Skip to main content
Emerging ThreatsData Breaches

GitHub Breach Exposes 3,800 Repositories via Malicious VS Code Extension

Developer workstation with laptop, coding tools, and scattered papers.

"We have no evidence of impact to customer information stored outside of GitHub's internal repositories, such as our customer's own enterprises, organizations, and repositories," Alexis Wales, Chief Information Security Officer of GitHub, said in a statement.

How a poisoned VS Code extension became an entry point

GitHub confirmed the breach originated with a compromised employee device that installed a trojanized version of the Nx Console Microsoft Visual Studio Code extension, distributed under the package name nrwl.angular-console. The malicious build was available on the Visual Studio Marketplace for exactly eighteen minutes — between 12:30 p.m. and 12:48 p.m. UTC on May 18, 2026 — but that brief window was sufficient for attackers to push a credential-stealing payload into developer environments.

According to OX Security researcher Nir Zadok, the extension “looked and behaved like normal Nx Console, but on startup it silently ran a single shell command that downloaded and executed a hidden package from a planted commit on the official nrwl/nx GitHub repository.” The command was disguised as a routine MCP setup task so it would not raise suspicion. The deployed credential stealer targeted a range of developer secrets, claiming the ability to harvest data from 1Password vaults, Anthropic Claude Code configurations, npm, GitHub, and Amazon Web Services.

Scale and immediate containment actions

GitHub said the intruder — a cybercriminal group known as TeamPCP — exfiltrated about 3,800 repositories from GitHub's internal repositories. The company said it had taken steps to contain the incident and rotated critical secrets, and that it is continuing to monitor for follow-on activity. GitHub also noted that some internal repositories contain customer-derived materials, such as excerpts of support interactions, and pledged to notify customers via established incident response and notification channels if any impact is discovered.

The pattern TeamPCP exploits: chained trust and developer tooling

TeamPCP has rapidly gained notoriety for large-scale software supply chain attacks, specifically targeting widely used open-source projects and security-adjacent developer tools. The group's playbook highlights an interconnected, self-sustaining cycle: compromise a trusted tool, harvest credentials from developer systems that use it, then use those credentials to breach the next legitimate target. The Nx Console incident demonstrates that even a short-lived malicious release can kick-start that cycle.

Jeff Cross, co-founder of Narwhal Technologies (the company behind nx.dev), wrote on X that “this incident highlights that there need to be deeper, more fundamental changes to how we and other maintainers need to think about securing developer tooling and open source distribution.” He said Narwhal is beginning conversations with other high-profile open source maintainers about tackling “deeper structural problems around software supply chain security.”

Auto-update, marketplaces, and the direct-push risk

Security researchers pointed to default auto-update behavior in extension marketplaces as a critical enabler. Aikido security researcher Raphael Silva observed that “Every popular extension marketplace ships with auto-update on by default. VS Code, Cursor, the whole lineup.” Silva noted the convenience rationale — most developers do not update manually — but added a sharp caveat: auto-update “gives an attacker who controls a release a direct push channel into every machine running that extension.” He also said marketplaces typically do not impose a review gate or waiting period between publication and when installed clients pull an update, shortening the window for detection and response.

What this means for Narwhal Technologies, open-source maintainers, and enterprise security teams

  • Narwhal Technologies and the Nx team: The company has acknowledged the breach of its extension and, per Jeff Cross, is initiating cross-maintainer conversations about “deeper structural problems” in distribution and tooling security.
  • Open-source maintainers: The incident underscores pressure to reconsider release practices, developer-editor extensions, and distribution safeguards — particularly around automated updates and the ability for attackers to publish malicious releases quickly.
  • Enterprise security teams and developers: GitHub's rotation of critical secrets and its monitoring for follow-on activity reflect immediate defensive steps; organizations that integrate developer tooling and rely on extension marketplaces will need to assess exposure to credential theft from local developer environments and the downstream impact on access to cloud and package repositories.

The episode is a compact case study in how supply chain compromises spread: a poisoned editor extension, an eighteen-minute distribution window, a credential stealer that targets vaults and cloud credentials, and the exfiltration of thousands of internal repositories. GitHub's public steps — containment, secret rotation, monitoring and customer notification if required — follow directly from the mechanics of the intrusion. The unresolved question the incident leaves on the table is structural: how to prevent a single malicious update from becoming a direct push to thousands of developer machines when marketplaces ship auto-update by default.

Original story