Poisoned VS Code extension found
- OX Security researchers said on May 24 that a poisoned Nx Console VS Code extension was used to compromise developer machines and alter workflows. (ox.security)
- GitHub said the attacker’s claim of about 3,800 exfiltrated internal repositories was directionally consistent, after the malicious extension stayed live for roughly 18 minutes. (github.blog)
- GitHub’s incident post and the Nx Console security advisory remain the main public references as investigators trace related package and repository exposure. (github.blog)

On May 24, OX Security published research tying a poisoned Visual Studio Code extension to a broader supply-chain campaign that touched GitHub, OpenAI and Mistral-linked developer environments. (ox.security)

GitHub had already disclosed on May 20 that an employee device was compromised through a “poisoned VS Code extension,” leading to unauthorized access to GitHub-owned repositories. The company said its current assessment was that the activity involved exfiltration of GitHub-internal repositories only, and that the attacker’s claim of about 3,800 repositories was “directionally consistent” with the investigation. (github.blog)

The extension at the center of the public advisories was Nx Console version 18.95.0, according to the project’s GitHub security advisory. (github.blog) That advisory said the malicious build was published to the Visual Studio Marketplace at 12:30 p.m. UTC on May 18 and removed at 12:48 p.m. UTC, leaving it available for about 18 minutes. (ox.security)

### How did a VS Code extension become the entry point?

Nx Console is a developer extension for working with Nx projects inside editors such as VS Code. The Nx Console advisory said the poisoned 18.95.0 build was distributed through the official marketplace, and later updates to the advisory said investigators linked the compromise to the earlier TanStack incident and a GitHub CLI token theft path. (github.blog)

OX Security said the malicious extension looked legitimate but executed a hidden command on startup, pulling a payload from a planted commit and turning the editor into an access point for credentials and code. OX attributed the operation to TeamPCP, the same group it has linked to recent supply-chain attacks involving npm and PyPI packages. (github.com)

### What did GitHub say was taken?

GitHub said on its security blog that it removed the malicious extension version, isolated the affected endpoint and began incident response on May 18.
The company also said it had no evidence of impact to customer information stored outside GitHub’s internal repositories, including customer enterprises, organizations and repositories. (github.com)

BleepingComputer reported that GitHub connected the repository breach to the malicious Nx Console build and the wider TanStack supply-chain attack. Independent reporting and OX’s analysis said the same campaign also affected environments tied to OpenAI and Mistral AI, though those companies have not posted equivalent public incident write-ups on their main sites in the material reviewed here. (ox.security)

### Where do OpenAI and Mistral enter the story?

Mistral has published a security advisory saying a TanStack supply-chain attack affected Mistral AI SDK packages and was mitigated. That advisory does not describe the GitHub breach, but it places Mistral inside the same broader campaign family cited by OX and other security reporting. (github.blog)

OpenAI appears in secondary reporting about the campaign’s spread across developer tooling and repositories. In the sources reviewed, OpenAI’s public site includes general security material but no standalone incident advisory matching GitHub’s or Mistral’s level of detail on this specific extension compromise. (bleepingcomputer.com)

### Why are researchers focused on “edit-time” tampering?

OX Security said the attack showed how malicious code can be inserted inside normal developer workflows, at the point where code is opened, edited or built inside an IDE. That is a supply-chain problem because the compromise rides through trusted tools rather than a direct intrusion into production systems. (docs.mistral.ai)

GitHub’s post and the Nx Console advisory are still being updated as investigators refine scope. The Nx Console advisory includes remediation steps and timestamps for the compromised release, while GitHub said it would continue monitoring for follow-on activity as the investigation proceeds. (github.com) (ox.security) (notebookcheck.net)
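
An inventory check for the compromised release named above, as an added example that is not code from GitHub, OX Security or the Nx project: it reads each installed extension's `package.json` and flags Nx Console 18.95.0. Matching on the manifest `displayName` and the default extension directories listed are assumptions of this example.

```python
import json
from pathlib import Path

# Release named in the article. Matching on the manifest's displayName is an
# assumption of this example; prefer the publisher.name id from the advisory.
FLAGGED = {("nx console", "18.95.0")}

# Default per-user extension directories for VS Code and two common variants.
DEFAULT_ROOTS = [Path.home() / d / "extensions"
                 for d in (".vscode", ".vscode-server", ".vscode-insiders")]

def read_manifest(ext_dir):
    """Return the extension's package.json as a dict, or None if unreadable."""
    try:
        data = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
        return data if isinstance(data, dict) else None
    except (OSError, ValueError):  # missing file, bad JSON, bad encoding
        return None

def scan(roots=DEFAULT_ROOTS, flagged=FLAGGED):
    """Inventory installed extensions and mark any that match a flagged release."""
    findings = []
    for root in roots:
        if not root.is_dir():
            continue
        for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
            manifest = read_manifest(ext_dir)
            if manifest is None:
                continue
            name = str(manifest.get("displayName") or manifest.get("name") or "")
            version = str(manifest.get("version") or "")
            findings.append({
                "id": f"{manifest.get('publisher', '?')}.{manifest.get('name', '?')}",
                "name": name,
                "version": version,
                "path": str(ext_dir),
                "flagged": (name.strip().lower(), version) in flagged,
            })
    return findings

if __name__ == "__main__":
    results = scan()
    for f in results:
        tag = "FLAGGED" if f["flagged"] else "ok"
        print(f"{tag:8}{f['id']} {f['version']} {f['path']}")
    # Non-zero exit lets a fleet-management job alert on any match.
    raise SystemExit(1 if any(f["flagged"] for f in results) else 0)
```

A match means the flagged build is on disk, so the host should go through the remediation steps in the Nx Console advisory rather than simply updating the extension.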