Ethical Hacking News
A malicious version of the Nx Console VS Code extension was used to breach 3,800 internal repositories at GitHub, exposing sensitive data. The attack is attributed to the TeamPCP threat group and highlights the ongoing concerns about the security of developer code platforms.
GitHub was breached by hackers who exploited a malicious Nx Console VS Code extension. The breach exposed 3,800 internal repositories and is attributed to the TeamPCP threat group. The attack used a compromised Visual Studio Code (VS Code) extension that deployed malware to steal credentials and secrets. The incident highlights the vulnerability of GitHub's cloud-based platform and the need for developers to be vigilant about the extensions they install. The breach is part of a larger trend of supply-chain attacks targeting developer code platforms, including PyPI, NPM, and Docker.
In a shocking turn of events, GitHub has revealed that it was breached by hackers who exploited a malicious version of the Nx Console VS Code extension, which was compromised in last week's TanStack npm supply-chain attack. The breach, which exposed 3,800 internal repositories, is attributed to the TeamPCP threat group and highlights the ongoing concerns about the security of developer code platforms.
According to GitHub CISO Alexis Wales, who did not disclose the extension's name, the breach resulted from an employee installing a malicious Visual Studio Code (VS Code) extension. The malicious extension, which was available on the Visual Studio Marketplace for approximately 18 minutes and on OpenVSX for another 36 minutes, deployed a payload designed to steal credentials and secrets for a wide range of platforms, including npm, AWS, Kubernetes, GitHub, and GCP/Docker.
The incident is particularly egregious given that it follows a recent supply-chain attack targeting TanStack and Mistral AI npm packages. The TeamPCP threat group has previously been linked to other major supply-chain attacks targeting developer code platforms, including PyPI, NPM, GitHub, and Docker. More recently, the group was also linked to the "Mini Shai-Hulud" supply-chain campaign, which affected two OpenAI employees.
The breach highlights the vulnerability of GitHub's cloud-based platform, which is used by over 4 million organizations, including 90% of Fortune 100 companies, and over 180 million developers who contribute to more than 420 million code repositories. It also underscores the need for developers to be vigilant about the extensions they install and to regularly rotate critical secrets to prevent attacks like this from occurring.
The incident has sparked an investigation by GitHub, which has secured the compromised device and is continuing to analyze logs, validate secret rotation, and monitor its infrastructure for any follow-on activity. The TeamPCP threat group is currently asking for at least $50,000 for the stolen data, highlighting the potential financial gains that hackers can achieve through such attacks.
In recent years, multiple other malicious VS Code extensions with millions of installs have snuck onto the official VS Code marketplace and have been used to steal developer credentials and other sensitive data. Last year, several VS Code extensions with 9 million installs were removed due to security risks, including 10 that infected users with the XMRig cryptominer. A malicious extension with basic ransomware capabilities was also spotted on the VS Code marketplace after a threat actor named WhiteCobra flooded it with 24 crypto-stealing extensions.
The incident serves as a reminder of the importance of staying informed about security risks and taking steps to protect oneself from them. Developers should regularly check for updates and patches, use reputable sources when installing software, and be cautious when clicking on links or downloading attachments from unknown sources.
The breach also highlights the need for developers to prioritize security in their codebases. Using reputable libraries and frameworks, implementing secure coding practices, and keeping dependencies up-to-date can help prevent attacks like this from occurring. Additionally, organizations should consider investing in robust security measures, such as penetration testing and vulnerability assessments, to identify and address potential weaknesses before they can be exploited by hackers.
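One concrete way to act on the advice above about being vigilant over installed extensions is to audit a developer machine against a pinned allowlist. The script below is an added example, not code from the article, GitHub or the Nx project: it parses the output of `code --list-extensions --show-versions` (lines of the form `publisher.name@version`) and flags extensions that are not allowlisted or that drift from an approved version. The allowlist and the sample listing are constructed placeholders.

```python
import subprocess

# Constructed allowlist (placeholder ids): extension id -> approved versions.
ALLOWLIST = {
    "publisher.approved-linter": {"2.4.1"},
    "publisher.approved-theme": {"1.0.0", "1.0.1"},
}

# Constructed sample of `code --list-extensions --show-versions` output.
SAMPLE_LISTING = """\
publisher.approved-linter@2.4.1
publisher.approved-theme@1.0.3
unknownpub.surprise-tool@0.0.9
"""


def parse_listing(text):
    """Turn 'id@version' lines into (id, version) pairs; blank lines are skipped.
    Marketplace ids are case-insensitive, so ids are normalised to lower case."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ext_id, sep, version = line.rpartition("@")
        if not sep:  # no version printed; keep the id, empty version
            ext_id, version = line, ""
        pairs.append((ext_id.lower(), version))
    return pairs


def audit(pairs, allowlist=ALLOWLIST):
    """Return findings: ids not on the allowlist, and (id, version) drift."""
    findings = {"unknown": [], "version_drift": []}
    for ext_id, version in pairs:
        if ext_id not in allowlist:
            findings["unknown"].append(ext_id)
        elif version not in allowlist[ext_id]:
            findings["version_drift"].append((ext_id, version))
    return findings


def installed_extensions():
    """Query the local VS Code CLI; returns [] if `code` is unavailable."""
    try:
        out = subprocess.run(["code", "--list-extensions", "--show-versions"],
                             capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return []
    return parse_listing(out)


if __name__ == "__main__":
    result = audit(installed_extensions() or parse_listing(SAMPLE_LISTING))
    for ext_id in result["unknown"]:
        print(f"NOT ALLOWLISTED: {ext_id}")
    for ext_id, version in result["version_drift"]:
        print(f"VERSION DRIFT: {ext_id}@{version}")
```

Run against a real workstation, any "NOT ALLOWLISTED" or "VERSION DRIFT" line is a prompt to review the extension and, if it was installed during a short-lived marketplace compromise like the one described here, to rotate the secrets that machine could reach.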
In conclusion, the breach of 3,800 internal repositories at GitHub highlights the ongoing threats faced by developer code platforms and emphasizes the importance of prioritizing security in software development. By staying informed about security risks, taking steps to protect oneself from them, and prioritizing security in codebases, developers can help prevent attacks like this from occurring.
Related Information:
https://www.ethicalhackingnews.com/articles/Github-Repro-Bazaar-How-a-Malicious-Npm-Supply-Chain-Attack-Exposed-3800-Internal-Repositories-ehn.shtml
https://www.bleepingcomputer.com/news/security/github-links-repo-breach-to-tanstack-npm-supply-chain-attack/
Published: Thu May 21 03:14:41 2026 by llama3.2 3B Q4_K_M