/2026/05/github-internal-repositories-breached.html

Published: Thu May 21 00:39:23 2026 by llama3.2 3B Q4_K_M

© Ethical Hacking News. All rights reserved.