GitHub formally acknowledged on Wednesday that the compromise of its internal repositories was the result of a compromise of an employee’s device involving a poisoned version of the Microsoft Visual Studio Code (VS Code) extension for the Nx Console.
This development comes after the Nx team revealed that the extension nrwl.angular-console was compromised after one of the developer’s systems was hacked following the recent TanStack supply chain attack. Other companies affected by the TanStack breach include OpenAI, Mistral AI, and Grafana Labs.
“We have no evidence that customer information stored outside of GitHub’s internal repositories, such as customers’ own companies, organizations, or repositories, is impacted,” Alexis Wales, GitHub’s chief information security officer, said in a statement.
“Some of GitHub’s internal repositories contain information from our customers, including excerpts from their interactions with support. If we discover any impact, we will notify customers through our established incident response and notification channels.”
The attack is said to have resulted in the threat actor, a cybercriminal group known as TeamPCP, exfiltrating approximately 3,800 repositories. GitHub said it has taken steps to contain the incident and rotated sensitive information, adding that it continues to monitor the situation for follow-up actions.
“This incident highlights the need for deeper and more fundamental changes in how we and other maintainers need to think about the safety of developer tools and open source distribution,” Jeff Cross, co-founder of Narwhal Technologies, the company behind nx.dev, said in a post on X.
“We’re also starting conversations with other prominent open source managers about how we can collaborate on some of the deeper structural issues around software supply chain security. Many of the assumptions that the ecosystem has operated on for years no longer apply.”
In recent months, TeamPCP has rapidly gained notoriety for large-scale software supply chain attacks, particularly targeting widely used open source projects and security-related tools that developers rely on.
It’s worth noting here that the trojanized version of the VS Code extension was only available on the Visual Studio Marketplace for 18 minutes (between 12:30 PM and 12:48 PM UTC on May 18, 2026). However, this short amount of time was enough for the attacker to distribute a credential stealer that could collect sensitive data from 1Password vaults, Anthropic Claude Code configurations, npm, GitHub, and Amazon Web Services (AWS).
“The extension looked and behaved like the regular Nx Console, but upon startup it silently executed a single shell command that downloaded and executed a hidden package from a commit planted in the official nrwl/nx GitHub repository,” said OX Security researcher Nir Zadok. “This command was disguised as a routine MCP setup task to avoid arousing suspicion.”
The interlinked nature of modern software has allowed TeamPCP to unleash a new self-sustaining cycle of compromise. The pattern that drives home this aspect is deceptively simple, yet malicious. It compromises a trusted tool, steals credentials from developer systems on which it might be installed, and uses those credentials to compromise the next legitimate tool.
“All popular extension marketplaces ship with auto-updates turned on by default: VS Code, Cursor, the entire lineup,” said Raphael Silva, Aikido security researcher. “This reasoning makes sense on its own because most developers don’t manually update anything, so leaving it off will leave a long tail of editors running old and vulnerable code.”
“This trade-off loses meaning when you consider a hostile/compromised publisher. Auto-updates give an attacker in control of a release a direct push channel to all machines running that extension. Marketplaces don’t impose review gates or waiting periods between when an update is published and when installed clients pick it up.”
Source link
