GitHub says the hackers who breached 3,800 internal repositories gained access via a malicious version of the Nx Console VS Code extension, compromised in last week’s TanStack npm supply-chain attack.
This attack is attributed to the TeamPCP threat group and began with the compromise of dozens of TanStack and Mistral AI npm packages, then quickly extended to other projects (including UiPath, Guardrails AI, and OpenSearch) using stolen CI/CD credentials.
TeamPCP was linked to other major supply chain attacks targeting developer code platforms, including PyPI, NPM, GitHub, and Docker, and, more recently, to the “Mini Shai-Hulud” supply chain campaign (which also affected two OpenAI employees).
GitHub revealed the breach on Tuesday, saying it was investigating claims of unauthorized access to its internal repositories and telling BleepingComputer that the incident resulted from an employee installing a malicious Visual Studio Code (VS Code) extension, without disclosing the extension’s name.
In a blog published Wednesday evening, GitHub CISO Alexis Wales said the breach involved a malicious version of Nx Console, the official Visual Studio Code marketplace extension for Nx, that allows developers to manage large repos and multi-project codebases without relying entirely on complex Terminal CLI commands.
Wakes added that GitHub has since secured the compromised device and has yet to find evidence that customer data stored outside the affected repos has been stolen.
“We rotated critical secrets Monday and into Tuesday with the highest-impact credentials prioritized first,” Wales said. “We continue to analyze logs, validate secret rotation, and monitor our infrastructure for any follow-on activity. We will take additional action as the investigation warrants.”
While GitHub has yet to attribute the attack to a specific hacking group or threat actor, the TeamPCP cybercrime gang claimed access to GitHub source code and “~4,000 repos of private code” on the Breached forum on Tuesday, and is now asking for at least $50,000 for the stolen data.
This comes after the Nx devs revealed on Monday that they were jointly investigating the impact of the attack with GitHub and Microsoft, after a malicious version of Nx Console 18.95.0 was available on the Visual Studio Marketplace for approximately 18 minutes and on OpenVSX for another 36 minutes.
The poisoned extension deployed a malicious payload designed to steal credentials and secrets for a wide range of platforms, including npm, AWS, Kubernetes, GitHub, and GCP/Docker.
“One of our developers was compromised by a recent supply-chain compromise on Tanstack, which leaked their GitHub credentials through the GitHub CLI (gh). This allowed the attacker to run workflows on our GitHub repository as a contributor,” the NX team said.
“According to Microsoft and OpenVSX, download numbers for the impacted 18.95.0 version were a low 28 and 41 respectively. [..] Two days after the attack, our analytics have registered approximately 6000 extension activations from VSCode and 0 from other editors (including VSCode forks like Cursor).”
In recent years, multiple other malicious VS Code extensions with millions of installs have snuck on the official VS Code marketplace and have been used to steal developer credentials and other sensitive data.
Last year, several VS Code extensions with 9 million installs were removed due to security risks, including 10 that infected users with the XMRig cryptominer, while a malicious extension with basic ransomware capabilities was later spotted on the VS Code marketplace after the threat actor WhiteCobra flooded it with 24 crypto-stealing extensions.
In January, two more extensions posing as AI-based coding assistants, with 1.5 million installs, were used to exfiltrate data from compromised developer systems to servers in China.
GitHub’s cloud-based platform is used by more than 4 million organizations (including 90% of Fortune 100 companies) and over 180 million developers who contribute to more than 420 million code repositories.
Automated pentesting tools deliver real value, but they were built to answer one question: can an attacker move through the network? They were not built to test whether your controls block threats, your detection rules fire, or your cloud configs hold.
This guide covers the 6 surfaces you actually need to validate.