Skip to main content
Emerging ThreatsData Breaches

GitHub Breach Exposes 3800 Repositories via Poisoned VS Code Extension

Developer workstation with VS Code on laptop and monitor, subtle security threat hinted in background.

Approximately 3,800 of GitHub’s internal repositories were taken after a “poisoned” Visual Studio Code extension briefly slipped onto official extension registries, according to company and maintainer statements.

Malicious Nx Console VS Code extension and the 18‑minute window

GitHub confirmed on 19 May that an attacker gained unauthorized access to 3,800 internal repositories via a compromised VS Code extension found on an employee device. Jeff Cross, CEO of Nx, later confirmed that the popular Nx Console extension was the one that had been poisoned. Nx Console—described in the reporting as providing a graphical interface for managing and running Nx workspace tasks, generators and builds—has 2.2 million installs on the Visual Studio Marketplace and carries a verified publisher badge.

In a report published on GitHub, Cross explained that a malicious version of Vx Console (version 18.95.0) was uploaded to the Visual Studio Marketplace and Open VSX on 18 May. The upload was completed at 12:30 UTC by an individual who posed as a legitimate Nx maintainer. A maintainer unpublished the malicious version a few minutes later, and Microsoft fully registered the takedown at 12:48 UTC—meaning the malicious extension was available on the Visual Studio Marketplace for about 18 minutes.

Credential harvesting, payload behavior, and CVE‑2026‑48027

According to Cross’s account, the compromised extension fetched an obfuscated payload that harvested credentials from multiple sources on disk and in memory. The report lists the affected sources verbatim, including Vault tokens (~/.vault-token, /etc/vault/token; Kubernetes and AWS IAM auth), npm (.npmrc tokens and OIDC token exchange), a range of AWS data (IMDS/ECS metadata, Secrets Manager, SSM, Web Identity tokens), GitHub tokens (ghp_/gho_/ghs_ tokens, Actions secrets, process memory), 1Password (op CLI vault contents if an op session was active), and filesystem items such as private keys, connection strings, and GCP/Docker credentials.

The vulnerability has been assigned CVE‑2026‑48027.

Supply‑chain link to TanStack and the “Mini Shai‑Hulud” campaign

Cross explained that the attacker managed to gain the GitHub credentials of a legitimate Nx developer through a recent supply‑chain compromise of TanStack npm packages. The report characterizes this as part of a broader supply‑chain attack affecting developer ecosystems, commonly known as the Mini Shai‑Hulud campaign. The reporting notes that TanStack is a collection of open‑source developer tools focused on state management, data fetching, tables, routing and virtualization.

Impact on GitHub and the TeamPCP claim to sell data for $95,000

GitHub said it contained the threat, removed the malicious extension version, isolated the endpoint and began incident response immediately. “Critical secrets were rotated yesterday and overnight with the highest‑impact credentials prioritized first,” GitHub added. The company said it continues to analyze logs, validate secret rotation, and monitor for any follow‑on activity and will take additional action as the investigation warrants. GitHub also promised to publish a more detailed report once the investigation is complete.

The breach was claimed by the TeamPCP hacking group. The group first demanded “at least $50,000” for the stolen data before reportedly posting an ad in which TeamPCP appears to partner with the Lapsus$ threat group to sell the stolen data for $95,000. TeamPCP stated that this was “not a ransom” and that they were not interested in extorting GitHub. Instead, they said they would only sell the data to one buyer, were “not interested in under 50k” and that “the best offer will get it.” They certified they would delete the stolen data once a buyer had been found, adding that it appeared their retirement was imminent. They also warned that if no buyer was found, they would leak the data for free.

Responses by Nx, Microsoft, and GitHub

Cross acknowledged Nx’s role and “takes responsibility” for how its software played into the incident, thanking GitHub and Microsoft for help investigating and containing the threat. He said Nx has already begun implementing changes “to our publishing, automation, and extension security posture.” Specifically, Cross said the company has hardened its Nx Console publishing pipeline so that “two admins need to manually approve the release.”

Microsoft registered the takedown at 12:48 UTC and GitHub’s reported mitigation steps included isolating the impacted endpoint, rotating critical secrets with highest‑impact credentials prioritized, and continuing log analysis and monitoring.

What this means for technologists, open‑source maintainers, and enterprises

  • Technologists and security teams: The report states that anyone who was running VS Code with the Nx Console extension installed and auto‑update enabled “should assume they were compromised” and should rotate any authentication keys stored on disk—including tokens, secrets, SSH keys and any type of credentials.
  • Open‑source maintainers: Nx has moved to require two‑admin manual approval for publishing and plans to engage other high‑profile maintainers in conversations about structural supply‑chain security changes. Cross called for “deeper, more fundamental changes” to how maintainers think about securing developer tooling and distribution.
  • Enterprises and procurement leaders: GitHub prioritized rotation of “highest‑impact credentials” and is validating that rotation while monitoring for follow‑on activity; organizations should track those signals and await GitHub’s more detailed post‑incident report.

This incident compresses several chronic supply‑chain risks into a brief, observable window: a poisoned extension, credential‑harvesting payloads, a rapid takedown, and an immediate claim to sell stolen internal repositories. GitHub’s promise of a fuller report and Nx’s publishing‑pipeline changes are concrete steps; whether the broader conversations Cross hopes for lead to systemic, cross‑maintainer safeguards remains the next provable outcome to watch.

Original reporting