DEV Community

Deepak Sharma


GitHub Internal Repositories Breached Through Malicious Nx Console VS Code Extension

GitHub has confirmed that the recent breach of its internal repositories was linked to a compromised employee device infected through a poisoned version of the Nx Console Visual Studio Code extension. The incident highlights how trusted developer tools can become powerful attack paths when attackers compromise software supply chains.

The malicious extension, published under the identifier nrwl.angular-console, was reportedly trojanized after a developer system connected to the Nx project was compromised in the wake of the recent TanStack supply chain attack. The broader campaign has also impacted several well-known technology companies, showing how one compromise can quickly spread across connected developer ecosystems.

GitHub said its current investigation found no evidence that customer repositories, enterprises, organizations, or customer data stored outside GitHub’s internal repositories were affected. However, some internal repositories may contain limited customer-related information, such as excerpts from support interactions. GitHub said it will notify affected customers through official channels if any impact is confirmed.

The attack is believed to have allowed the threat actor known as TeamPCP to exfiltrate around 3,800 internal repositories. GitHub has since contained the incident, rotated critical secrets, and continues to monitor for follow-on activity.

What makes this case especially concerning is the short exposure window. The trojanized extension was reportedly available on the Visual Studio Marketplace for only 18 minutes, yet that was enough time to distribute a credential stealer. The malware was designed to collect sensitive data from developer environments, including password vaults, GitHub tokens, npm credentials, cloud access keys, and AI tool configurations.

Researchers said the extension looked and behaved like the normal Nx Console tool. On startup, however, it silently executed a hidden command that downloaded and ran malicious code from a planted commit in the official repository. Because the command looked like a routine setup task, it was less likely to raise suspicion.

This incident shows a growing problem in modern software development: auto-updating extensions and trusted marketplaces can become dangerous if a publisher account or release process is compromised. Attackers can push malicious updates directly to developer machines before teams even realize something is wrong.

Cybersecurity companies like IntelligenceX help organizations understand and reduce these risks through developer environment protection, software supply chain security, credential monitoring, and secure CI/CD practices.

For security teams, the key lesson is clear: review installed extensions, restrict auto-updates where possible, monitor developer endpoints, rotate exposed secrets, and treat compromised developer tools as serious infrastructure-level incidents.
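As an added example (not part of the original post and not tooling from GitHub or the Nx project), the triage script below walks a local VS Code extensions directory and flags any extension that activates at editor startup and whose entry script both spawns a process and reaches the network, the behaviour pattern described above. The `~/.vscode/extensions` path, the indicator regexes and the review threshold are assumptions; the sample extensions used in the test are constructed.

```python
"""Triage heuristic for installed VS Code extensions: flag extensions that
activate at editor startup AND whose entry script spawns processes or
reaches the network. Constructed example; heuristics are assumptions."""
import json
import re
from pathlib import Path

# Activation events that run the extension on every editor start (assumed set).
STARTUP_EVENTS = {"*", "onStartupFinished"}
# Indicators of "download and run" behaviour in the entry-point JavaScript.
EXEC_RE = re.compile(r"\b(exec|execSync|spawn|spawnSync|execFile)\s*\(")
NET_RE = re.compile(r"\b(fetch|https?\.get|https?\.request|axios)\s*\(")

def triage(pkg: dict, entry_source: str) -> dict:
    """Classify one extension from its package.json dict and entry-point JS."""
    events = set(pkg.get("activationEvents", []))
    ext_id = f"{pkg.get('publisher', '?')}.{pkg.get('name', '?')}"
    on_startup = bool(events & STARTUP_EVENTS)
    spawns = bool(EXEC_RE.search(entry_source))
    networks = bool(NET_RE.search(entry_source))
    return {
        "id": ext_id,
        "version": pkg.get("version", "?"),
        "startup": on_startup,
        "spawns_process": spawns,
        "network": networks,
        # Startup activation plus process spawn plus network access is the
        # combination worth a manual look first; it is a triage cue, not proof.
        "review": on_startup and spawns and networks,
    }

def scan_extensions(root: Path) -> list:
    """Walk a VS Code extensions directory and triage every extension found."""
    results = []
    for pkg_path in sorted(root.glob("*/package.json")):
        pkg = json.loads(pkg_path.read_text(encoding="utf-8"))
        main = pkg_path.parent / pkg.get("main", "extension.js")
        if not main.is_file():  # "main" often omits the .js suffix
            main = main.with_suffix(".js")
        source = main.read_text(encoding="utf-8", errors="ignore") if main.is_file() else ""
        results.append(triage(pkg, source))
    return results

if __name__ == "__main__":
    for r in scan_extensions(Path.home() / ".vscode" / "extensions"):
        flag = "REVIEW" if r["review"] else "      "
        print(f"{flag} {r['id']}@{r['version']} startup={r['startup']} "
              f"spawn={r['spawns_process']} net={r['network']}")
```

Extensions marked REVIEW are candidates for inspection against their marketplace source and the publisher's release history, not verdicts.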
