Full Report
GitHub on Wednesday officially confirmed that the breach of its internal repositories was the result of a compromise of an employee device involving a poisoned version of the Nx Console Microsoft Visual Studio Code (VS Code) extension. The development comes as the Nx team revealed that the extension, nrwl.angular-console, was breached after one of its developers' systems was hacked in the
Analysis Summary
# Incident Report: GitHub Internal Repository Breach via Malicious VS Code Extension
## Executive Summary
GitHub confirmed an unauthorized breach of approximately 3,800 internal repositories resulting from a compromised employee device. The incident was part of a larger supply chain attack orchestrated by the threat actor "TeamPCP," who poisoned a popular VS Code extension to harvest credentials. While internal source code and support interaction excerpts were accessed, GitHub reports no evidence of impact on customer-owned repositories or data stored outside GitHub's internal systems.
## Incident Details
- **Discovery Date:** May 2026 (Investigation ongoing)
- **Incident Date:** May 18, 2026 (Extension compromise window: 12:30 PM – 12:48 PM UTC)
- **Affected Organization:** GitHub (alongside Nx, OpenAI, Mistral AI, and Grafana Labs)
- **Sector:** Technology / Software Development
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** May 18, 2026 (12:30 PM UTC)
- **Vector:** Software Supply Chain Attack / Malicious VS Code Extension
- **Details:** Attackers compromised a developer system at Narwhal Technologies (Nx) following a prior attack on TanStack. This allowed them to publish a poisoned version of the "Nx Console" VS Code extension (`nrwl.angular-console`) to the Visual Studio Marketplace.
### Lateral Movement
- The poisoned extension executed a shell command disguised as a routine "MCP setup task."
- This command downloaded a secondary malicious package from a planted commit on the official `nrwl/nx` repository, which acted as a credential stealer targeting local developer environments.
### Data Exfiltration/Impact
- **What was stolen:** Credentials from 1Password vaults, Anthropic Claude Code configurations, npm, GitHub, and AWS.
- **Impact:** Using stolen credentials, the threat actor exfiltrated approximately 3,800 of GitHub's internal repositories.
### Detection & Response
- **How it was discovered:** Internal monitoring and investigation following the broader TeamPCP supply chain campaign.
- **Response actions taken:** GitHub isolated the affected employee device, rotated critical secrets, and began notifying affected customers whose support data may have been in the internal repositories.
## Attack Methodology
- **Initial Access:** Compromised legitimate developer credentials used to publish a malicious update to a trusted VS Code extension.
- **Persistence:** Utilization of VS Code’s "auto-update" feature to push the malicious code to all installs automatically.
- **Defense Evasion:** Malicious shell command was disguised as a "routine MCP setup task"; the malicious version was only live for 18 minutes to minimize the forensic footprint.
- **Credential Access:** Harvesting data from 1Password, `.npmrc`, AWS config files, and AI tool configurations (Claude Code).
- **Collection:** Automated scanning of local developer directories for sensitive configuration files.
- **Exfiltration:** Transfer of 3,800 internal repositories to threat actor-controlled infrastructure.
- **Impact:** Compromise of internal source code and historical customer support interactions.
## Impact Assessment
- **Financial:** Undisclosed, but involves significant engineering hours for secret rotation and forensic auditing.
- **Data Breach:** ~3,800 internal repositories; potential exposure of customer support excerpts.
- **Operational:** Disruption to internal development workflows during containment and remediation.
- **Reputational:** High public visibility due to GitHub’s role as a trusted platform for global software development.
## Indicators of Compromise
- **File indicators:** `nrwl.angular-console` version 18.95.0 (compromised version).
- **Behavioral indicators:** VS Code executing unexpected shell commands downloading external packages from GitHub commits during startup; unauthorized access to `~/.aws/credentials`, `~/.npmrc`, and 1Password local databases.
## Response Actions
- **Containment:** Quarantine of the compromised employee laptop and immediate removal of the malicious extension from the marketplace.
- **Eradication:** Rotation of all exposed critical secrets (API keys, tokens, and certificates).
- **Recovery:** Restoration of secure development environments and ongoing monitoring for follow-on exploitation using exfiltrated code.
## Lessons Learned
- **The "Auto-Update" Paradox:** While auto-updates ensure security patches, they also provide a direct "push channel" for attackers who compromise a publisher.
- **Extension Trust:** VS Code extensions run with the privileges of the user and represent a significant, often overlooked, blindsided attack surface for developers.
- **Interlinked Supply Chains:** A compromise in one tool (TanStack) can cascade into others (Nx) and eventually breach major infrastructure (GitHub).
## Recommendations
- **Developer Environment Hardening:** Implement strict EDR monitoring for IDE processes (like VS Code or Cursor) that attempt to execute shell commands or access credential stores.
- **Extension Managed Lists:** Organizations should consider using "Extension allow-lists" rather than allowing arbitrary marketplace installs.
- **Secret Management:** Move away from storing long-lived credentials in local config files; utilize short-lived tokens and OIDC-based authentication where possible.