Home > Security > Security News

3,800 Internal GitHub Repositories Lost Due to Malicious Nx Console VS Code Extension

Published
Written by:
Lore Apostol
Lore Apostol
Cybersecurity Writer
Trojan Horse - Nx Console Update - Internal Repositories - Credential Tokens - Broken Security Locks - Splintered Data Files - Developer Entryway
Summarize with:
ChatGPT logo ChatGPT Claude.ai logo Claude.ai Google AI logo Google AI Grok logo Grok Perplexity logo Perplexity
Google logo Add as preferred source on Google
Key Takeaways
  • Massive Data Compromise: GitHub lost 3,800 internal repositories during a targeted security incident linked to the TanStack compromise and GitHub CLI.
  • Malicious Update Vector: A poisoned Nx Console VS Code extension enabled unauthorized access to the company’s infrastructure.
  • Supply-Chain Risk: The extension breach exposed sensitive developer credentials, introducing severe operational vulnerabilities.

A recent GitHub cybersecurity incident resulted in the loss of 3,800 internal repositories. The unauthorized network access was enabled through a poisoned developer utility – a malicious update to the Nx Console Visual Studio Code (VS Code) extension that fetched an obfuscated payload that harvested credentials from multiple sources on disk and in memory. GitHub identified the TanStack compromise and GitHub CLI as the attack vectors. 

The update is part of an investigation into potential unauthorized access to its internal repositories following the TeamPCP threat actor's claim of breaching approximately 4,000 GitHub repositories related to the company's internal infrastructure.

Malicious Nx Console VS Code Extension

The compromised Nx Console extension, which has 2.2 million installs and a verified publisher badge, served as the primary vector for the intrusion, allowing attackers to bypass standard perimeter security controls and access GitHub's internal proprietary infrastructure. The same build also went out on OpenVSX.

GitHub follow-up announcement on the TeamPCP data breach claim | Source: GitHub on X
GitHub follow-up announcement on the TeamPCP data breach claim | Source: GitHub on X

Yesterday we detected and contained a compromise of an employee device involving a poisoned VS Code extension,” GitHub has announced. “Our current assessment is that the activity involved exfiltration of GitHub-internal repositories only.”

Version 18.95.0 of the Nx Console extension was uploaded to the Visual Studio Marketplace at 12:30 UTC on May 18, remaining exposed for about 18 minutes until Microsoft fully registered the takedown at 12:48 UTC. 

Harvested data was exfiltrated via HTTPS, the GitHub API, and DNS, while on Linux, it also attempted sudoers injection for persistence. Impacted credentials include:

Supply Chain Risk

Following the deployment of the poisoned Nx Console update, the company said it removed the malicious extension version, isolated the endpoint, and immediately began incident response. GitHub said it rotated critical secrets, prioritizing the highest-impact credentials.

Auto-update gives an attacker who controls a release a direct push channel into every machine running that extension,” the Aikido researchers said. “Marketplaces don't impose any review gate or waiting period between when an update is published and when installed clients pull it in.”

Nx Console 18.100.0 is the latest version to update to. If you were affected or suspect you may have been affected:

Recently, Grafana Labs announced a GitHub breach following Coinbase Cartel intrusion claims. Last week, TeamPCP claimed a Mistral AI breach around the same time the company announced it was impacted by the TanStack supply chain attack.

In March, researchers at Socket analyzed a GitHub phishing campaign using fake VS Code alerts to urge developers to patch fabricated CVEs. In October 2025, malicious VS Code extensions delivered TigerJack malware, infecting over 17,000 developers.

Add a Comment
Related
huawei building
Huawei Zero-Day Vulnerability Caused Luxembourg Telecom Outage
Microsoft Disrupts Fox Tempest Malware-Signing-as-a-Service Operation Linked to Qilin, Akira, More
Verizon Report: AI Accelerates Software Vulnerability Exploits, Overtaking the Stolen Credentials Method as the Leading Attack Vector
github
GitHub Investigates TeamPCP Claimed Breach of 4,000 Repositories
CISA Contractor Exposed AWS GovCloud Keys in Public GitHub Repository, Report Says 
SHub Infostealer Variant Reaper Compromises macOS Systems, Steals iCloud Data 
Most Popular
Enterprise Security was Built Around Data Loss While AI Agent Autonomy Enables Action Abuse
huawei building
Huawei Zero-Day Vulnerability Caused Luxembourg Telecom Outage
Spot Fake Remote Workers Who Bypass Hiring and Security Checks 
Microsoft Disrupts Fox Tempest Malware-Signing-as-a-Service Operation Linked to Qilin, Akira, More
Verizon Report: AI Accelerates Software Vulnerability Exploits, Overtaking the Stolen Credentials Method as the Leading Attack Vector
github
GitHub Investigates TeamPCP Claimed Breach of 4,000 Repositories
Enterprise Security was Built Around Data Loss While AI Agent Autonomy Enables Action Abuse
Huawei Zero-Day Vulnerability Caused Luxembourg Telecom Outage
Spot Fake Remote Workers Who Bypass Hiring and Security Checks 
Microsoft Disrupts Fox Tempest Malware-Signing-as-a-Service Operation Linked to Qilin, Akira, More
Verizon Report: AI Accelerates Software Vulnerability Exploits, Overtaking the Stolen Credentials Method as the Leading Attack Vector
GitHub Investigates TeamPCP Claimed Breach of 4,000 Repositories

Most Popular
Enterprise Security was Built Around Data Loss While AI Agent Autonomy Enables Action Abuse
huawei building
Huawei Zero-Day Vulnerability Caused Luxembourg Telecom Outage
Spot Fake Remote Workers Who Bypass Hiring and Security Checks 
Microsoft Disrupts Fox Tempest Malware-Signing-as-a-Service Operation Linked to Qilin, Akira, More
Verizon Report: AI Accelerates Software Vulnerability Exploits, Overtaking the Stolen Credentials Method as the Leading Attack Vector
github
GitHub Investigates TeamPCP Claimed Breach of 4,000 Repositories
Enterprise Security was Built Around Data Loss While AI Agent Autonomy Enables Action Abuse
Huawei Zero-Day Vulnerability Caused Luxembourg Telecom Outage
Spot Fake Remote Workers Who Bypass Hiring and Security Checks 
Microsoft Disrupts Fox Tempest Malware-Signing-as-a-Service Operation Linked to Qilin, Akira, More
Verizon Report: AI Accelerates Software Vulnerability Exploits, Overtaking the Stolen Credentials Method as the Leading Attack Vector
GitHub Investigates TeamPCP Claimed Breach of 4,000 Repositories

TechNadu keeps you informed with the latest in cybersecurity, VPNs, and technology. From expert guides to in-depth reviews, we provide the knowledge you need to stay secure and connected in the digital world.

© 2026 TechNadu. All Rights Reserved. TechNadu is a part of Leaprove Media LLP.

Close lightbox
Facebook
Twitter
Linkedin
Reddit
Email
Copy Link
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: